Risk Analysis Webinar


Upload: jody-keyser

Post on 10-Dec-2014



TRANSCRIPT

Page 1: Risk Analysis Webinar

© 2010 Aliado Accesso LLC

Introduction to FAIR

Factor Analysis of Information Risk by

Patrick Florer, Principal Consultant

April 28, 2010

Page 2: Risk Analysis Webinar


Let’s talk about risk

Page 3: Risk Analysis Webinar

risk (rĭsk) [French risque, from Italian risco, rischio.]

1. The possibility of suffering harm or loss; danger.

2. A factor, thing, element, or course involving uncertain danger; a hazard.

3. The danger or probability of loss to an insurer.

4. The amount that an insurance company stands to lose.

5. The variability of returns from an investment.

6. The chance of nonpayment of a debt.

7. One considered with respect to the possibility of loss: a poor risk.

from The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2006, 2000 by Houghton Mifflin Company

Factor Analysis of Information Risk (FAIR) – Definition of Risk

Page 4: Risk Analysis Webinar

risk:

Risk is the possibility of suffering harm or loss. It is the potential for realizing unwanted negative consequences of an event. It refers to a situation where a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence.

from An Introduction to the OCTAVE(SM) Method by Christopher Alberts and Audrey Dorofee, Software Engineering Institute, Carnegie Mellon University; last updated January 30, 2001

Factor Analysis of Information Risk (FAIR) – Definition of Risk

Page 5: Risk Analysis Webinar

risk:

The probable frequency and probable magnitude of future loss.

from the Factor Analysis of Information Risk (FAIR), ©2008 Risk Management Insight, LLC

Factor Analysis of Information Risk (FAIR) – Definition of Risk

Page 6: Risk Analysis Webinar

The net mission impact considering:

1. The probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability

2. The resulting impact if this should occur.

IT-related risks arise from legal liability or mission loss due to:

1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information

2. Unintentional errors and omissions

3. IT disruptions due to natural or man-made disasters

4. Failure to exercise due care and diligence in the implementation and operation of the IT system.

from NIST Special Publication 800-30

Factor Analysis of Information Risk (FAIR) – IT-Related Risk

Page 7: Risk Analysis Webinar

And now, let’s talk briefly about a few other concepts that will be important in helping you to understand FAIR

Page 8: Risk Analysis Webinar

What’s the difference?

Possibility –

“capable of happening, existing, or being true without contradicting proven facts, laws, or circumstances known to be true”

Probability –

“The likelihood that a given event will occur”

And, in statistics -

“A number expressing the likelihood that a specific event will occur, expressed as the ratio of the number of actual occurrences to the number of possible occurrences”

(All quotes from the American Heritage Dictionary of the English Language, Fourth Edition)

Factor Analysis of Information Risk (FAIR) – Possibility vs. Probability

Page 9: Risk Analysis Webinar

Possibility – a set of outcomes, sometimes binary – yes or no – something that could happen.

Understanding the possibilities does not necessarily require data, just a knowledge of possible outcomes

Probability – a mathematical calculation with a result where 0 <= P(x) <= 1. Probability is sometimes expressed as a percentage (0 – 100%), or as an odds ratio (3 out of 4)

Probability calculations require data – either actual/historical or estimates

Factor Analysis of Information Risk (FAIR) – Possibility vs. Probability

Page 10: Risk Analysis Webinar

Using a coin as an example …

The possibilities are …

The probabilities are …

Knowing the possibilities does not, in any way, allow you to predict whether the coin will come up heads on the next toss, or on any toss.

Knowing the probabilities does not allow you to do this, either, but it does allow you to predict the number of heads that will come up if you toss the coins a large number of times.

Factor Analysis of Information Risk (FAIR) – Possibility vs. Probability

Page 11: Risk Analysis Webinar

What’s the difference?

Precision –

“the ability of a measurement to be consistently reproduced”

Accuracy –

“the ability of a measurement to match the actual value of the quantity being measured”

(All quotes from the American Heritage Dictionary of the English Language, Fourth Edition)

Factor Analysis of Information Risk (FAIR) – Precision vs. Accuracy

Page 12: Risk Analysis Webinar

Why does this matter?

Precise Accuracy –

This would be great, but it is often not achievable.

Precision –

For example, my watch may run 10 minutes slow with great precision. If you ask me the time, I may tell you the wrong time.

Accuracy –

My watch runs slow at times and fast at times. If you ask me the time, I will likely say – it’s about 10:00 o’clock – imprecise, perhaps, but good enough for the circumstances.

Factor Analysis of Information Risk (FAIR) – Precision vs. Accuracy

Page 13: Risk Analysis Webinar

What’s the difference?

Qualitative – low, medium, high, or red, yellow, green, or 1 – 5, etc.

Good for some types of quick assessments and quick prioritizations.

But -

Variability in assessment is a problem, both between different assessors and with the same assessor over time.

Qualitative assessments cannot be manipulated arithmetically.

Qualitative scales are problematic near the boundaries.

Most of the time, when making a qualitative assessment, the assessor has a number in mind anyway – why not just use the number?

Factor Analysis of Information Risk (FAIR) – Qualitative vs. Quantitative Methods

Page 14: Risk Analysis Webinar

What’s the difference?

Quantitative –

Uses cardinal numbers – everyone understands numbers

3 means 3 and $100k means $100k.

You can add, subtract, or do whatever you wish with numbers – you don’t have to guess!

But –

Quantitative approaches require data, either actual/historical, or estimated.

This may or may not be as big a problem as you might think!

Factor Analysis of Information Risk (FAIR) – Qualitative vs. Quantitative Methods

Page 15: Risk Analysis Webinar

What’s the purpose of taking a measurement?

To reduce uncertainty.

Sometimes the “perfect” answer is unattainable. But, in many cases, it doesn’t matter. A reduction in uncertainty is what is required.

How much do we need to reduce uncertainty?

Only as much as required by the decision at hand.

And if we cannot reduce uncertainty to that level, then what?

We can either collect more measurements, or work with what we have.

Factor Analysis of Information Risk (FAIR) – Measurement

Page 16: Risk Analysis Webinar

What’s the difference?

“Variability is the effect of chance and is a function of the system. It is not reproducible through either study or further measurement, but may be reduced by changing the physical system” [1]

“Uncertainty is the assessor’s lack of knowledge (level of ignorance) about the parameters that characterize the physical system being modeled. It is sometimes reducible through further measurement or study, or by consulting more experts” [1]

[1] David Vose, Risk Analysis, A Quantitative Guide, 3rd edition, 2008, pp. 47-48

Factor Analysis of Information Risk (FAIR) – Variability and Uncertainty

Page 17: Risk Analysis Webinar

So, now that we have addressed all of that – What is FAIR?

Page 18: Risk Analysis Webinar

Factor Analysis of Information Risk (FAIR) – Defensible Risk Analysis

Framework of interconnected models that describe how key elements of the information risk landscape work.

Models that analyze the underlying dynamics of the information risk landscape.

Developed in 2001 and under continual evolution, FAIR was created by a CISO who was trying to find answers to:

• How much risk do we have?

• How much less/more risk will we have if ...?

• What are our most significant issues?

Page 19: Risk Analysis Webinar

Factor Analysis of Information Risk (FAIR) – Defensible Risk Analysis

Future development underway in 2009-2011 by Aliado Accesso:

Decision Analytics based upon the Value of Additional Information

Opportunity Risk applications

Risk Analysis SaaS delivered by the Aliado Accesso web portal (under development)

Risk Analysis Training via CBT and Instructor-led courses


Page 20: Risk Analysis Webinar

Emphasis on Risk

Logical and Rational Framework

Quantitative

Flexible

Rigorous

Repeatable

Factor Analysis of Information Risk (FAIR) – How is FAIR Different?

Page 21: Risk Analysis Webinar

Prioritize risk issues for metric development and analysis

Identify and compare risk mitigation cost-benefit propositions

Design sophisticated what-if analyses

Business case development for security and risk management initiatives

Strategic development of a risk and security program while augmenting current risk frameworks

Opportunity Risk analysis

Breaking down communication barriers between business units and IT security enabling well-informed business decisions

Factor Analysis of Information Risk (FAIR) – FAIR is being used to…

Pages 22–31: Risk Analysis Webinar

Factor Analysis of Information Risk (FAIR) (only the slide title was captured for these pages)

Page 32: Risk Analysis Webinar

Factor Analysis of Information Risk (FAIR) – The Relationship between Primary and Secondary Loss

Scenario – a laptop is lost or stolen

1) Encryption, no sensitive data – small primary loss, no secondary loss

2) Encryption, sensitive data – small primary loss, no secondary loss

3) No encryption, no sensitive data – small primary loss, no secondary loss

4) No encryption, sensitive data – small primary loss, large secondary loss
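As an added worked example (written for this transcript, not code from the webinar or from Aliado's software), the FAIR definition from page 5, risk as probable frequency times probable magnitude, is carried through the four laptop cases above, both analytically and as a Monte Carlo over calibrated ranges. Every frequency and dollar range below is constructed for illustration, and the triangular distribution is an assumption standing in for whatever calibrated estimate a real analysis would use.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    """Calibrated range (minimum, most likely, maximum), modelled as triangular (an assumption)."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        if self.low == self.high:  # degenerate range such as "no secondary loss"
            return self.low
        return rng.triangular(self.low, self.high, self.likely)

@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Estimate        # Loss Event Frequency: loss events per year
    primary: Estimate    # primary loss per event, dollars (replacement, response)
    secondary: Estimate  # secondary loss per event, dollars (notification, fines, legal)

    def expected_annual_loss(self) -> float:
        """FAIR: risk = probable frequency x probable magnitude, here via the range means."""
        return self.lef.mean() * (self.primary.mean() + self.secondary.mean())

    def simulate(self, trials: int = 20000, seed: int = 7) -> dict:
        """Monte Carlo over the ranges: mean and 10th/50th/90th percentile annual loss."""
        rng = random.Random(seed)
        losses = sorted(self.lef.sample(rng) * (self.primary.sample(rng) + self.secondary.sample(rng))
                        for _ in range(trials))
        pct = lambda p: losses[int(p * (trials - 1))]
        return {"mean": sum(losses) / trials, "p10": pct(0.1), "p50": pct(0.5), "p90": pct(0.9)}

def risk_reduction(before: Scenario, after: Scenario) -> float:
    """Answers 'how much less risk will we have if ...?' in expected dollars per year."""
    return before.expected_annual_loss() - after.expected_annual_loss()

# Constructed inputs for the four laptop cases (illustrative, not figures from the webinar).
LOSS_FREQUENCY = Estimate(1, 3, 6)                      # laptops lost or stolen per year
SMALL_PRIMARY = Estimate(1_500, 2_500, 4_000)           # replace hardware, rebuild, handle incident
NO_SECONDARY = Estimate(0, 0, 0)
LARGE_SECONDARY = Estimate(50_000, 250_000, 1_000_000)  # breach notification, fines, legal costs
LAPTOP_CASES = [Scenario(n, LOSS_FREQUENCY, SMALL_PRIMARY, s) for n, s in [
    ("1) encryption, no sensitive data", NO_SECONDARY), ("2) encryption, sensitive data", NO_SECONDARY),
    ("3) no encryption, no sensitive data", NO_SECONDARY), ("4) no encryption, sensitive data", LARGE_SECONDARY)]]
```

Because encryption changes only the secondary loss magnitude and not how often laptops go missing, `risk_reduction(LAPTOP_CASES[3], LAPTOP_CASES[1])` is the dollar answer to the "how much less risk will we have if ...?" question from page 18, and `LAPTOP_CASES[3].simulate()` shows the spread that a single qualitative "high" would hide.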

Pages 33–38: Risk Analysis Webinar

Factor Analysis of Information Risk (FAIR) (only the slide title was captured for these pages)

Page 39: Risk Analysis Webinar

Mission: Develop risk analysis software and methodologies to deliver education, consulting, and certifications to the enterprise for an accurate and defensible risk management program.

Founded by security professionals who have designed and executed enterprise security programs.

Markets: Retail, Financial Services, Aerospace, Manufacturing, Government, and Education.

Strategic Position: To be the partnering source for the ongoing development of your company’s risk management program and the education of the people who execute the plan.

Factor Analysis of Information Risk (FAIR) – About Aliado

Page 40: Risk Analysis Webinar

Aliado’s risk management software gives organizations the key to translate risk loss exposure into real dollar values so that decision makers can strategically manage their IT Security budget and resources year after year. Our consultants can either implement a program from scratch or validate your current program.

FAIR is a software and methodology for your on-going risk management program.

No more:

• High/Medium/Low Categories

• Checking Boxes for Frameworks

• Implementing the Latest Security Software

• Selling by FUD

Factor Analysis of Information Risk (FAIR) – What Aliado does …

Page 41: Risk Analysis Webinar


Payment Card Industry (PCI)

Privacy

Application Security

Data Loss Prevention (DLP/ILP)

Cloud Computing

Root Cause Analysis

Decision Analysis

Factor Analysis of Information Risk (FAIR) – FAIR Decision Analysis Packages

Page 42: Risk Analysis Webinar


FAIR Decision Analysis Offering - $995

For the month of May, we are offering a special promotion on our FAIRLite risk analysis offering. This assessment includes the following:

Consult with you to perform a FAIRLite quantitative analysis of a single scenario.

Provide a written summary and verbal explanation of the results.

Within 6 months, provide a re-analysis of the same scenario with updated information for $295.

For more information or to sign up, please contact [email protected].

Factor Analysis of Information Risk (FAIR) – FAIR Decision Analysis Offering

Page 43: Risk Analysis Webinar

Jody Keyser

[email protected]

www.aliadocorp.com

1-888-373-0680

Factor Analysis of Information Risk (FAIR) – Contact Us