New to FAIR quantitative analysis for cyber risk? I want to warn you about a newbie mistake I see that’s sure to make you waste time: Putting data collection ahead of scoping in a risk analysis.
Scoping is the necessary first step in FAIR analysis in which you define the risk (or loss event, in FAIR terms).
You start with identifying the:
- Asset at risk. For instance, the data in the database.
- Threat actor, such as a company employee who’s careless about emailing data.
- Impact you’re worrying about – loss of confidential data, for example.
And you end up with a risk statement that directs the rest of the analysis process. It’s not that intensive a process, really.
Scoping forces you to be specific about the problem you are solving – I like to think of it as guardrails that stop you from wandering off topic when you go to the next step, collecting data from experts in the company (how many email breaches have we had, what have we paid out as a result, etc.).
This all sounds like a logical starting point, but some people skip scoping and go straight to data collection, for understandable though misguided reasons. Some explanations I hear are:
- It seems like scoping takes a long time and I have a tight deadline. Actually, scoping sessions can often be done in about 30 minutes.
- Quantitative risk analysis is very technical – first of all, I need data. First of all, you need critical thinking about your risk scenario.
- It’s hard to get appointments with the in-house experts – if I get the opportunity for the meeting I should grab it, collect as much data as I can and sort it out later. Or end up seeking another appointment when you finally identify what you actually need.
Whatever effort you think you’re saving (or avoiding), you’re going to pay it back in wasted, guardrail-free effort, not just in data collection but the later phases of matching your risk statement to the FAIR model, then running your data through your quantitative risk analysis software or spreadsheet solution.
In my experience, resistance to scoping is a sign of a deeper problem: the organization hasn’t yet really adjusted to the FAIR way of thinking. Management may still be demanding analyses of vague “risks” like “passwords” or “the Cloud”. FAIR analysts focus on risk as something definable, with a probable frequency of occurrence and a magnitude of loss.
The good news is that the more FAIR analyses the organization runs, the more accustomed the organization becomes to posing questions for analysis in FAIR terms, as loss events – and the more sense it makes to everybody to put the effort into solid scoping as a first step.