Time and time again I see analysts perform a FAIR risk analysis but get caught up in searching for the absolute perfect data or second guessing the results. Remind yourself that the Law of Diminishing Returns always comes into play. It’s important to get an awesome, defensible analysis out the door, but at what cost? Like many things in life, it comes back to the basic advice my parents always gave me:
- Use what you know
- Practice makes perfect
- Test out the waters and be ready to revise
- If at first you don’t succeed, try and try again
- Learn from your mistakes
Use what you know - FAIR is defensible
Performing a risk analysis can seem daunting without any sort of framework; lucky for us we have FAIR on our side. FAIR, or Factor Analysis of Information Risk, is a very comprehensive and powerful framework. Not only does it help you think through the loss magnitude side of risk, how much money you could lose, but it also takes into account the frequency side of any given scenario. FAIR uses measurement concepts useful when trying to understand potential loss exposure: calibration, distributions, probability vs. possibility and accuracy vs. precision, just to name a few.
By using distributions, the analyst is able to maintain a level of accuracy that can't be achieved with just a single data point. Let’s look at the example below:
Say you performed an analysis without the FAIR framework as a guide and came to the conclusion that this ‘loss event’ will occur twice a year at $1,000 each time, or $2,000 total per year. There’s still going to be a great deal of uncertainty when delivering these results, because it is highly likely that the event will not fall exactly on that single data point of $2,000/year.
Using distributions, a range of values accounts for that uncertainty! Here's the same example, taking the uncertainty into account.
We know that there is a possibility of this happening between 1 and 6 times per year, with the loss per event coming in between $500 and $10,000. Using the distributions, you are still able to present accurate results and gain additional precision over time.
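To make the contrast concrete, here is an added example (not code from the post or from the FAIR Institute) that runs a small Monte Carlo simulation over the ranges above: loss event frequency of 1-6 per year and $500-$10,000 per event. It assumes a "most likely" value for each range (2 events and $1,000, chosen to line up with the single-point estimate) and uses Python's built-in triangular distribution as a stand-in for the PERT distribution that FAIR tooling usually uses. The output is a spread of annual loss exposure and an exceedance probability, rather than the single $2,000 figure.

```python
import random
import statistics

# Constructed from the post's example: loss event frequency of 1-6 per year and
# loss magnitude of $500-$10,000 per event. The "mode" (most likely) values are
# assumptions added here; a real FAIR analysis elicits them from subject matter experts.
LOSS_EVENT_FREQUENCY = {"min": 1.0, "mode": 2.0, "max": 6.0}     # events per year
LOSS_MAGNITUDE = {"min": 500.0, "mode": 1000.0, "max": 10000.0}  # dollars per event


def point_estimate(events_per_year, loss_per_event):
    """The single-data-point approach: one frequency times one loss, no uncertainty."""
    return events_per_year * loss_per_event


def sample_range(rng, spec):
    """Draw one value from a min/mode/max range using a triangular distribution
    (a simple stand-in for the PERT distribution FAIR tooling typically uses)."""
    return rng.triangular(spec["min"], spec["max"], spec["mode"])


def simulate_annual_loss(freq=LOSS_EVENT_FREQUENCY, mag=LOSS_MAGNITUDE,
                         trials=10000, seed=7):
    """Monte Carlo: for each simulated year, draw how many loss events occur and
    an independent loss magnitude for each event, then sum to an annual loss."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    annual_losses = []
    for _ in range(trials):
        # Events are whole occurrences, so round the continuous frequency draw.
        n_events = round(sample_range(rng, freq))
        annual_losses.append(sum(sample_range(rng, mag) for _ in range(n_events)))
    return annual_losses


def percentile(sorted_values, p):
    """Nearest-rank percentile on an already sorted list."""
    idx = min(len(sorted_values) - 1, int(p / 100 * len(sorted_values)))
    return sorted_values[idx]


def summarize(annual_losses):
    """Report the spread of annual loss exposure instead of a single number."""
    s = sorted(annual_losses)
    return {
        "min": s[0],
        "p10": percentile(s, 10),
        "median": percentile(s, 50),
        "mean": statistics.fmean(s),
        "p90": percentile(s, 90),
        "max": s[-1],
    }


def exceedance_probability(annual_losses, threshold):
    """Fraction of simulated years whose loss exceeds the threshold: the number a
    decision maker can compare against risk appetite."""
    return sum(1 for loss in annual_losses if loss > threshold) / len(annual_losses)


if __name__ == "__main__":
    single = point_estimate(2, 1000)
    losses = simulate_annual_loss()
    stats = summarize(losses)
    print(f"Point estimate:            ${single:,.0f}/year")
    print("Simulated annual loss exposure:")
    for name, value in stats.items():
        print(f"  {name:>6}: ${value:,.0f}")
    print(f"P(annual loss > ${single:,}) = {exceedance_probability(losses, single):.1%}")
```

Because every simulated year stays inside the elicited ranges, the result is accurate by construction; narrowing the ranges (or replacing the assumed mode values with ones from your subject matter experts) is how precision improves over time, exactly the progression the paragraph above describes.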
Practice makes (near) perfect
I can promise you that LeBron James was not born with the skills to become one of the best basketball players in the world; he most likely practiced every day and was extremely dedicated to the sport. Now I’m not saying you should run a FAIR analysis every day, but I will say things may start off a little rocky. Continue to put on your FAIR cap to think through problems in business or even your everyday life. How can you break down a problem and analyze it using what you know? Practice, practice, practice and I promise you, you will get better over time.
The reason I say near perfect is because perfection is usually not a realistic goal to strive for when running risk analyses. I like to refer to the Law of Diminishing Returns. Decisions need to be made, and if your analysis is playing a role or could potentially add value, you may miss your opportunity to showcase your analysis if you overanalyze it for days, weeks, or months. Don’t fall victim to perfectionism.
Test out the waters and be ready to revise
Before taking results to the board of directors, start small. I know anytime I run an analysis I first start with a simple Q&A to myself, maybe even with someone on my team who is familiar with the analysis, to get an understanding of the results and where they could use some refinement. Then run it by the subject matter experts you worked with to get their perspective on the results. If it doesn’t seem accurate to them, again, put on your FAIR cap and determine what data point needs to be adjusted to better represent your scenario.
If at first you don’t succeed, try and try again
Once you have gone through each of these steps and you’re starting to feel more confident with your analysis you may look to take it to the board of directors, a steering committee, or another form of senior-level management within your organization. This is great, but I warn you, there are many reasons that people may shut down your results. Naysayers will almost always be part of business – you’re bringing different people, with different opinions together to make one decision – that’s difficult. Which brings us to our next, and final point:
Learn from your risk analysis mistakes
Find out what your audience believes to be wrong with the analysis and use your critical thinking and your FAIR knowledge to figure out what needs to be updated. Maybe it’s the delivery or some of the data points; make those adjustments for the next go-around and it may be better received.
Always remember: stay relentless with the process. With a good framework, reliable subject matter experts, and plenty of practice you should feel confident in your FAIR analysis.
Become a member of the FAIR Institute to join an exclusive community of information risk officers, cyber security leaders and business executives who share their experience and knowledge on the growing discipline of information risk management.