How to Model Controls in a FAIR Risk Analysis

As a former auditor, I understand the value a control has for an organization, a process or an application.  But, I’ll be honest I used to think a control was one dimensional. It didn’t really matter what the control protected, if the control wasn’t functioning properly or configured exactly to a ‘T’, it was failing. I was never really looking at the control holistically – the nature of the control or the relationship among controls, or how to measure/estimate the effectiveness of controls within a risk analysis. 

Chapter 7, "Interpreting Results", in Measuring and Managing Information Risk, the FAIR book, was the light at the end of the tunnel I needed to change my mindset and help me steer clients in the right direction. (If you're new to FAIR or need a refresher, check out What Is FAIR?or The FAIR Model Explained in 90 Seconds.)


3 Ways to Work with Controls in FAIR Risk Modeling

When running an analysis for a client or in a training, usually the most debated conversations are over how to model controls. It can differ for each client and each control – which is what makes the FAIR model so fun! When thinking through a control or process you want to implement, and you’re working to determine how to make the change accurately within your risk analysis, it’s key to think through what the purpose of the control is. There are three ways to look at it within the model:

FAIR-Model-Threat-Event-Frequency-Red1. Threat Event Prevention

What controls do you have that could cause you to have less loss events? Is your threat actor coming into contact less with your asset because of this new control enhancement? That would affect your contact frequency. Do you foresee there will be less action taken by the threat actor given the new control? Your probability of actionwill be reduced. Overall this would reduce your threat event frequencyand potentially your overall loss event frequency will be reduced.


2.  Vulnerability Management

Here you want to focus on those controls that would reduce the likelihood that your threat event will turn into a loss event. Are you planning to implement a control that will harden your asset – you could model that control here. You may note that the "Threat Capability" piece of the model is missing from the image below, but that is intentional. Think about it, is there any control or system you can implement that would reduce the resources, skills, or knowledge of your threat actor? I’ll let you be the judge for this one.


3.   Detection & Response

Anything that could change the potential losses you experience would be modeled here.


Again, the beauty of modeling is that it can be worked and altered based on your IT environment or the functionality of a control or system. This is the more subjective piece of the model, but wherever you choose to model this control, just make sure you have used your critical thinking and you have your FAIR hat on to properly defend this change in the model. Encryption is an example of where the modeling could be different for certain organizations – it's one we encounter quite a bit.

Controls Modeling Case Study: Encryption

Some organizations look at this scenario, "Loss associated with a breach of confidential information in System X due to an attack from a cyber criminal", and think  this is just going to be a smash and grab. If that’s the case I would probably model the implementation of encryption at your Secondary Loss Event Frequency – because you still may have some internal response, but your secondary response will significantly be reduced because the data is encrypted.


Now if we are looking at the same scenario, "Loss associated with a breach of confidential information in System X due to an attack from a cyber criminal", but imagine that the organization anticipates that the cyber criminal will sit on the network in search of data that is in plain-text and most likely skip over the encrypted database. This could in turn could be modeled at "Threat Event Frequency" – because the likelihood that the cyber criminal will take action against the encrypted database will be reduced.


Same control – encryption – modeled two different ways. Put on that FAIR hat and put your modeling to work!

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37