Forget what you’re thinking; gathering data for FAIR risk analysis is actually a multiple-step process that takes a careful plan. I am going to break down some steps that I find to be the most important and value-adding based on my experience.
1. The Prep
This is one we often don’t think about as being its own step. We have the analysis scoped and we can just start reaching out to individuals in the business, asking for data, right? I’m sorry my friend, but it is not that simple.You need to go into any data gathering session with a game plan.
I start by first, scoping the analysis in the RiskLens application and going over the workshop questions I need to answer for the analysis, eliminating any that may not be relevant for my scenario (e.g. Loss Types, Data Types, etc.). Not only is this an important step, but it will also help you to "zero out" some questions.
Now that you know what data you need, start by identifying subject matter experts (SMEs) in your organization who can answer these questions for you. If you have one person who can answer multiple data points, great!
This is one of most vital steps for a successful analysis, if you can get the right people in the room, on the phone, or contacted over email you are just that much closer to having a solid, defensible analysis.
2. The Session
This next piece is partially prep, but also very important during the session. I once heard ‘ No agenda, no attenda” and it is something I will never forget. You can’t expect to schedule a meeting with someone in the business and that they'll come prepared with data if you don’t even brief them on what you will be discussing.
Start with a one-liner to explain the scope of the analysis and list out just a few bullet points, explaining high-level what kind of data you’ll be asking for. Maybe you are asking for the resistance strength of a certain database that you’re concerned about getting breached. You could start by asking:
What controls are in place to prevent a cybercriminal from getting onto database X?
What percent of the time would these controls prevent a cybercriminal from getting onto database X?
Min: %/time
Max: %/time
Another helpful tip is to anticipate the outcome of the meeting, prepare for the worst. Have some tricks in your back pocket if you aren’t able to come to a data point in the original way you planned.
Say you originally planned to estimate reputation damage with a loss in market share, maybe your SME has no knowledge of this, but does have estimates of how many customers you could potentially lose if you were to experience a data breach – run with it!
3. The Inputs
It’s good to gather data, or sometimes let your SMEs talk a bit, so you can learn about their business processes, controls, etc., but avoid getting too far into the weeds. Think of the law of diminishing returns – we want to get valuable data, but we don’t want to take a week of our SMEs time to get there, unless they are extremely willing. Most people don’t have the time or patience to sit around with us every time we need data. If your SME starts going off on a tangent, try to reel them back in and revisit what outcome you are really trying to get.
As time goes on you may become more and more familiar with the data gathering process and may be able to skip some of these steps, or at least fly by them. Be sure to carefully plan out your sessions so you can get the most out of them and you walk away with defensible data – because defensible data = defensible analysis. Add in any and all rationale to the workshop so you can come back to the analysis at any time and know where you got it from and how you arrived there, in case you are questioned.