In my last post, I discussed the importance of scoping in risk analysis. When done well, identifying and gathering the data for a risk analysis is straightforward, stress-free and produces a result that meets the expectations of your stakeholders. On the other hand, when done poorly, ill-conceived assumptions and rushed thinking lead to additional work and ultimately a subpar analysis. Now, before I leave this topic entirely, I feel the need to further outline the importance of scoping’s relied upon counterpart…assumptions.
If you think back to every decision or every action taken throughout the course of the day, consciously or unconsciously, a series of assumptions formed the basis for your decision or action. Some of them I’m sure were well grounded in facts and experience, ultimately leading you to the desired result; while others, were made from ill-conceived ideas and limited understanding of a concept, which in turn did not lead you to the expected outcome. Assumptions possess an awesome power: they can be our friend or our foe. And just like in everyday life, assumptions play an equally important role in scoping an analysis.
To show you what I mean, let’s walk through an example. Let’s say this is the scenario we’d like to quantify:
“Active Directory credentials belonging to an employee are compromised and used by cyber criminals to fraudulently transfer funds to an outside bank account.”
Looks like a pretty good start according to the FAIR risk model, right? We have identified a:
- Threat actor: cyber criminals
- Threat effect: integrity, i. e. the alteration of client data facilitated the loss
- And even a loss event: the fraudulent transfer of funds
Yet underlying this analysis are a series of assumptions that have yet to be surfaced:
- Whose funds are we talking about? The bank’s funds? Their client’s funds?
- What is the asset, or assets we’re concerned with? Would we be looking to combine them into one asset for the scenario’s purpose, or would we need to break them out?
- What are the ways in which credentials are compromised and are we looking to include them all in the analysis?
- Are there different ways by which to transfer funds? If so, are we looking to consider them all or just specific ones?
- Does this scenario meet the purpose of the analysis, i.e. will it provide the necessary information to make a decision?
I’m sure there are more that you can think of, but hopefully, you get my point. Surfacing assumptions are critical during the scoping process, especially if performing a risk analysis with a group. The other people involved in the analysis do not live in your head, and thus at best only have vague understandings and inferences of what you were thinking and considering when scoping an analysis. To ensure that you are all on the same page, and ultimately working towards the same end goal, I advocate discussion, or better yet, writing out all the assumptions being made for an analysis.
Now to some, this practice may sound like I’m encouraging you to get very specific and granular about your analysis. Sometimes this is true by virtue of the decision we’re trying to inform. It requires that we get more specific and granular, yet, the overarching point that I’d like to get across is to be as clear as possible. Lay everything on the table to understand ahead of gathering any data, what is, and is not being considered as part of the analysis. By taking this approach, you will absolutely reduce the chances of having to do additional work half way through, or after the analysis is run.