People regularly ask questions regarding FAIR’s difficulty and the difficulty of quantitative risk analysis in general. It’s a logical question given how busy everyone is and the common (mis)perceptions regarding risk analysis. So let’s explore this…
Risk landscape complexity
It's not news that the cyber and operational risk landscapes are massively complex. There are seemingly countless combinations and layers of assets (technology, people, processes, data, etc.), threats, and controls. To make matters worse, these elements are in constant flux. Our visibility into the elements and how/when they change is also limited. So already it’s easy to understand why people are concerned when they are faced with the prospect of analyzing risk.
The good news is twofold:
- Nobody in their right mind would ever expect a 100% comprehensive and atomically granular evaluation of an organization’s risk landscape. Oh, I know, this expectation is implied in various externally imposed standards and self-imposed policies, but it’s ridiculous and a recipe for analytic paralysis. The bottom line on this point is that a pragmatic approach to evaluating the risk landscape is achievable.
- Many of the questions that FAIR analyses answer are relatively specific and constrained in terms of their scope. In other words, you don't have to boil the ocean when doing risk analysis.
I’ll discuss the challenges associated with changes in the risk landscape in another post, so stay tuned. For now, simply recognize that this aspect of the problem is also manageable.
Risk model complexity
Okay, so the risk landscape is complex but manageable through good analysis scoping. But what about risk? Isn’t that a miserably complex problem? Actually, no.
A few years ago, I gave a FAIR workshop to a group of professors at a major university. The audience was made up mostly of PhDs from a variety of disciplines. After I was done, a gentleman who held dual PhDs (Statistics and Quantitative Analysis) came up to me and said, "You know what you've done? You've codified risk." I hadn't thought of it in those terms before, but his words nicely captured the nature and purpose of FAIR. His point matters here because the FAIR ontology is intuitively simple and logical. In other words, risk itself is NOT complicated.
The problem is that people have tended not to make the distinction between the complex landscape and the question (risk) they’re trying to tease out of that landscape. One is complicated, and the other isn’t. By leveraging good analysis scoping methods to simplify the landscape component, and applying a clear model of risk, the problem of risk analysis complexity becomes quite manageable.
An inverse problem I've also seen is when someone over-complicates a risk model by applying extremely sophisticated modeling methods. In some cases, this seems to be done for marketing purposes (baffle them with BS!) more than to model things effectively. That, or they're simply enamored with math. Either way, over-complication makes validating the results extremely difficult: if the analyst can't explain to a decision-maker why the model produced a given number, nobody can check whether that number is right. Furthermore, the more complex the model, the more ways it can go wrong.
Make everything as simple as possible, and no simpler
Albert Einstein is widely quoted as saying, "Make everything as simple as possible, and no simpler." My understanding is that this is paraphrased from what he actually said, but his point is critically important to our problem. Busy risk management professionals want to — no, have to — avoid burying themselves in over-complicated analysis busywork. If you combine that imperative with the wet-finger-in-the-air "analysis" that has dominated the industry forever, you frequently get resistance from people to anything that smells like more work (or unfamiliar work).
The problem is, there seems to be a belief (hope?) among many that you can simplify this stuff to the point where it's all fully automated and point-and-click. Reality check, friends: that's never going to happen. At some point in the simplification process, the results no longer represent reality and can't/shouldn't be used to support decision-making. Of course, if all you want to do is put up window dressing for executives, regulators and/or auditors, and hope that nobody ever digs in to see whether the results stand up, then have at it. Just don't expect to be able to defend your work to anyone who really examines it.
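To make the "as simple as possible, and no simpler" point concrete, here is a minimal quantitative model of the kind the two sections above describe. This is an added example, not code from the original post or from FAIR Institute or RiskLens. It assumes the top-level FAIR decomposition (risk as loss event frequency times loss magnitude, with loss event frequency derived from threat event frequency and vulnerability), which the post alludes to but does not spell out, and it uses modified PERT distributions for the three-point ranges; the scenario numbers are constructed and illustrative only. It puts the "too simple" version (multiplying most-likely values together) beside a Monte Carlo simulation so you can see what the point estimate hides: the tail.

```python
"""FAIR-style annual loss estimate by Monte Carlo simulation (added example).

Assumes Risk ~ Loss Event Frequency (LEF) x Loss Magnitude (LM) and
LEF = Threat Event Frequency (TEF) x Vulnerability. Scenario values below are
constructed for illustration, not taken from any real analysis.
"""
import math
import random


def pert_sample(rng, low, likely, high, lam=4.0):
    """Draw from a modified PERT distribution given a min/most-likely/max range.

    Calibrated three-point ranges are the usual FAIR input; PERT is a common
    choice for turning them into a distribution. A degenerate range (high <= low)
    is treated as a point estimate.
    """
    if high <= low:
        return low
    spread = high - low
    alpha = 1.0 + lam * (likely - low) / spread
    beta = 1.0 + lam * (high - likely) / spread
    return low + rng.betavariate(alpha, beta) * spread


def poisson_sample(rng, lam):
    """Number of loss events in a year for expected rate lam (Knuth's method).

    Adequate for rates up to a few hundred per year; exp(-lam) underflows
    beyond that, which is far outside typical FAIR scenarios.
    """
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=0):
    """Return a sorted list of simulated annual losses for one scenario.

    scenario maps "tef", "vuln" and "lm" to (low, likely, high) tuples:
    threat events per year, probability that a threat event becomes a loss
    event, and loss magnitude per loss event.
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario["tef"])
        vuln = pert_sample(rng, *scenario["vuln"])
        lef = tef * vuln  # expected loss events per year
        n_events = poisson_sample(rng, lef)
        year_loss = sum(pert_sample(rng, *scenario["lm"]) for _ in range(n_events))
        annual_losses.append(year_loss)
    annual_losses.sort()
    return annual_losses


def summarize(annual_losses):
    """Mean and selected percentiles; the upper tail is what a point estimate hides."""
    n = len(annual_losses)

    def pct(p):
        return annual_losses[min(n - 1, int(p * n))]

    return {
        "mean": sum(annual_losses) / n,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "max": annual_losses[-1],
    }


def point_estimate(scenario):
    """The over-simplified version: multiply the most-likely values together."""
    return scenario["tef"][1] * scenario["vuln"][1] * scenario["lm"][1]


# Constructed, hypothetical scenario: phishing-driven credential theft against a
# single business application. Values are illustrative only.
EXAMPLE_SCENARIO = {
    "tef": (2.0, 6.0, 20.0),                # threat events per year
    "vuln": (0.05, 0.15, 0.40),             # P(threat event -> loss event)
    "lm": (5_000.0, 40_000.0, 500_000.0),   # loss per event, currency units
}

if __name__ == "__main__":
    losses = simulate_annual_loss(EXAMPLE_SCENARIO)
    print(f"point estimate (most-likely values): {point_estimate(EXAMPLE_SCENARIO):,.0f}")
    for name, value in summarize(losses).items():
        print(f"{name:>5}: {value:,.0f}")
```

Running it shows why the single-number answer is "simpler than possible": the most-likely product sits near the middle of the distribution, while the p90 and p99 values, which are what a decision about insurance or a control investment actually turns on, are several times larger. The model itself stays small enough that every input and every step can be explained and challenged, which is the validation property the previous section argues for.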
Not everybody is cut out to do risk analysis
The simple fact is that good scoping methods and an intuitive risk model don't change the fundamental nature of analysis. Even a relatively simple risk analysis still requires critical thinking, which is always going to be more work than sticking a wet finger in the air and declaring "It's medium risk." Another fact is that not everyone is good at, or enjoys, critical thinking. That isn't an indictment of their intelligence, professionalism, or value. It simply means that they aren't wired to view things through multiple perspectives, aren't comfortable with uncertainty, or aren't self-reflective, and those are required traits for good analysts.
If an organization wants to succeed in evolving from wet fingers to risk measurement, then it needs to ensure that personnel who are responsible for performing risk analyses (and anyone who manages those personnel) are critical thinkers. This is true whether you’re using FAIR or not. If the people responsible for measuring risk in your organization aren’t strong critical thinkers, you should be very worried about the reliability of their work. I've seen this over and over again.
At the end of the day, there is a sweet spot for risk analysis that manages the complicated nature of the landscape, recognizes the fundamentally simple nature of risk, and avoids over-complicating or over-simplifying the analysis problem. Even this sweet spot, however, requires more work than a wet finger in the air, and it requires skills that currently may not be in place in some organizations.
So let's come back to the original question – How difficult is FAIR to use? The simple answer is that with the right skill sets in place, it isn't difficult at all. New FAIR-based applications such as RiskLens make it even easier, by guiding you step-by-step through quantitative risk analyses. Furthermore, the "extra cost" involved in terms of analysis person-hours and any tools an organization might employ can be more than compensated for by higher risk management efficiency – i.e., prioritizing more effectively, identifying the most cost-effective solutions for risk management problems, and getting better executive support for the program. At least that's been my experience.
Keep in mind though, that there is a difference between the questions, "How difficult is FAIR to use?" and "How difficult is it to adopt FAIR within an organization?" The second question often has a different answer – i.e., it can be challenging to adopt FAIR in some organizations, for a number of reasons. I cover the most common obstacles and how to overcome them in my earlier blog post series "Overcoming Obstacles to Risk Quantification".