NASA’s Risk Management Handbook Shares the Spirit of FAIR™ and Quantitative Risk Analysis
With the first flight of an American spacecraft carrying NASA astronauts launched from US soil since 2011, a FAIR Institute Member sent us a note pointing out that the NASA Risk Management Handbook shares a lot of the spirit of FAIR™.
The handbook, issued in 2011, covers NASA’s then-recently developed Risk Informed Decision Making (RIDM) process, which feeds into an older Continuous Risk Management (CRM) process, much as FAIR provides the risk analysis paradigm for the NIST CSF, leading to an overall program of risk management.
RIDM “fundamentally changes the focus from qualitative assessments to quantitative analyses, from the management of individual risks to the management of aggregate risk, and from eliminating or reducing the impact of single unwanted events to the management of risk drivers,” the handbook says.
“This quantification allows managers to discover the drivers of the total risk and find the interactions and dependencies among their causes, mitigations, and impacts across all parts of the program’s organization.
“In addition, quantification supports the optimization of constrained resources, leading to greater affordability.
“Armed with a set of performance requirements and knowledge of the decision maker’s risk tolerance, CRM is used to manage the individual risks that collectively contribute to the aggregate risk of not meeting program/project performance requirements and goals.”
Decision-Making Support for Choosing Among Alternatives
Just as with FAIR analysis for cybersecurity, NASA’s analysis process supports decision making by identifying and comparing among alternative courses of action. For space missions, those fall into four categories of performance:
- Safety (e.g., avoidance of injury, fatality, or destruction of key assets)
- Technical (e.g., thrust or output, amount of observational data acquired)
- Cost (e.g., execution within allocated cost)
- Schedule (e.g., meeting milestones)
For instance, more safety equipment for astronauts needs to be weighed against bigger engines for more thrust, against cost and against schedule delay, which is not so different from a risk-reduction controls decision for cyber.
“Quantification” for NASA largely relies on engineering specs and testing, plus data from the agency’s long history with project scheduling and costs. “Astronaut loss of life may not be directly quantifiable but quantification might assess reliability of vehicle,” says the handbook.
Like FAIR analysis, the NASA approach builds on risk “scenarios” leading to degraded performance in the four categories, with a “likelihood” and “consequences”. And, like FAIR, NASA embraces probabilistic modeling of performance using Monte Carlo simulation to account for the uncertainty of missions that push the frontiers of science and engineering.
NASA’s Collaborative Process
Interestingly, though aimed at quantitatively supporting decision making, the NASA handbook also gives due weight to the need for judgement calls by project leaders, with a lot of recommendations to ensure a collaborative process.
“Technical information cannot be the sole basis for decision making... Decision making is an inherently subjective, values-based enterprise.
“In the face of complex decision making involving multiple competing objectives, the cumulative judgment provided by experienced personnel is an essential element for effectively integrating technical and nontechnical factors to produce sound decisions.”