Risk managers are always seeking to address the cybersecurity and technology risks that matter most to their organizations. But you can’t analyze and prioritize what you don’t identify. We can never be certain that we’ve thought of every bad thing that could happen that would result in loss, but we can identify the most probable risk scenarios with Factor Analysis of Information Risk (FAIR™).
No matter how you tackle risk identification — through risk workshops, risk and control self-assessments, informal surveys, etc. — there are some key questions that should be a part of every risk identification effort, especially when quantitative analysis is new to an organization.
1. Where are we experiencing loss today?
Risk management is focused on limiting loss to the organization, not just losses from hard-to-predict future events. Risk analysis and evaluation efforts should be focused on the most probable risk scenarios, and what could be more probable than a loss that is happening right now?
How much is the company paying in refunds to clients for problems that could be solved with better internal process design? How much are we paying vendors who don’t meet our expectations because we never built robust performance monitoring against contractual service level agreements?
Many organizations lack solid loss event tracking, which includes processes for reporting losses, a centralized repository for cataloging and categorizing them, and a process to analyze their root causes.
Without robust loss event tracking, many losses fly under the radar because, while they may happen frequently, they aren't that costly on an individual basis. Losses like this can nickel-and-dime a big hole in an organization's wallet unless someone with a high level of awareness points out the larger problem.
A well-executed quantitative analysis that shows leadership how much money could be saved over a given year just by solving currently existing problems can be an immediate catalyst for risk mitigation and help your risk management program demonstrate value early on.
>>Start small. Choose a well-defined problem that you can analyze with FAIR in a relatively short period of time. “Being able to quickly demonstrate the value of sophisticated risk measurement can help jumpstart a [quantitative risk management] program,” writes FAIR creator Jack Jones in An Executive’s Guide to Cyber Risk Economics.
>>As a longer-term project, re-work your risk register so that all the entries are phrased as loss events in FAIR terms. Watch this video: How to Turn Your Risk Register Items into Risk Scenarios You Can Quantify with FAIR.
2. What keeps you up at night?
Asking business leaders to identify the scenarios that give them goosebumps is a great way to learn about potential risk scenarios. But proceed with caution — this can result in the identification of highly improbable perfect-storm scenarios and overlook more likely business process failures, application outages, compliance concerns, etc.
It can be helpful to quickly follow this question with ones that sound less hyperbolic, for instance: “It seems like you’re concerned about the order fulfillment process not completing successfully — what are some of the more likely ways that could happen?” Helping leaders focus their attention on more probable scenarios will allow you to analyze the scenarios that are more likely to occur before you get to their nightmarish worst-case concoctions.
>>Your FAIR training will serve you well in breaking down a seemingly large problem into quantifiable factors. Coupled with well-thought-out risk scenarios, you’ll clearly lay out a range of options for decision-makers based on probable loss exposure.
>>Look for ways to integrate FAIR analysis into ongoing processes that business leaders are already comfortable with. Jack Jones gives these examples in the Executive’s Guide:
- Audit finding analysis
- Policy exception management
- Change management approvals
- Project management
- Third-party risk management
>>Setting a risk appetite for the organization goes a long way toward reducing goosebumps and fostering a more rational outlook on risk. As this blog post (Define Your Company’s Appetite for Risk with FAIR Analysis) explains, the process involves identifying your loss types according to FAIR, then setting thresholds for each in terms of loss event frequency and loss magnitude.
3. What are our most valuable assets, and what could happen to them that would lead to loss for our organization?
If you want to identify scenarios for which analysis would be valuable, starting with the assets involved in the most damaging potential losses is advisable.
What business process accounts for the largest amount of the organization’s revenue? Dive deep into the individual steps involved in that process and ask how each step could go wrong in a way that would result in loss to the organization from the process not completing successfully.
What applications or databases store the largest amounts of data valuable to the organization? What are the most probable ways that data could be compromised from an availability, integrity, or confidentiality perspective?
These lines of questioning will allow you to build what is hopefully a comprehensive list of the probable ways your organization’s most valuable assets could be impacted resulting in loss, all of which are fodder for high-value risk analyses.
>>A top-risks analysis should be an early deliverable for any quantitative risk program. This can be done as a high-level triage using FAIR (as Jack Jones explains in a blog post, Best Approach to Prioritizing Risks) to identify 10 or so top risks, followed by a quantitative analysis of each.
Keep in mind that you won't be able to use FAIR to analyze the concerns surfaced by these three questions until you properly scope them, clearly defining the threat, the asset, the effect (confidentiality, integrity, or availability), and the loss event involved in the scenario.
Without a properly scoped scenario you can't make estimates of loss event frequency or loss magnitude. Translating the concerns of business leaders into well-scoped scenarios ready for FAIR analysis is a vital task all risk analysts should be able to perform.
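As an added example (not the FAIR Institute's code, and not a substitute for FAIR training or an approved tool), the Python script below ties three of the threads above together: it records the scoping elements a scenario needs (threat, asset, effect, loss event) and refuses to estimate a scenario that lacks any of them; it represents loss event frequency and loss magnitude as calibrated low / most-likely / high estimates; and it simulates annualized loss exposure, ranks the scenarios as a high-level triage, and compares each one with appetite thresholds stated in the same frequency and magnitude terms. The scenario names, estimate ranges and appetite figures are constructed for illustration only; triangular sampling and a Poisson event count are modelling choices made here, not something this post prescribes.

```python
"""Added example (not the FAIR Institute's code): scope a loss event scenario in FAIR
terms, estimate LEF and LM as ranges, simulate annualised loss exposure and compare
it with a stated risk appetite. All names and figures below are constructed."""
import math
import random
from dataclasses import dataclass
from statistics import mean

EFFECTS = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class Estimate:
    low: float          # calibrated low / most-likely / high, sampled here as a
    most_likely: float  # triangular distribution (a modelling choice, not a FAIR rule)
    high: float

    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.most_likely)

@dataclass(frozen=True)
class Scenario:
    name: str
    threat: str        # who or what acts against the asset
    asset: str         # what is acted against
    effect: str        # confidentiality, integrity or availability
    loss_event: str    # the event that actually produces loss
    lef: Estimate      # loss event frequency, events per year
    lm: Estimate       # loss magnitude per event, currency units

def scoping_errors(s):
    """A scenario can be estimated only once threat, asset, effect and loss event are stated."""
    errors = [f"{f} not stated" for f in ("threat", "asset", "effect", "loss_event")
              if not getattr(s, f).strip()]
    if s.effect and s.effect not in EFFECTS:
        errors.append(f"effect must be one of {EFFECTS}")
    for label, e in (("lef", s.lef), ("lm", s.lm)):
        if not 0 <= e.low <= e.most_likely <= e.high:
            errors.append(f"{label} estimate must be ordered and non-negative")
    return errors

def poisson(rng, lam):
    """Loss events in one year at expected rate lam (Knuth's method; normal approximation above 500)."""
    if lam <= 0:
        return 0
    if lam > 500:                      # exp(-lam) would underflow to 0.0 below
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate(s, trials=10_000, seed=1):
    """Monte Carlo: per simulated year draw a rate, an event count, then a magnitude per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, s.lef.sample(rng))
        losses.append(sum(s.lm.sample(rng) for _ in range(events)))
    return losses                      # one total annual loss per trial

@dataclass(frozen=True)
class Appetite:        # tolerances stated in the same terms as the estimates
    max_lef: float     # tolerated events per year, checked against the most-likely LEF
    max_lm: float      # tolerated loss from one event, checked against the LM ceiling
    max_ale: float     # tolerated mean annualised loss exposure

def triage(scenarios, appetite, trials=10_000, seed=1):
    """Rank scoped scenarios by mean annualised loss exposure and flag breached thresholds."""
    rows = []
    for s in scenarios:
        if scoping_errors(s):
            raise ValueError(f"{s.name}: {'; '.join(scoping_errors(s))}")
        losses = simulate(s, trials, seed)
        rows.append({"scenario": s.name, "ale": mean(losses),
                     "lef_exceeded": s.lef.most_likely > appetite.max_lef,
                     "lm_exceeded": s.lm.high > appetite.max_lm,
                     "ale_exceeded": mean(losses) > appetite.max_ale})
    return sorted(rows, key=lambda r: r["ale"], reverse=True)

# Constructed scenarios and appetite: hypothetical figures, not real data.
SCENARIOS = [
    Scenario("Client refunds from fulfilment errors", "internal process failure",
             "order fulfilment process", "integrity", "refund issued for a mis-shipped order",
             Estimate(100, 200, 400), Estimate(50, 200, 600)),
    Scenario("Order system outage", "infrastructure failure", "order management application",
             "availability", "orders cannot be taken while the application is down",
             Estimate(2, 4, 12), Estimate(5_000, 20_000, 50_000)),
    Scenario("Customer database breach", "external attacker", "customer database",
             "confidentiality", "customer records exfiltrated",
             Estimate(0.1, 0.5, 1.0), Estimate(100_000, 500_000, 2_000_000)),
]
UNSCOPED = Scenario("Something bad happens", "", "the network", "", "",   # a bare worry
                    Estimate(1, 1, 1), Estimate(1, 1, 1))
APPETITE = Appetite(max_lef=50, max_lm=1_000_000, max_ale=100_000)

def run_example(trials=1_500, seed=7):
    return triage(SCENARIOS, APPETITE, trials, seed)

if __name__ == "__main__":
    for r in run_example():
        print(r["scenario"], round(r["ale"]), [k for k in r if k.endswith("_exceeded") and r[k]])
```

The refunds scenario is the question 1 pattern: each event is cheap, so it stays under the annualized tolerance, yet its frequency alone breaches the appetite and signals a process worth fixing. The breach scenario is the question 2 pattern, rare but over the single-event tolerance. The UNSCOPED constant is what a "keeps me up at night" answer looks like before it has been translated: scoping_errors lists exactly which elements are still missing, and triage will not estimate it until they are supplied.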
By asking these questions and employing your detective skills to hunt down probable risk scenarios, you’ll quickly build a library of high-value analyses to complete and maintain, ultimately allowing your organization to identify the scenarios that matter most and properly allocate resources to mitigate them. The faster you can achieve this goal, the faster your organization’s risk profile will fall within tolerances and the more value your risk management program will provide.