How IT Auditors Evaluate the Effectiveness of Controls with Risk Quantification

In a previous blog post, I discussed the benefit that auditors discover leveraging the FAIR quantitative analysis model to evaluate the risk associated with IT audit findings. Here, I’d like to spend time discussing another advantage for IT auditors from FAIR : the ability to analyze the effectiveness of controls using a consistent and repeatable model, communicated in financial terms (e.g., dollars and cents). In other words, evaluating controls through the lens of FAIR empowers organizations to directly communicate and make decisions based on the degree of influence that a given control has, in a language that can be understood by the business.

If you have spent time working with audit or risk, you may have heard references to these control categories: technical, process, preventative, physical and compensating. The problem with using these categories with the FAIR model, however, is that they may apply to multiple factors of the model. This is why the FAIR standard proposes a categorization (pictured below) that is mutually exclusive and speaks to how each control impacts risk.

According to the FAIR standard, controls can be categorized into four major buckets

1.  Avoidance controls seek to prevent threats from coming into contact with the targeted assets, thus reducing the Contact Frequency factor of the FAIR model. Examples of avoidance controls include physical security controls and network segmentation.

2.  Deterrence controls seek to deter actors from launching threat events. In other words, reducing the probability that the actor will take action to launch the threat event once it comes into contact with the asset. Examples of deterrence controls include acceptable use policies, network monitoring, and visible security cameras.

3.  Resistance controls seek to keep threat events from becoming loss events by hardening assets against attacks, thus increasing the Resistance Strength factor of the FAIR model. Examples of resistance controls include access management, configuration management, user authentication and patching.

4.  Responsive controls help to detect and break the threat actor’s contact with the asset or minimize subsequent loss thus limiting the severity of a loss event (Loss Magnitude). Examples of responsive controls include data redundancy and encryption.

As mentioned above, categorizing controls according to the FAIR model may help when determining the relative amount of risk associated with audit findings. For example, consider the following control gaps related to an ERP system:

  • One firecall ID was activated without documented approval
  • Patching for ABC server supporting the ERP system was not timely (i.e., high risk vulnerabilities were unpatched for greater than 30 days)
  • Access for two terminated employees was not removed timely from the ERP system
  • Password settings for the ERP system are not configured to align with corporate policy

Each of these findings map to the resistance control category within the FAIR model. Assuming the scenario we are most concerned with here is fraudulent activity on the ERP system by an external actor, we can determine the amount of impact the findings have on our risk model by performing a comparative risk analysis. In our case, this would involve performing a current state FAIR analysis in RiskLens given the control gaps noted above and then using RiskLens’ versioning feature to create a copy of this analysis but then make updates to the Resistance Strength inputs to reflect the increase in these values introduced by remediating the findings.

The below image illustrates the anticipated risk reduction introduced by remediating the above findings. In our example, the overall impact on risk reduction was approximately $400K of annualized loss exposure (the difference between the current and future state risk values).

In this example, the $400K risk reduction introduced by remediating the aforementioned controls may not be justifiable. One possible outcome (with additional analysis modeling using RiskLens’ versioning capabilities) may lead to the conclusion that the key controls that could significantly reduce the amount of risk are ones classified under avoidance (controls that prevent the external actor from coming into contact with the ERP system altogether).

The bottom line is that not all controls play an equal role in reducing risk. However, this is not always an easy message to convey when you use a qualitative risk management method. In contrast, leveraging the FAIR model is a beneficial way to illustrate and communicate the impact of various controls in reducing the amount of risk for a given environment.


RiskLens is the only application purpose built on the FAIR model, the international standard for quantitative cyber and operational risk analysis. RiskLens features “what-if” or “stress test” features that allow the analyst to adjust the effectiveness of various controls to see the potential impact on loss exposure. Support for cyber risk quantification is growing in the risk, security and audit professions: The Wall Street Journal recently reported that “FAIR is gaining traction, especially among large corporations that already have experience with cyberrisk analysis.”

Related:

How to Explain FAIR to Auditors

Making Your IT Audit Job More Than Compliance

When Internal Audit and Infosecurity Teams Play Nice Together