Cyber Risk Landscape Clarity: Putting Your Risk Ecosystem in Context with FAIR

March 21, 2022  Taylor Maze

I have a confession to make. Prior to joining RiskLens, the only “fair” I knew was the county one by my house with great lemonade. Like many of you, I had to start at the most basic level before getting to the point I am at today with Factor Analysis of Information Risk (FAIR™). While a learning curve is to be expected with any new thing, the one for learning the benefits and use cases of FAIR is not particularly steep. The reason?


Taylor Maze is a risk consultant and product manager for RiskLens


Context.

FAIR is all about context.

It takes all the component parts of your organization that people think about in different ways and brings them together so you can understand the ecosystem at large. In a FAIR risk quantification program, we call that establishing risk landscape clarity.

What is risk landscape clarity?

It is putting in context the things we are trying to understand and manage. From a risk perspective, context focuses on:

  • The concerns that are the most prevalent (and grounded in reality)
  • The areas in the business most likely to be impacted by an event
  • The areas that would cause the greatest harm if impacted, and
  • The events most likely to cause those impacts.

This context is what lets you prioritize an endless infosec to-do list and decide which problems to tackle first and which can wait. It can also help you identify where you may be able to reduce control investment, or where your existing control investments aren’t pulling their weight. It all comes back to the ability to make effective decisions, and it all starts with three main components: concerns, assets, and threats.

Concerns

Concerns are the high-level themes or ideas that likely keep you and your executives up at night. These tend to be centered around data breaches (confidentiality) and business interruption events (availability). You may also be worried about integrity events such as fraud or account takeover.

Assets

Each component acts as a building block on top of the previous one. Now that the concerns are documented, the next step is to determine which assets (systems or other things of value) are most likely to be targeted or impacted in those events. This isn’t an exact science, but it’s important to remember that you never want to boil the ocean. It’s better to focus on the bigger, more impactful systems first than to try to document every single system.

You can always circle back and do the same exercise again with a lower tier of assets.

At the end of this component, you should have a list something like this:

Data Breaches:

  • Customer Database
  • Key HR Database
  • IP Database

Business Interruptions:

  • Customer-Facing Web App
  • Support Portal
  • Data Center

Integrity:

  • Customer-Facing Web App
  • Customer Database
  • Key HR Database

It will vary by company, but I’d expect anywhere from 3-10 systems per category.

Threats

Now that you have identified the assets most applicable to your concerns, you need to think about which threat actors would be most likely to impact those assets, intentionally or unintentionally. At the most basic level, ask whether an external actor, a malicious employee, or an employee making a mistake is the most likely cause of the event.

Some concern and asset combinations will have more than one threat actor in scope for them, but you should try to keep the list as short as possible. The emphasis here is on the most probable combinations, not all possible.

Now your list should look something like this:

Data Breaches:

Customer Database

  • External actor
  • Employee error

Key HR Database

  • Malicious employee

IP Database

  • Malicious employee

Business Interruptions:

Customer-Facing Web App

  • Employee error
  • External actor

Support Portal

  • Employee error

Data Center

  • External actor

Integrity:

Customer-Facing Web App

  • External actor

Customer Database

  • External actor
  • Employee error

Key HR Database

  • Employee error

At this point the hardest part is over. Now that you have clearly defined your loss events (in FAIR we call this scoping), you can begin quantifying them.

While that might sound intimidating, it is once again primarily a matter of gathering specific information about your business, along with data from your industry, and bringing it together to create a shared context.
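As an added example (not code from this post, nor RiskLens’ own analysis engine), here is what carrying the scoped list above into a simple FAIR-style quantification looks like. Each scoped scenario is a concern, an asset and a threat actor; for each, an annual loss-event frequency range and a per-event loss magnitude range are estimated, and a Monte Carlo simulation turns them into an annualized loss exposure so the scenarios can be ranked. The scenario triples are taken from the example list above; the frequency and dollar ranges are constructed placeholders, not industry data, and triangular distributions stand in for the calibrated PERT estimates a real FAIR analysis would use.

```python
import math
import random
from collections import namedtuple

# One scoped loss-event scenario (concern x asset x threat actor) plus
# estimate ranges as (min, most likely, max). lef is loss events per year;
# loss is USD per event.
Scenario = namedtuple("Scenario", "concern asset actor lef loss")

# Constructed sample scope. The triples follow the post's example list; the
# numeric ranges are illustrative assumptions only.
SCOPE = [
    Scenario("Data Breach", "Customer Database", "External actor",
             lef=(0.1, 0.5, 2.0), loss=(50_000, 200_000, 1_500_000)),
    Scenario("Data Breach", "Customer Database", "Employee error",
             lef=(0.2, 1.0, 3.0), loss=(10_000, 40_000, 300_000)),
    Scenario("Data Breach", "Key HR Database", "Malicious employee",
             lef=(0.02, 0.1, 0.5), loss=(100_000, 400_000, 2_000_000)),
    Scenario("Business Interruption", "Customer-Facing Web App", "Employee error",
             lef=(1.0, 3.0, 8.0), loss=(5_000, 25_000, 150_000)),
    Scenario("Business Interruption", "Data Center", "External actor",
             lef=(0.01, 0.05, 0.3), loss=(500_000, 2_000_000, 10_000_000)),
    Scenario("Integrity", "Customer-Facing Web App", "External actor",
             lef=(0.3, 1.0, 4.0), loss=(20_000, 80_000, 600_000)),
]


def _poisson(rng, lam):
    """Knuth's method: how many events occur in one year at rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, trials=20_000, seed=0):
    """Return simulated total losses for `trials` one-year periods.

    Per year: draw a loss-event frequency from the LEF range, draw the number
    of events that actually occur at that rate, then sum a loss magnitude
    drawn from the loss range for each event (FAIR's LEF x LM, simulated).
    """
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode)
        lef = rng.triangular(scenario.lef[0], scenario.lef[2], scenario.lef[1])
        events = _poisson(rng, lef)
        years.append(sum(
            rng.triangular(scenario.loss[0], scenario.loss[2], scenario.loss[1])
            for _ in range(events)))
    return years


def summarize(years):
    """Mean annualized loss exposure and the 90th-percentile year."""
    ordered = sorted(years)
    return {
        "mean_ale": sum(years) / len(years),
        "p90": ordered[int(0.9 * (len(ordered) - 1))],
    }


def rank_scope(scope=SCOPE, trials=20_000, seed=0):
    """Quantify every scoped scenario and order by mean ALE, highest first."""
    results = []
    for s in scope:
        stats = summarize(simulate_annual_loss(s, trials, seed))
        results.append(((s.concern, s.asset, s.actor), stats))
    results.sort(key=lambda item: item[1]["mean_ale"], reverse=True)
    return results


if __name__ == "__main__":
    for (concern, asset, actor), stats in rank_scope():
        print(f"{concern:22} {asset:24} {actor:18} "
              f"mean ALE ${stats['mean_ale']:>12,.0f}  p90 ${stats['p90']:>12,.0f}")
```

The ranking is the decision-support output the post describes: the scenarios at the top are where control investment is most likely to pay off, and a scenario whose p90 year dwarfs its mean is one where a single bad event, not frequency, drives the exposure. Changing an estimate range and re-running is also the quickest way to see which inputs the ranking is sensitive to, which tells you where better data is worth collecting.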

Learn more from additional resources:

The FAIR Model Explained in 90 Seconds

CRQ for All Webinar: My Cyber Risk Benchmark Tool
