Many people believe that FAIR focuses strictly on quantitative risk statements, but they couldn’t be further from the truth. The numbers simply allow us to recognize conditions and convey information better than we could do in any other way. Sometimes, however, numbers don’t tell the whole story.
In this post I’ll describe two conditions defined within the FAIR framework that help us to ensure management understands the nature of some risk scenarios that would be very difficult to describe quantitatively or qualitatively.
Suppose we have a scenario where the threat landscape is very active but, due to a single extremely effective control, we actually have a very low probability of loss. If we were to plot this condition as a point on an X-Y chart, it might look something like this:
Now, if all we provided management was this point on a chart, there’s a decent chance they’d be fine with it. After all, the frequency is low and the magnitude isn’t outlandish. What isn’t conveyed in the chart, however, is that if the single control fails, the point moves rapidly to the right — i.e., there is no “grace period” or window of time in which we might avoid compromise. The threat event frequency is just too high.
In order for a decision-maker to make a well-informed decision about how to manage the risk scenario, they need to understand both the amount of current risk as well as the implications associated with the condition’s fragile nature. With this information they may decide to introduce another layer of protection (defense-in-depth) and/or apply measures that make the control more robust and less likely to fail. Or, of course, they may decide to do nothing, but at least it would be an informed choice.
Another scenario can exist where threat activity is inherently low but we have few or no resistive measures in place — i.e., our vulnerability is high. Here again, the point on an X-Y chart would look just like the fragile condition above, and management might not be too concerned. What the numbers don’t tell us though, is that we’re essentially rolling the dice every day and counting on bad things not happening. We aren’t actively managing the situation.
Here again, by letting management know about the unstable nature of the scenario, they’re able to make an informed decision about their control options.
Another important aspect of unstable conditions is that in some cases the lack of preventative controls may be construed as an absence of due diligence by external stakeholders — particularly if something bad happens.
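As an added illustration (not from the original post), the following Python models the two scenarios above using FAIR’s loss event frequency = threat event frequency × vulnerability, and shows why the same point on the chart can hide a fragile or an unstable condition. The thresholds, sample numbers and the `resistive_controls` field are assumptions for the illustration, not FAIR-defined values.

```python
"""Flag FAIR 'fragile' and 'unstable' conditions that a single LEF point hides.

FAIR: loss event frequency (LEF) = threat event frequency (TEF) x vulnerability,
where vulnerability is the probability that a threat event becomes a loss event.
The thresholds below are illustrative assumptions, not values defined by FAIR.
"""
from dataclasses import dataclass

TEF_HIGH = 10.0   # assumed: >= 10 threat events/year counts as an active landscape
VULN_LOW = 0.05   # assumed: <= 5% chance a threat event succeeds is "well controlled"
VULN_HIGH = 0.5   # assumed: >= 50% success chance means little effective resistance


@dataclass
class Scenario:
    name: str
    tef: float               # threat events per year
    vulnerability: float     # P(threat event becomes loss event), 0..1
    resistive_controls: int  # assumed field: independent controls behind that vulnerability

    def lef(self) -> float:
        """Current loss event frequency: the point management sees on the chart."""
        return self.tef * self.vulnerability

    def lef_if_control_fails(self) -> float:
        """Where the point moves if the only control fails: nothing else resists."""
        return self.tef if self.resistive_controls <= 1 else self.lef()

    def condition(self) -> str:
        """Classify the scenario as fragile, unstable, or neither (stable)."""
        if (self.tef >= TEF_HIGH and self.vulnerability <= VULN_LOW
                and self.resistive_controls == 1):
            return "fragile"    # active threat, low LEF only because of one control
        if self.tef < TEF_HIGH and self.vulnerability >= VULN_HIGH:
            return "unstable"   # quiet threat, LEF low only because nobody is trying
        return "stable"


# Constructed sample scenarios: both land on the same LEF point (0.5 losses/year)
FRAGILE = Scenario("active threat, one strong control", 50.0, 0.01, 1)
UNSTABLE = Scenario("quiet threat, no real controls", 0.5, 1.0, 0)


def report(s: Scenario) -> dict:
    """Summarise what the chart shows plus what it hides."""
    return {"name": s.name, "lef": s.lef(),
            "lef_if_control_fails": s.lef_if_control_fails(),
            "condition": s.condition()}


if __name__ == "__main__":
    for scenario in (FRAGILE, UNSTABLE):
        print(report(scenario))
```

Both scenarios report the same `lef`, but only the fragile one jumps from 0.5 to 50 loss events per year when its single control fails, which is the information the chart alone would not convey.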
Why it matters
Many of us would intuitively recognize the nature of these conditions when evaluating a scenario, so you may be asking what the big deal is about formalizing their definition. Well, because it’s difficult to convey these conditions quantitatively or qualitatively, what tends to happen is that people “adjust” the assigned risk level for scenarios like these so they’ll land in the high-risk category — essentially equating these scenarios to scenarios where the loss event frequency is actually high. Unfortunately, in doing so they misinform their decision-makers. The fact is, these conditions are importantly different from scenarios where the frequency/likelihood of loss is high, and management needs to recognize this difference and decide accordingly.