In a previous blog post, I wrote about how the FAIR quantitative risk model can be used to meet various regulatory and compliance requirements (specifically those that indicate the need for a formal risk assessment).
Certain entities, such as the PCI Security Standards Council, offer guidance that explicitly cites FAIR as a model that can be leveraged to complement traditional cyber risk frameworks such as OCTAVE, ISO, and NIST. Other entities offer little to no guidance on “how” risk assessments should be performed.
The Federal Financial Institutions Examination Council (FFIEC), on the other hand, has developed its own resource, called the Cybersecurity Assessment Tool (CAT) to help financial institutions utilize a repeatable process to measure their cybersecurity preparedness over time.
However, the tool itself, uses a qualitative scale (Least, Minimal, Moderate, Significant, Most) to determine risk vs. truly “measuring” risk in terms of dollars and cents. A number of organizations have adopted the CAT in absence of not having explicit guidance otherwise on “how” to meet the examiner’s requirements.
Certain banking organizations, however, are beginning to challenge the norm. One banking CISO in particular stated that he could no longer justify a qualitative approach as a “strong risk assessment program” to the regulators. It was ultimately his “nirvana as a math geek is to find a quantitative way to do repeatable risk assessments.” So, he turned to FAIR.
The next few paragraphs reference excerpts from the FFIEC’s Information Technology Examination Handbook for Information Security and discuss how FAIR can be used to meet the examination requirements in a consistent and meaningful way. At a high level, it highlights the FFIEC’s ask for a more prescribed risk assessment program/methodology and for correlation of the integration of controls based off of this strong risk assessment program.
Financial institution uses metrics to measure risk
The FFIEC requires financial institutions under its jurisdiction to “identify, measure, mitigate, monitor, and report cybersecurity-related risks” in accordance with the organization’s IT Risk Management Process. Objective 3 of the examination procedures specifically calls out that organizations should have an “effective information security program that supports the measurement of risks.”
One of the value propositions of FAIR is that it provides a consistent and reliable model for measuring risk by decomposing it into its core components of frequency and magnitude, which is arguably the missing component of other risk frameworks. The FFIEC IT Handbook brings this to light when it asks that that the analysts have the appropriate, “visibility to assess the likelihood of threats and potential damage to the institution.” FAIR not only provides a consistent means to identify these values; but leverages a process that provides defensible results using data and calibrated estimates to support these values.
FFIEC also cites the importance of leveraging measurable data points and metrics when conducting risk assessments. Objectives 5 and 6 of the examination procedures looks to organizational management to perform the following:
- Determine whether management measures the risk to guide its recommendations for and use of mitigating controls
The FFIEC also looks for management to develop and use metrics to:
- Quantify and report risks in the information security program
- Measure security policy implementation, the adequacy of security services delivery, and the impact of security events on business processes
- Demonstrate the extent to which the information security program is implemented and whether the program is effective
- Determine the impact of security events on business processes
Using the FAIR model to quantify risk in financial terms can help to answer the above questions with data that is defensible–each input into the model leverages data values (captured in ranges to account for uncertainty) that are backed by clear rationale.
Financial institution uses a model for assessing risk
Objective 4 of the FFIEC’s examination procedures states that risk assessments should leverage a “method or taxonomy for categorizing threats, sources, and vulnerabilities.”
FAIR provides an accurate model for risk that defines each element of its model (including those previously mentioned). This, in turn, ensures that each risk analysis performed is conducted in a consistent and repeatable manner and communicated in terms that are consistently understood throughout the organization.
The FFIEC’s examination procedures further say that organizations should use “a process to determine the institution’s information security risk profile.” Using the FAIR model to quantify risk in financial terms allows for more effective communication of risk that the organization can understand – in dollars and cents. These results are also actionable, allowing organizations to prioritize mitigation efforts based on quantitative values in financial terms so that management can cost-effectively apply resources to the activities that need them the most. Quantitative risk analyses can also eliminate the need to take further action on activities that represent low risk, saving valuable time and resources that should be focused elsewhere.
Financial institution utilizes a defined risk appetite for decision-making
Objective 3 of the FFIEC’s examination procedures looks for ways to determine whether the organization is able to continually assess the capability of its security landscape “based on the size, complexity, and risk appetite.”
Elements such as risk appetite can be much better articulated and understood when they are quantified. FAIR can help not only quantitative assessment of an organization’s risk exposure, but help organizations define “acceptable” risk appetite figures which can then directly be compared to an assessed level of risk. .In addition, the FFIEC also looks for organizations to monitoring changing levels of risk and report the results of the process to the board and senior management. Since FAIR enables organizations to quantify risk exposure in terms of dollars in cents, it provides greater visibility and insight amongst risks that otherwise would have the same qualitative rating (e.g., two risks with a "high" rating).