To Make Your Risk Management Program Fly, First Fix Your Language

August 20, 2019  Rebecca Merritt

In 1999, NASA lost its $125-million Mars Climate Orbiter because the navigation team used the metric system to operate the spacecraft while the manufacturer had set it up to run on the English inches/feet/pounds system. “It is going to be the cautionary tale until the end of time,” a leading scientist said back then.

Well, as RiskLens risk consultants, we still see the Mars Orbiter syndrome in organizations all the time.

Think about it for a moment:

  • How do you define risk, threat, assets, and vulnerability?
  • Do each of the terms have the same meaning amongst the peers on your team?  How about your organization?

It’s been our experience that each of these can and do have differing definitions within an organization (and throughout the industry) which makes holding a meaningful conversation among risk professionals difficult to say the least.

And that’s why we introduce our clients to Factor Analysis for Information Risk – the FAIR standard.

As Jack Jones, creator of FAIR, explains in his book, Managing and Measuring Information Risk, although definitions already exist within the information security landscape, none provide a clear and logical representation of the fundamental problem our profession is tasked with managing – the frequency and magnitude of loss.

One of my favorite examples in Jack’s book talks about how risk professionals interpret something like a threat incorrectly.  As Jack writes, “Someone might refer to a puddle of water on the floor as a ‘threat’, when in fact it is not. It is passive, inanimate, and not an actor in any meaningful way. A person stepping on it is the threat actor.”

At RiskLens we follow a standard set of terms from the FAIR methodology that can be used across the risk profession. We define those key words that we use daily as:

  • Risk: The probable frequency and probable magnitude of future loss, i.e. how often bad things are likely to happen, and how bad they’re likely to be when do happen.
  • Threat: Any agent capable of acting against an asset (human–like a criminal, technological–like a self-propagating virus, or natural–like a tornado) that can result in loss.
  • Asset: Anything that can be affected in a manner that results in loss. Examples include: facilities, data, systems, people, etc.
  • Vulnerability: A derived value that represents the probability that a threat agent’s actions will result in loss.

What’s more, the FAIR model shows how the key terms stand in relation to each other, flowing upward to define risk.

This is just a broad overview of key terms; to go deeper read the FAIR book. But the beauty of FAIR’s approach to measurement is that you don’t need to change your existing risk models—or even use the RiskLens platform—to start to benefit.

Start with the highest level of the FAIR model (risk = probable frequency and probable magnitude of future loss), apply it to the pain points of your organization, get your colleagues onboard, and you’re on your way to saving your risk management team from the Mars Orbiter syndrome.

For more tips on how to move your organization toward an effective, business-focussed form of risk management, read the eBook by Jack Jones, An Executive’s Guide to Cyber Risk Economics.