Disclaimer - This article is just a quick overview of a popular model for evaluating cybersecurity risk called Factor Analysis of Information Risk (FAIR). For the official documentation related to FAIR see the site https://www.fairinstitute.org/ and the book Measuring and Managing Information Risk: A FAIR Approach https://www.fairinstitute.org/fair-book
Factor Analysis of Information Risk (FAIR) Overview
For risk analysis to be useful it must have a frequency and magnitude component. This leads to the foundational construct that Risk (for a given scenario) is the Loss Magnitude times the Loss Event Frequency.
Let's delve into some key risk concepts and terms. Among the terms commonly used to assess risk, three stand out: probability, likelihood, and frequency. A notable shortcoming of probability and likelihood lies in their omission of the aspect of frequency. Yet, frequency assumes a pivotal role in effectively quantifying risk analysis. Neglecting to assess events in terms of their occurrence frequency—whether they're isolated instances or recurring over time—hampers the accuracy of risk-related decisions.
The concept of frequency, with its most familiar interval being annual, becomes highly relevant. This permits the conversion of probability percentages into a frequency estimate. For instance, a probability of 5% corresponds to a frequency of an event occurring once in twenty years. It's crucial to clarify that risk analysis doesn't aim to predict outcomes but rather entails forward-looking analysis. Ultimately, risk analysis involves the assessment of temporally-bound probability—a measure of the event's occurrence within a specific time frame.
Loss Event Frequency is the product of Threat Event Frequency and Vulnerability.
The Threat Event Frequency is the number of times a threat agent will take action against an asset/system that could result in a loss. Threat events can be both malicious and non-malicious. For example, a business process or a maintenance task performed in error could be a threat event. However, the threat event only becomes a loss event if the asset/system has a vulnerability that is exploited by the threat.
Threat Event Frequency is composed of Contact Frequency and Probability of Action.
There are three types of contact frequencies:
Random
Regular
Intentional
The Probability of Action by the threat depends on several factors:
The threat agent's perceived value of acting against the asset/system
The threat agent's level of effort required to succeed in its negative action against the asset
The threat agent's level of risk to itself (i.e., getting caught/compromised)
Moving over to Vulnerability: Vulnerability is the combination of Threat Capability and Difficulty (i.e., Resistance Strength). In FAIR, vulnerability is defined as the percentage probability that a threat agent's actions will result in a loss. For example, if there are 100 threat events per year and the asset/system is vulnerable to 10% of them, you can estimate 10 loss events per year.
Some other notes about Vulnerability:
Threat Capability is analyzed on a continuum. The authors of Measuring and Managing Information Risk use the analogy of F1-F5 tornadoes as a continuum used to analyze the capability of tornadoes to cause damage.
The term "vulnerability" is a ubiquitous concept within the realm of cybersecurity. In the context of vulnerability management, it is typically defined as a software flaw, such as a buffer overflow, necessitating a patch. It's important to distinguish a security compliance failure from a patchable software vulnerability. The former refers to an insecure system configuration, like weak password requirements, in violation of a defined hardening standard such as the Center for Internet Security (CIS) benchmark or Security Technical Implementation Guide (STIG) standard. In the FAIR model, both of these factors contribute to the Vulnerability aspect of the asset.
Moving on to the right side of the FAIR model: Loss Magnitude is composed of Primary Loss and Secondary Loss.
Examples of Primary Loss:
Productivity loss. For example, inability to conduct transactions, idle workers, etc.
Lost revenues (Competitive Advantage loss, and Reputation loss)
Incident Response (IR) and Restoration (Response loss)
Replacement loss
Secondary loss can further be broken down into secondary loss event frequency and secondary loss magnitude.
Examples of secondary loss:
Credit monitoring costs for data breaches (Fines and Judgments loss)
Lost market share (Competitive Advantage loss, and Reputation loss)
Civil suits (Fines and Judgments loss)
Factor Analysis of Information Risk (FAIR) - Controls Impact
FAIR defines several types of base level controls:
Avoidance controls - Reduce contact with the asset
Deterrence controls - Monitoring, security cameras, etc.
Resistance controls - Hardening systems, complex passwords, etc.
Responsive controls - IP blocking, Incident Response (IR), etc.
Loss controls - Disaster recovery, backups, Incident Response (IR), etc.
Mapping some example controls onto the FAIR model shows the impact each control can have on the final result, because each control type reduces a specific factor of the model.
Other types of controls that provide additional benefit include:
Variance controls - The goal is to minimize asset variance over time (i.e., policies, standards, security awareness training, etc.). For example, patching an operating system so that it can no longer be exploited.
Capability controls - Training workers so they don't make errors, documentation, process simplification.
Decision making controls - The identification, alignment and correction of cybersecurity decisions that impact risk to the organization
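The FAIR factor tree described above (Risk = Loss Event Frequency x Loss Magnitude, Loss Event Frequency = Threat Event Frequency x Vulnerability, Threat Event Frequency = Contact Frequency x Probability of Action, Loss Magnitude = Primary Loss + Secondary Loss) together with the controls impact, worked through as an added example; this is not code from the original article or from the FAIR Institute. The point-estimate arithmetic, the per-control reduction fractions and the baseline figures are constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    """Point estimates for one FAIR loss scenario (constructed sample values)."""
    contact_frequency: float               # threat-agent contacts with the asset per year
    probability_of_action: float           # 0..1: share of contacts that become threat events
    vulnerability: float                   # 0..1: share of threat events that become loss events
    primary_loss: float                    # currency per loss event (productivity, response, ...)
    secondary_loss_event_frequency: float  # 0..1: share of loss events that trigger secondary loss
    secondary_loss_magnitude: float        # currency per secondary loss event (fines, suits, ...)

def threat_event_frequency(s):  # Threat Event Frequency = Contact Frequency x Probability of Action
    return s.contact_frequency * s.probability_of_action

def loss_event_frequency(s):  # Loss Event Frequency = Threat Event Frequency x Vulnerability
    return threat_event_frequency(s) * s.vulnerability

def loss_magnitude(s):  # Loss Magnitude = Primary Loss + Secondary LEF x Secondary Loss Magnitude
    return s.primary_loss + s.secondary_loss_event_frequency * s.secondary_loss_magnitude

def annualized_risk(s):  # Risk = Loss Event Frequency x Loss Magnitude (expected loss per year)
    return loss_event_frequency(s) * loss_magnitude(s)

# Each base-level control type acts on one factor of the tree. The reduction
# fractions are assumptions chosen for illustration, not FAIR-defined values.
CONTROL_EFFECTS = {
    "avoidance":  ("contact_frequency", 0.50),              # e.g. segmentation cuts contacts
    "deterrence": ("probability_of_action", 0.20),          # e.g. visible monitoring/cameras
    "resistance": ("vulnerability", 0.60),                  # e.g. CIS/STIG hardening, strong auth
    "responsive": ("primary_loss", 0.30),                   # e.g. faster IR and IP blocking
    "loss":       ("secondary_loss_event_frequency", 0.40), # e.g. tested backups and DR
}

def apply_controls(s, controls):
    """Return a new scenario with each named control's factor reduced by its fraction."""
    for name in controls:
        field, reduction = CONTROL_EFFECTS[name]
        s = replace(s, **{field: getattr(s, field) * (1 - reduction)})
    return s

# Constructed baseline: 100 threat events/yr, 10% vulnerable -> 10 loss events/yr (as in the text)
BASELINE = Scenario(contact_frequency=200, probability_of_action=0.5, vulnerability=0.10,
                    primary_loss=20_000, secondary_loss_event_frequency=0.25,
                    secondary_loss_magnitude=100_000)

if __name__ == "__main__":
    hardened = apply_controls(BASELINE, ["resistance", "loss"])
    for label, s in (("baseline", BASELINE), ("hardened", hardened)):
        print(f"{label}: LEF={loss_event_frequency(s):.2f}/yr LM={loss_magnitude(s):,.0f} risk={annualized_risk(s):,.0f}/yr")
```

A real FAIR analysis uses calibrated min/most-likely/max ranges and Monte Carlo simulation rather than single point estimates; the same factor functions can be applied to each simulated draw.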