How Do NIST 800-160, Risk Quantification and FAIR Align?
FAIR Institute member Chip Block, from Evolver, reviewed the recently published NIST Special Publication 800-160, Systems Security Engineering, and shared his thoughts on what NIST 800-160 means for risk quantification, FAIR and IoT in an article that deserves to be shared with all of our members.
NIST 800-160, whose subtitle is "Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems", seeks to "address the actions necessary to develop more defensible and survivable (enterprise) systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems."
Here are the main takeaways from Chip's article:
- Chip notes a consistent theme in the early part of the publication that a driving factor in cybersecurity design should be the identification of asset loss and asset loss consequences.
- That concept, i.e. developing operating systems based on the risk of asset loss, appears to him to be very much in line with the principles of the FAIR risk model.
- He highlights how that constitutes a departure from traditional systems engineering approaches that focused on overall systems protection, "treating the enterprise as an entity to be fortified".
He then raises the question of how to measure the value of enterprise assets:
- How should you measure the value of those assets?
- His answer is the obvious one: in financial terms, dollars and cents, the common language of the business.
Consequently, FAIR, as the standard quantitative risk model, appears to him to align directly with the NIST 800-160 objectives by providing the measurement foundation. On that basis, he affirms that "FAIR should become a critical element in engineering design efforts using the approach recommended by NIST 800-160".
You can read the full article here.