Welcome to the CXOWARE blog. We hope you’ll join us for lively and good natured discussion about risk and risk issues!  We’re risk geeks, plain and simple. We’re big advocates of the Factor Analysis of Information Risk (FAIR) framework for quantifying risk.

More than just numbers

By: Jack Jones

Find me on:

Many people believe that FAIR focuses strictly on quantitative risk statements, but they couldn’t be further from the truth. The numbers simply allow us to recognize conditions and convey information better than we could do in any other way. Sometimes, however, numbers don’t tell the whole story.

In this post I’ll describe two conditions defined within the FAIR framework that help us to ensure management understands the nature of some risk scenarios that would be very difficult to describe quantitatively or qualitatively.

Fragile conditions

Suppose we have a scenario where the threat landscape is very active but, due to a single extremely effective control, we actually have a very low probability of loss. If we were to plot this condition as a point on an X-Y chart, it might look something like this:

Now, if all we provided management was this point on a chart, there’s a decent chance they’d be fine with it. After all, the frequency is low and the magnitude isn’t outlandish. What isn’t conveyed in the chart however, is the fact that if the single control fails, the point moves rapidly to the right — i.e., there is no “grace period” or window of time in which we might avoid compromise. The threat event frequency is just too high.

In order for a decision-maker to make a well-informed decision about how to manage the risk scenario, they need to understand both the amount of current risk as well as the implications associated with the condition’s fragile nature. With this information they may decide to introduce another layer of protection (defense-in-depth) and/or apply measures that make the control more robust and less likely to fail. Or, of course, they may decide to do nothing, but at least it would be an informed choice.

Unstable conditions

Another scenario can exist where threat activity is inherently low but we have few or no resistive measures in place — i.e., our vulnerability is high. Here again, the point on an X-Y chart would look just like the fragile condition above, and management might not be too concerned. What the numbers don’t tell us though, is that we’re essentially rolling the dice every day and counting on bad things not happening. We aren’t actively managing the situation.

Here again, by letting management know about the unstable nature of the scenario, they’re able to make an informed decision about their control options.

Another important aspect of unstable conditions is that in some cases the lack of preventative controls may be construed as an absence of due diligence by external stakeholders — particularly if something bad happens.

Why it matters

Many of us would intuitively recognize the nature of these conditions when evaluating a scenario, so you may be asking what the big deal is about formalizing their definition. Well, because it’s difficult to convey these conditions quantitatively or qualitatively, what tends to happen is that people “adjust” the assigned risk level for scenarios like these so they’ll land in the high-risk category — essentially equating these scenarios to scenarios where the loss event frequency is actually high. Unfortunately, in doing so they misinform their decision-makers. The fact is, these conditions are importantly different from scenarios where the frequency/likelihood of loss are high, and management needs to recognize this difference and decide accordingly.

About The Author

Jack Jones
Jack Jones is the EVP of R&D and a Founder of RiskLens. He has worked in technology for over 30 years, the past 28 years in information security and risk management. He has a decade of experience as a Chief Information Security Officer (CISO) with three different companies, including a Fortune 100 financial services company. His work there was recognized in 2006 when he received the Information Systems Security Association (ISSA) Excellence in the Field of Security Practices award. In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012, he was honored with the CSO Compass Award for leadership in risk management. Jones, who lives in Spokane, Washington, has served on the ISACA CRISC Certification Committee and RiskIT Task Force, as well as the ISC2 Ethics Committee. He is the author and creator of the Factor Analysis of Information Risk (FAIR) framework. He writes about that system in his book Measuring and Managing Information Risk: A FAIR Approach, which was inducted into the Cyber Security Canon in 2016, as a must-read in the profession.