How a Risk Analysis Scope Gets Off Track (and How to Fix It)

The most important step in conducting a quantitative cyber risk analysis is scoping: identifying the asset, threat, and effect related to the scenario at hand. But what happens if you are so excited to get into your FAIR analysis that you skip this crucial step?

It starts with good intentions. You are trying to maximize the time you have with a subject matter expert whose calendar is filled with back-to-back meetings, so you jump right into the data gathering phase before defining the scope of your analysis. Soon you're knee-deep in three years' worth of infosec data and have gone on more tangents than a high school geometry class.

How Does it Happen?

There are plenty of ways this can happen, but here are a few common ones:

  • You are pressed for time and do not want to spend the extra time scoping
  • You feel you need more data before you can properly define the scope
  • You are concerned that if you wait to schedule time with subject matter experts you will have a harder time doing so later
  • You want to make the time you DO get with a subject matter expert as efficient as possible

While logical, these objections are misguided.

How to Identify When You Are Off Track

If you feel like you may be getting off track, ask yourself the following questions:

  • What is the scope of the analysis? 
  • Does what we are discussing align to the scope?
  • What is the purpose of the analysis?
  • Does the purpose of the analysis align to the scope?

These questions create the guardrails for your analysis. If you answer "no" or "I'm not sure" to any of them during the analysis, it may be time to press pause and refocus.

How to Get Back on Track

When you've gotten off track in an analysis, refer back to your guardrails. Identify which of the information you currently have is relevant to your scope, and note any areas where follow-ups may be required. Avoid high school geometry the second time around by writing context-specific questions for each data point you are gathering.

Next time, start off on the right foot by following analysis best practices.
