5 Key Insights from FAIR-CAM on Analyzing Effectiveness of Cybersecurity Controls

[Figure: FAIR-CAM Control Functional Domain Relationships]

FAIR-CAM™, the Controls Analytics Model based on the FAIR standard, ushered in a wave of fresh insights into how cybersecurity controls are deployed and evaluated.

Just as medicine moved up from understanding anatomy, a static list of organs, to understanding physiology, a dynamic system of interrelationships among organs, cyber risk management could now move from a focus on frameworks (checking off more controls from a list equals less risk) to actively measuring the risk reduction effect of controls singly or as a system. 

FAIR-CAM accounts for the dependencies and feedback loops that exist among controls within a risk management program - and the complexity of the cybersecurity landscape with many potential pathways for attackers. 

Here are some of the key insights from the groundbreaking FAIR-CAM White Paper (a free FAIR Institute membership required to view) written by FAIR creator Jack Jones:


Insight #1 Controls and Control Functions Are Two Different Things

In FAIR-CAM, a control is anything that can be used to affect the two parameters of a loss event in FAIR, frequency and magnitude. A control function is how the control affects frequency and magnitude of loss, directly or indirectly. A control can have multiple functions, each of which is measurable, giving FAIR-CAM a high degree of flexibility, granularity and accuracy. 

FAIR-CAM groups control functions into three broad categories:

Loss Event Control Functions - directly affect loss events

  • Examples: Authentication, Access Privileges

Variance Management Control Functions - indirectly affect loss events

  • Examples: Patching, Auditing

Decision Support Control Functions - also indirectly affect loss events

  • Examples: Asset Management, Threat Intelligence 


Insight #2 Controls Can Vary in Efficacy 

While the framework-compliance approach asks if a control is present or absent, FAIR-CAM takes a more nuanced approach, asking if a control is working at its intended efficacy or in a variant state, for example anti-malware that has gone out of date. FAIR-CAM further rates a control’s Operational Efficacy, which is a combination of intended and degraded efficacy. Operational Efficacy is what is used in determining a control’s risk reduction value.

In FAIR-CAM, Variance Management Controls affect the reliability of other controls. One subcategory, Variance Prevention controls, reduces the frequency of changes that might introduce variant control conditions, for instance by restricting local admin privileges.
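
The effect described above can be sketched in a few lines. This is an added example, not code or a formula from this article or the FAIR-CAM White Paper. It assumes that Operational Efficacy is the time-weighted mean of intended and variant efficacy, and the `Control` class, the `apply_variance_prevention` helper and all numbers are hypothetical.

```python
from dataclasses import dataclass, replace

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Control:
    """Hypothetical record for one control function; every field is an assumed input."""
    name: str
    intended_efficacy: float   # efficacy when working as designed, 0..1
    variant_efficacy: float    # efficacy while in a variant (degraded) state, 0..1
    variances_per_year: float  # how often the control drifts into a variant state
    hours_per_variance: float  # mean time a variant condition lasts

    def __post_init__(self):
        for value in (self.intended_efficacy, self.variant_efficacy):
            if not 0.0 <= value <= 1.0:
                raise ValueError("efficacy must be between 0 and 1")
        if self.variances_per_year < 0 or self.hours_per_variance < 0:
            raise ValueError("frequency and duration must be non-negative")

    def variant_fraction(self) -> float:
        """Share of the year spent in a variant state, capped at 100%."""
        hours = self.variances_per_year * self.hours_per_variance
        return min(hours / HOURS_PER_YEAR, 1.0)

    def operational_efficacy(self) -> float:
        """Assumed combination: time-weighted mean of intended and variant efficacy."""
        v = self.variant_fraction()
        return (1.0 - v) * self.intended_efficacy + v * self.variant_efficacy


def apply_variance_prevention(control: Control, frequency_reduction: float) -> Control:
    """Model a Variance Prevention control as a cut in variance frequency."""
    if not 0.0 <= frequency_reduction <= 1.0:
        raise ValueError("frequency_reduction must be between 0 and 1")
    return replace(control, variances_per_year=control.variances_per_year * (1.0 - frequency_reduction))


# Constructed sample values, not measurements.
ANTI_MALWARE = Control("anti-malware", 0.90, 0.30, variances_per_year=6, hours_per_variance=730)

if __name__ == "__main__":
    hardened = apply_variance_prevention(ANTI_MALWARE, 0.5)  # e.g. local admin restricted
    for label, c in (("baseline", ANTI_MALWARE), ("with prevention", hardened)):
        print(f"{label}: variant {c.variant_fraction():.0%}, operational efficacy {c.operational_efficacy():.2f}")
```

A present/absent checklist would score both cases identically, while this sketch separates them because the control spends less of the year in a variant state.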


Insight #3 Among Controls, One Bad Apple Can Spoil the Bunch

FAIR-CAM documents the interrelationships among controls – for better or worse. For example, an effective patching process depends on the organization’s capabilities for effective vulnerability identification and threat intelligence. 

Insight #4 Humans Are Controls, Too

One of the innovations of FAIR-CAM is that it provides a mental construct to identify and quantify the human behavior that is so often at play in cyber risk management. Decision Support Controls affect the ability of the organization to make well-informed decisions. Functions in this control set include:

– Misaligned Decision Prevention, which includes subcategories for defining and communicating expectations and objectives to decision makers and for providing them with the necessary situational awareness and evaluation skills. Decision makers also need data, for instance on the assets at risk; in that sense, FAIR-CAM considers asset inventories and CMDBs to be Decision Support Controls.

– A human can directly act as a Loss Event Control, for example by deciding to click or not on a link in an email, or indirectly affect performance of a Loss Event Control, for example by deciding for or against installing unauthorized software.


Insight #5 FAIR-CAM Feeds the FAIR Model 

How does FAIR-CAM relate to the standard FAIR Model? As shown in this diagram, the FAIR-CAM Loss Event Functions feed the various factors in FAIR, bringing quantification even to some areas that formerly were left to guesswork by subject matter experts – notably Susceptibility (on the left). 

How FAIR-CAM Loss Event Functions (at bottom of chart) Feed into FAIR

Insight #6 FAIR-CAM Works with the Popular Risk Management Control Frameworks 

Don’t think that FAIR-CAM practitioners just dismiss NIST CSF or other frameworks as outdated anatomy charts. FAIR-CAM doesn’t displace the frameworks; it complements them by coming at controls from a fresh angle. The frameworks are descriptions of good practices and desirable outcomes – FAIR-CAM doesn’t compete with that. Instead, it provides explicit descriptions of the control functions that affect risk, as well as the relationships and interdependencies between control functions.

In fact, FAIR Institute members, led by Jack Jones, have made a major effort to map the frameworks to FAIR-CAM – a difficult task to make the often loosely defined framework categories match up with the precise and granular definitions of FAIR-CAM. The effort started with mapping NIST CSF 1.1 and continued with the CIS controls. As the CSF document describes the benefit of mapping, “Personnel can better and more reliably account for how a [CSF] subcategory’s condition could/should affect risk in an analysis. This also should reduce unproductive debate amongst those involved in the analysis process.”

Read the FAIR-CAM White Paper (a free FAIR Institute membership required to view)
