A FAIR Artificial Intelligence (AI) Cyber Risk Playbook
The FAIR Institute presents FAIR-AIR, a FAIR-inspired approach to help you identify your AI-related loss exposure and make risk-based decisions on treating this new category in cyber risk management – new but a puzzle to be solved using the FAIR techniques of modeling and quantifying cyber risk that our community has validated for years.
Download now:
Using a FAIR-Based Risk Approach to Expedite AI Adoption at Your Organization
The Playbook, created by FAIR Institute Member Jacqueline Lebo of Safe Security (technical adviser to the Institute), breaks down the generative artificial intelligence (GenAI)/large language model (LLM) challenge into five steps:
1. ContextualizeRecognize the five vectors of GenAI risk (Shadow GenAI, Creating Your Own Foundational LLM, Hosting on LLMs, Managed LLMs and Active Cyber Attack
2, Identify Risk ScenariosHow to think through probable loss exposure for your organization from each of the five vectors using the familiar threats/assets/effects of Factor Analysis of Information Risk.
3. Quantify Scenarios with FAIRUsing your internal data or industry data, apply FAIR analysis to produce results like this:
There is a 5% probability in the next year that Employees will leak company-sensitive information via an open-source LLM Model (like chat GPT), which will lead to $5 million dollars of losses.
4. Prioritize/Treat AI RisksTo clarify the path to decision-making, identify the key drivers behind the risk scenarios. Example: For the Active Cyber Attack Vector, a risk driver could be phishing click rate among employees with access to large amounts of sensitive data.
5. Decision MakingBringing it all together – comparing treatment options, taking into account the quantitative values you uncovered, controls and key risk drivers.
As the Playbook concludes “The purpose of this approach is to meet the business needs, not create additional obstacles to AI deployment.”
More Resources on Quantitative Risk Analysis for GenAI from the FAIR Institute
It’s early days on risk management for AI-related cyber risk, but the FAIR community is already developing solid advice for applying the rigor of FAIR thinking to this frontier of risk analysis. The FAIR Institute has been selected as a participant in the National Institute of Standards and Technology’s US AI Safety Institute Consortium (AISIC).
Some of our recent content:
Webinar: Intro to the NIST AI RMF
The NIST Artificial Intelligence Risk Management Framework is a good starting place to get your arms around the new threat and risk landscape – and our webinar with NIST’s point man Martin Stanley is a good place to start with understanding the AI RMF. FAIR practitioners used to thinking in terms of risk scenarios and probabilistic outcomes, will find NIST’s advice on managing artificial intelligence risk familiar ground.
The Good News on AI Risk – We Can Analyze It with FAIR
In this video from a session at the 2023 FAIR Conference, two veteran FAIR analysts, Taylor Maze and Tyler Britton, relate the steps they took to launch FAIR analysis at Dropbox, starting with a general look at the problem space with the NIST AI RMF and working their way down to analyzable FAIR scenarios. Their advice: Apply the FAIR principle of analyze what’s a probable – not potential - cause of harm to your organization, is even more important when we don’t yet know the full effects of AI.
Also see:
How to Get Started with FAIR Analysis for GenAI Risk
FAIR Cyber Risk Analysis for AI Part 1: Insider Threat and ChatGPT
Join us in exploring the AI frontier of cyber risk management – become a FAIR Institute member now.