Prior to adopting FAIR to define and quantify risks as loss events, most organizations grapple with the all-too-common misconception that control deficiencies are the same thing as risks. This confusion not only alters the way organizations think about risk, but also the way they discuss and communicate risk among peers and management, as well as how they identify issues to analyze and ultimately make substantial financial decisions. Needless to say, this is no minor issue: if you can't define and measure risk, you can't effectively manage it.
But before we get into why a control deficiency is NOT the same thing as a risk, we should go through what risk means in FAIR quantitative risk analysis. Risk, according to FAIR, is “the probable frequency and probable magnitude of future loss”: in other words, how frequently the bad thing is likely to occur, and how costly it will be in dollars and cents. (See the FAIR Model on one page.)
What you should be able to pick up from this definition is that in order to qualify as a risk according to FAIR, you need to define a LOSS EVENT, with a frequency and a magnitude. This makes sense when you consider that our goal via risk quantification is to MEASURE our level of exposure when some event occurs.
How do we define a measurable event?
The image below is an abbreviated version of the model, but at a high level what you need to know is this: for a LOSS EVENT to occur (an event we can tie a frequency and a magnitude to), some threat needs to take some action against a thing of value, with a material effect on you or your organization.
Here’s an example of a measurable loss event (i.e., a risk): the risk associated with DDoS attacks causing an outage of a client portal. We can estimate the frequency of DDoS attacks against the client portal and estimate the relative impact when it is inoperable.
As a recap, in order to qualify as a RISK, according to FAIR:
- Risk is a measurable event; only events can have frequencies of occurrence and magnitudes of loss
- A loss event consists of a threat taking action against a thing of value, causing an effect (CIA)
How control deficiencies are different from risks
Now that we’ve defined what risk means in FAIR terms, and how to define a measurable loss event, let's take a look at a few control deficiency statements from information security that commonly get miscategorized as cyber risks.
“Vendors, including offshore entities, have not defined or do not meet defined service levels.”
“The organization is unable to associate individual accounts with a specific user.”
“Unauthorized personnel have administrative access to IT systems or business applications.”
“Employees share passwords or utilize shared accounts to access business systems.”
Referencing back to the risk criteria above, do any of the above statements meet those requirements?
- Risk is a measurable event; only events can have frequencies of occurrence and magnitudes of loss. NO. Not one of the statements clearly defines an event that we can tie a frequency or a magnitude to without making a great many assumptions.
- A loss event consists of a threat acting against a thing of value, causing an effect (CIA). NO. Not one of the statements clearly defines all aspects of a loss event.
This must mean that what we have listed here are NOT risks.
So, what’s the fix?
In the short term, the fix is normalizing these control deficiencies to FAIR: identifying the relevant assets (things of value), threats (acting forces) and effects (how the loss materializes), and ultimately pulling it all together to define a measurable loss event. This can be done for a one-off analysis or for an entire risk register.
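As an added example that is not part of the original post, the following Python sketch (assumed names, constructed ranges and dollar figures) records a loss event in the terms above, refuses to quantify a statement that lacks a threat, effect or estimable ranges, and for the post's DDoS example turns a frequency range and a magnitude range into an annualized loss exposure distribution.

```python
# Added example, not from the FAIR Institute post. A loss event must name a
# threat, an asset and a CIA effect before frequency and magnitude can be
# attached; all ranges and dollar figures below are constructed illustrations.
import math
import random
from dataclasses import dataclass

@dataclass
class LossEvent:
    threat: str      # acting force, e.g. a DDoS attacker
    asset: str       # thing of value, e.g. the client portal
    effect: str      # C, I or A: how the loss materializes
    lef_min: float   # loss event frequency range, events per year
    lef_max: float
    lm_min: float    # loss magnitude range, dollars per event
    lm_max: float

    def is_measurable(self) -> bool:
        """Post's criteria: threat, asset, effect, and estimable ranges."""
        return bool(self.threat and self.asset and self.effect in ("C", "I", "A")
                    and 0 <= self.lef_min <= self.lef_max
                    and 0 <= self.lm_min <= self.lm_max)

def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler: how many events occur in a year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(event: LossEvent, trials: int = 10_000, seed: int = 1) -> dict:
    """Each trial draws a yearly rate from the LEF range, a Poisson count of
    events at that rate, and a dollar loss per event from the LM range."""
    if not event.is_measurable():
        raise ValueError("not a loss event: name threat, asset, effect and ranges")
    rng = random.Random(seed)
    yearly = sorted(
        sum(rng.uniform(event.lm_min, event.lm_max)
            for _ in range(_poisson(rng, rng.uniform(event.lef_min, event.lef_max))))
        for _ in range(trials))
    pct = lambda q: yearly[int(q * (trials - 1))]
    return {"mean": sum(yearly) / trials, "p10": pct(0.1), "p50": pct(0.5), "p90": pct(0.9)}

# The post's measurable event: DDoS attacks causing an outage of the client portal.
DDOS_OUTAGE = LossEvent("DDoS attacker", "client portal", "A", 1, 4, 20_000, 100_000)
# The post's deficiency "employees share passwords": no threat, effect or ranges,
# so it is not yet a risk and cannot be quantified as written.
SHARED_PASSWORDS = LossEvent("", "business systems", "", 0, 0, 0, 0)
```

With the constructed ranges, the simulated mean exposure lands near 2.5 events/year times $60,000 per event, i.e. about $150,000 per year, and the percentiles show the spread a decision maker should see rather than a single number.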
In the long term, though, to ensure we fix the cause of the problem and not just its effects, we need to reshape the way people think about and define their risks. More than anything else this is achieved through education: educating stakeholders on the pitfalls and drawbacks of their current risk analysis approach, and guiding them toward the benefits of using a structured framework to think critically about and quantify their risks in financial terms. FAIR training classes aim to accomplish just these things. They are fantastic building blocks for any organization that would like to get a risk analysis program on a solid foundation.
More than 3,000 risk professionals like you have joined the FAIR Institute to learn about quantitative cyber risk analysis. You should join, too (it's free).