The Good News on AI Risk – We Can Analyze It with FAIR (FAIRCON23)

Two FAIR cyber risk analysis veterans from Dropbox set out to explore the frontier territory of artificial intelligence (AI) and returned with good news for the FAIR community: We can analyze the associated risk with the proven principles and practices of Factor Analysis of Information Risk.

“AI is one of the buzzwords that sounds really scary. But what we learned along the way is, it’s really not that new or special,” Taylor Maze, Risk & Governance Manager, reported to the 2023 FAIR Conference (FAIRCON23) along with Security Engineer Tyler Britton.

Watch the video of their FAIRCON session for a step-by-step presentation of an AI risk analysis case study:

Quantifying Multi-Product Security and Privacy AI Risk with FAIR and NIST AI RMF

A free FAIR Institute membership is required to view. Join the FAIR Institute now!

Taylor and Tyler started the risk analysis process with the NIST AI RMF Playbook for a general sense of the AI risk landscape, then refined that knowledge into a list of risk categories, and refined those further into a list of FAIR-style risk scenarios, each with an attack chain, an asset and an impact.


At every step, Tyler and Taylor urged risk analysts to be skeptical, applying the old FAIR principle: analyze what’s probable to cause an impact on the organization (a loss of proprietary data leaked through ChatGPT) vs. what’s potential (AI robot overlords destroy the world). Pro tip: try working at the lower levels of the FAIR factors, like Susceptibility; in other words, would anybody really suffer if our AI instance hallucinates?

Next, the big question: How to find data for a new type of risk? Their advice: There’s probably more data around than you think, for instance, help desk tickets or user testing records. But to be sure, don’t get hung up on reporting precise numbers. Taylor said, “This is such a new area there isn’t that kind of data… We are really going for directional accuracy at this stage of our understanding of the environment.”

