In writing the FAIR-CAM™ white paper, I took a short detour from the complex landscape of cybersecurity to explain the new FAIR Controls Analytics Model™ with an analogy that almost anyone can relate to.
Imagine for a moment that you are the parent of a six year-old daughter who just received her first “real” bicycle and now you’re faced with the prospect of trying to protect the most important person in your world from this newly added exposure to harm.
What is FAIR-CAM?
A model that:
- Categorizes controls by type and function
- Sets them in relation to each other; clarifying their interplay
- Shows the direct and indirect effect of controls on risk
- Assigns units of measurement for control performance enabling a quantitative approach for reliable analysis of the effectiveness of controls and controls systems.
Here’s a short guide to some of the key concepts of FAIR-CAM explained within our two-wheeler scenario – but I hope you’ll read the entire “use case” in the Laying a Basic Foundation section of the Introduction to the FAIR Controls Analytics Model white paper.
As you consider your options for reducing your daughter’s risk, you put together a list of controls that could apply, including a helmet, training wheels, a flag, even a safety class. To sort your list, you’re faced with some questions:
- Are some controls more valuable than others?
- How and where do you draw the line?
- Are there other controls you should consider?
FAIR-CAM guides you to think through these questions about the individual and aggregate value of controls.
1. Define “value”
Control value boils down to “How much risk a control reduces” from one or more loss event scenarios. As in FAIR risk analysis, loss event scenarios provide the context for evaluating the risk reduction value of controls.
2. Understand the effect of controls
A helmet can affect the magnitude of loss of an accident with a car, while a flag can affect the probability of an accident. These are examples of controls that directly affect risk, which FAIR-CAM refers to as Loss Event Controls (LECs). Strict rules that are laid down, communicated, and enforced by you requiring your daughter to wear her helmet, affect risk indirectly by affecting the operational efficacy of the helmet. The bottom line – different controls affect risk differently, as well as directly or indirectly. We need to understand these distinctions if we want to be able to understand and measure control value.
3. Understand controls performance and managing controls operation
You can readily find data about the protective quality of bicycle helmets – which FAIR-CAM defines as “ Intended Performance.” But the “Operational Performance” of a control can be less than the Intended Performance if, for example, your daughter puts the helmet on correctly or even leaves it at home. Controls that help to improve the Operational Performance of other controls are defined as “Variance Management Controls (VMCs).”
4. When there’s more than one control
So, your daughter is out riding with a helmet and a flag – both play a role in risk reduction but having two or more Loss Event Controls reduces each controls' share of the risk reduction pie. Generally speaking, the more Loss Event Controls added for a given scenario, the lower the risk reduction value for each control.
5. People can be controls, too
Whether it’s your daughter riding her bike or an employee opening an email that could be a phishing attempt, humans can act as Loss Event Controls. Consequently, the quality of their decisions affects their efficacy as a control, either directly (wearing the helmet or not) or indirectly (your success or failure to train your daughter about helmet wearing).
Wrapping up the bicycle scenario
As I write in the white paper, managing the risk associated with cybersecurity is vastly more complicated than our bicycle riding scenario. Regardless, it shouldn’t be too difficult to extrapolate from what was discussed in this scenario to the scores of cybersecurity Loss Event Controls organizations use, the many controls required to manage the Operational Performance of controls, as well as the myriad risk management decisions being made, explicitly and implicitly. The permutations and complexity of the cybersecurity control landscape should make it very clear that common control frameworks and mental models that might suffice for something as simple as the bicycle scenario can’t be relied upon for cybersecurity.
I hope you’ll go on from here to read the entire white paper for a detailed description of FAIR-CAM concepts and the application of this quantitative model to cybersecurity and risk management.