We like to say that the RiskLens platform is built on Factor Analysis of Information Risk (FAIR™) – but what does that mean exactly? Let me show you three ways that the platform starts you off on the risk analysis process with can’t-miss guidance.
As a Customer Implementation Specialist at RiskLens, I introduce and train new clients on the RiskLens platform. I always recommend that clients assigned to work with the platform complete our FAIR Analysis Fundamentals Course. The course is taught by RiskLens staff, online and live, with the goal of introducing learners to the FAIR quantitative risk analysis model and the foundational concepts involved in performing FAIR analyses. However, the platform is designed to be intuitive and RiskLens also offers quick training as part of onboarding that enables anyone to get started quickly.
What is the FAIR Standard? See this Infographic showing all the factors in Factor Analysis of Information Risk and how they are combined in risk analysis.
1. '1-1-1-1' Risk Scoping Equation
Scoping your loss event (or Risk Scenario) is the first and most crucial step in performing a risk analysis. The RiskLens platform requires that each Risk Scenario performed contain one and only one of each of the following four 'Scenario Components':
- Asset at Risk
- Threat Actor
- Threat Type (Malicious, Error, Failure, or Natural)
- Effect (Confidentiality, Integrity, or Availability).
Enforcing the existence of these 'Scenario Components' and requiring them to be singular, ensures that the scenario to be analyzed will be clearly understood by the subject matter experts you need to supply the data, and can be measured quantitatively by analysts.
2. Logical Risk Scoping Statement
The RiskLens platform also helps ensure that the last three chosen Scenario Components noted above (Threat Actor, Threat Type, and Effect) are logically composed.
For example, the RiskLens platform will not allow you to select a Threat Type of 'Error' and attribute it to an 'External Malicious Actor.' External Actors (due to their malicious nature) cannot cause an accidental ('Error') loss event to occur - e.g., a system outage (Availability Effect) or unauthorized disclosure of sensitive information (Confidentiality Effect).
RiskLens makes each of the Scenario Component selections simple by providing a system-generated drop-down-list of options and enforcing the logical associations of the components in real-time.
Further, RiskLens introduces a fifth Scenario Component when building a loss event scenario called 'Method and Sub-Method Categories'. This optional component defines the attack vector or method that the threat actor will take – providing a more precise and clear loss event scope. These also, in real-time, are filtered only to be logical associations of the other Scenario Components that have been selected.
Here's a screenshot of the Threat Event Builder in the Platform for the scenario of
“Malicious External Actor attempting Code Exploitation by Client Side targeting an Application resulting in a Loss of Confidentiality”
3. Scenario Workshop Questions Grouped by FAIR Standard
Finally, the RiskLens platform Scenario Analysis Workshop was purposefully designed to mirror the FAIR structure by categorizing quantitative analysis questions under four Workshop tabs:
- Threat Event Frequency
- Primary Loss Magnitude
- Secondary Loss Magnitude
This structure allows a FAIR trained analyst to mentally classify the analysis process into a logical flow.
RiskLens platform screenshot of the Workshop Question Categories:
Where does a FAIR analysis go from this point? Watch this video introduction to the RiskLens platform.