Where are you at on your FAIR™ journey? Everyone has to start somewhere and often starting is the hardest part. Maybe you are FAIR trained and trying to figure out how to take the first step, maybe you use qualitative methods and still want to improve your program, maybe you have had some failures and are trying to understand what went wrong or maybe you are quantifying risk and looking for the next goal to tackle. As you take this journey, remember that, in the words of Rear Admiral Wayne E. Meyer, you will "Build a little. Test a little. Learn a lot."
Geoji Paul is Director of Information Security Risk at Centene Corporation and Nathan Thomack is Manager of Cybersecurity Risk Management at Emerson. See the video of their talk at the 2019 FAIR Conference, Various Stages of FAIR Adoption (a free membership in the FAIR Institute and the LINK discussion board required. Join now.)
Step 1: Unify Language
The first step is often the hardest but also the most impactful. If you know nothing, then anything will be more than you had. Unifying the language of risk is one of those fundamentals that will pay big dividends.
Nowhere is this more evident than when you tackle your risk register or have a conversation with security peers regarding a "new risk" found in an application or server. This step is crucial because it does two things.
First it sets a standard and vernacular for risk that can be understood and common when talking about how security issues turn into risks. Second, it is specific and focused on events that could happen i.e., probable and moves away from the fear of something bad i.e., possible.
In your next conversation with your red team start by explaining a few FAIR principles like asset, threat and effect. Use these to frame the scenario including the vulnerability or finding in question. You will start to see the conversation change and become more focused and clearer about the problem you are all trying to solve.
Step 2: Clean up the Risk Register
The next step is to clean out those dusty risk registers and put them in order. This will tell you a lot about where the organization is in terms of maturity and understanding of risk. Take this opportunity to explain FAIR and talk about how it brings clarity.You will have a lot of work here.Getting the right level of detail in your scenarios will be important so that you can have strategic discussions as well as start to drive tactical action.
Use the NIST 800-39 three-tiered risk management pyramid to guide your efforts. Think about how the risk should be categorized. Is it a tactical risk involving a single specific information system? Then it would be a "Tier 3" risk. Maybe the risk you are talking about is more strategic and involves any system that transmits, processes or stores Personal Data and would be a "Tier 1" risk.
Using this as a frame of reference, work through the list of existing risks and turn them into well-defined FAIR based risk scenarios that clearly state the asset, threat and effect. Look for patterns as you do this work and find opportunities to scale and make this process more defined.
Learn more: Jack Jones on What Belongs In a Risk Register?
Step 3: Quantify and Start Making Decisions
The last step is quantifying. Making decisions. Managing risk. Focus on decisions. The world is too big to quantify it all even though it may seem exciting. Having experience with the first two steps, you have by now a consistent way to describe risk and you also have experience in creating well-defined risk scenarios. In the quantification step, look for ways to reduce uncertainty of the level of impact.
The most important thing you can do at this stage is to get calibrated. This will be invaluable as you build risk quantification into a discipline. Calibration will allow you to quantify and establish your uncertainty quickly. Often a calibrated estimate with simple calculations can be sufficient for making a better decision.
Apply these techniques to your risk register and work through the list. If you have multiple analysts who are calibrated, then you can capture everyone's estimates and average them together for a "wisdom of the crowds" effect. After you have started with your calibrated estimates and established your current state of uncertainty, ask yourself if decomposing and going further down the FAIR ontology would help reduce uncertainty.
Learn more: Jack Jones on Is Cyber Risk Measurement Just "Guessing"?
Always use certainty as a guide to asking questions and use FAIR as your model for thinking through the problem. Look for data all around you and cite your sources. Create and maintain a table of the types of impacts and associated losses to help you find data points and speed your analysis.
Risk Quantification is a journey and there is not a prescription or a technology that you can ‘plug and play’ and expect it to spew out risk in dollar terms. More often than not, if you are being sold a technology offering such ‘instant quantification’, it should be a red flag. Quantification requires careful definition of risk, deliberate assumptions and reliable data (or calibrated estimates) for it to work. Perhaps most importantly, your FAIR journey requires a vision to make better decisions through quantified risk.
Why the FAIR Model…A 4-Point Primer on FAIR to Share with Your Organization
Meet and network with experienced FAIR professionals like Geoji and Nathan and 7,000-plus other security and risk professionals - join the FAIR Institute.