10. Risk Management Framework Example - FAIR

ND545 C4 L3 06 Risk Management Framework Example - Fair

Factor Analysis of Information Risk (FAIR) takes a slightly different approach to risk management. Instead of the abstract low, medium, and high risk ratings that we’re used to, FAIR proposes a model to measure Value at Risk (VaR). Value at Risk is intended to measure the value of any data, systems, processes, reputation, relationships, etc. that might be affected as the result of a risk occurrence. In other words, VaR assigns a dollar value to a risk’s impact. The model also requires an estimate of the rate of occurrence in order to reach the total value at risk over a specific period of time: if you expect a risk to occur 4 times per year, then the value of the affected assets is multiplied by 4 to reach the anticipated VaR for the year.

The benefit of this approach is that it removes some of the ambiguity and bias that can be present when rating risks as low, medium, high, critical, etc. It creates a financial risk target that risk managers can attempt to reduce by applying specific controls. The challenge is that this approach can require much more effort than traditional approaches: the value of data, customer relationships, and other information can be difficult to calculate, and security controls won’t always apply directly to the risk in question.

You can use the link below to access the FAIR-U risk assessment tool. The tool can be used to perform single FAIR model-based assessments and learn more about how FAIR works:
https://www.fairinstitute.org/fair-u

FAIR Walkthrough

ND545 C4 L3 07 Example Risk Management Framework - FAIR Video Walkthrough

If you navigate to the FAIR website, you can access a free FAIR Risk tool where you can create guided risk assessments based on the FAIR model. Prior to attempting your own assessment, you should spend some time walking through the Example Phishing Database Breach assessment.

The FAIR-U tool can be found here: https://www.fairinstitute.org/fair-u

You can see here that Annual Loss Exposure is calculated from Loss Event Frequency (likelihood) and Loss Magnitude (impact). Loss Event Frequency is based on an estimate of how many times an event might occur per year, given the assessor’s knowledge of the business, the specific risk, and the organization’s defenses against it. Loss Magnitude is based on the expected Primary Loss (direct financial consequences) and Secondary Loss. Secondary Losses are those that might result from reputation damage, customer loss, or other factors.
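The two calculations described above (VaR as per-event loss multiplied by expected frequency, and Annual Loss Exposure as Loss Event Frequency times Primary plus Secondary Loss) can be reproduced in a few lines. The following Python is an added example and is not code from FAIR-U or the FAIR Institute; the dollar figures and frequencies in it are constructed to illustrate the walkthrough, not the tool’s actual inputs, and a triangular distribution stands in for the PERT distribution FAIR-U uses. It computes a most-likely point estimate, runs a Monte Carlo simulation to get a median and maximum annual loss like the tool reports, and compares a control that lowers frequency against one that lowers magnitude.

```python
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum / most likely / maximum).

    FAIR asks for ranges rather than single numbers. A triangular
    distribution is used here as a simple stand-in for FAIR's PERT curve.
    """
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """Top-level FAIR factors for one loss scenario."""
    loss_event_frequency: Estimate  # loss events per year
    primary_loss: Estimate          # direct dollar loss per event
    secondary_loss: Estimate        # reputation / customer-loss dollars per event


def point_ale(scenario: Scenario) -> float:
    """ALE from the most-likely values: LEF x (Primary Loss + Secondary Loss)."""
    loss_magnitude = scenario.primary_loss.likely + scenario.secondary_loss.likely
    return scenario.loss_event_frequency.likely * loss_magnitude


def _poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year for an annual rate (Knuth's method)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_ale(scenario: Scenario, iterations: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo distribution of annual loss: sample a frequency, draw that
    many events, and sum each event's primary + secondary loss."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(iterations):
        rate = scenario.loss_event_frequency.sample(rng)
        total = 0.0
        for _ in range(_poisson(rng, rate)):
            total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        yearly.append(total)
    yearly.sort()
    return {
        "min": yearly[0],
        "median": statistics.median(yearly),
        "mean": statistics.fmean(yearly),
        "p90": yearly[int(0.9 * (iterations - 1))],
        "max": yearly[-1],
    }


def control_benefit(baseline: Scenario, with_control: Scenario, **kw) -> float:
    """Reduction in mean annual loss a control buys; compare this to its cost."""
    return simulate_ale(baseline, **kw)["mean"] - simulate_ale(with_control, **kw)["mean"]


# Constructed inputs (not FAIR-U's own numbers): roughly two phishing-driven
# breaches per year, each costing about $1.2M in primary plus secondary loss.
PHISHING = Scenario(
    loss_event_frequency=Estimate(0.5, 2.0, 4.0),
    primary_loss=Estimate(300_000, 900_000, 2_500_000),
    secondary_loss=Estimate(50_000, 300_000, 1_500_000),
)

# Two hypothetical controls: anti-phishing lowers how often events occur,
# datastore hardening lowers how much each event costs.
ANTI_PHISHING = replace(PHISHING, loss_event_frequency=Estimate(0.1, 0.5, 1.5))
DATASTORE_HARDENING = replace(
    PHISHING,
    primary_loss=Estimate(100_000, 300_000, 900_000),
    secondary_loss=Estimate(20_000, 100_000, 500_000),
)

if __name__ == "__main__":
    print(f"point-estimate ALE: ${point_ale(PHISHING):,.0f}")
    for name, s in [("baseline", PHISHING), ("anti-phishing", ANTI_PHISHING),
                    ("datastore", DATASTORE_HARDENING)]:
        r = simulate_ale(s)
        print(f"{name:14s} median ${r['median']:,.0f}  p90 ${r['p90']:,.0f}  max ${r['max']:,.0f}")
    for name, s in [("anti-phishing", ANTI_PHISHING), ("datastore", DATASTORE_HARDENING)]:
        print(f"{name} reduces mean annual loss by about ${control_benefit(PHISHING, s):,.0f}")
```

The point estimate reproduces the simple multiplication from the text (2 events × $1.2M = $2.4M), while the simulated median and maximum show why FAIR-U reports a range rather than one number: the tails come from years with more events or larger-than-typical losses. The `control_benefit` comparison is how a FAIR practitioner decides between spending on frequency reduction and spending on magnitude reduction, since each control changes a different factor in the model.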

In this example, you can see that the median expected loss based on a successful phishing event is $2.4M and the maximum expected loss is $7.1M. I think this demonstrates some of the controversy related to putting a price tag on security risk. Assuming that the risk is calculated correctly at $2.4M-$7.4M on an expected 2 phishing events yearly, it would make sense that the organization would be willing to invest a healthy amount to remediate this risk, but I’m not sure we understand the right amount to spend. I’m also not confident we understand where the risk needs to be addressed. Do we invest heavily in datastore security, or do we invest heavily in anti-phishing technology?

That isn’t to say that FAIR is without value. In fact, I think it’s incredibly valuable to create a model capable of demonstrating expected loss, but I do think it is very challenging to assess all organizational security risk in this way.