FAIR Institute Blog

Pro Tip for FAIR Risk Scenario Analysis: Map It

[fa icon="calendar"] Apr 10, 2017, 10:41:26 AM / by Cody Whelan

Cody Whelan

I just wrapped an engagement helping a really great customer identify their top ten risks. Talk about commitment: They organized a book club where members of Information Security,  Privacy and Audit were actively studying the FAIR book, Measuring and Managing Information Risk.

At the last club meeting, somebody said “I love the FAIR model and risk quantification. But how do I apply this to the risks that face me and my department?”

My answer: mapping.

That’s the term I use for assigning core nodes in the FAIR ontology…

Basic_FAIR_ontology.jpg

…to a risk scenario.

Let me show you how this worked with a scenario we analyzed as part of this engagement:

 “How much risk is associated with compromised customer credentials leading to fraudulent transactions?”

So let’s start mapping, starting with the left side of the ontology:

Loss Event Frequency

In this scenario, what data would represent the Loss Event Frequency?  As we have a well-scoped analysis, not to toot my own horn, it’s pretty obvious:

Loss Event Frequency would be how many times per year a successful fraudulent transaction occurs due to compromised customer credentials. 

Because we often want to show the efficacy of a control, we derive the Loss Event Frequency from Threat Event Frequency and Vulnerability. 

Threat Event Frequency

With that in mind, what would represent the number of attempted compromises, or our Threat Event Frequency?  If Loss Event Frequency represents the number of successful fraudulent transactions, then:

Threat Event Frequency would need to be the number of times accounts are taken over, yet do not result in successful transactions

Vulnerability

Now for one of our key control areas…

 What prevents those Threat Events from becoming Loss Events, in other words, our Vulnerability? 

In this scenario, it represented the alerting and wire recall processes of the customer’s Fraud department.  

Secondary Loss Event Frequency

Moving to the right side of the ontology, the driver of the other nodes is Secondary Loss Event Frequency. And the question is, when there is a fraudulent transaction due to compromised customer credentials…

 What percent of the time do we anticipate adverse impacts from Secondary Stakeholders

 We use mind mapping software to think through risk scenarios. Here’s how it mapped out:

mapping-to-fair-ontology.jpg

And the answer is…

When we considered that the compromise occurred on the customer’s end, as well as all of the efforts the Fraud department makes in an attempt to get the money back, this impact was relatively small.   

As you can see, by assigning those core nodes of the ontology to the scenario we’re analyzing, we know exactly what the Loss Event is for this specific scenario, which is absolutely critical to scoping any analysis, as well as what information we need to go hunt down in order to quantify this scenario. 

Initially, this process can be a little challenging to complete.  It’s forcing you to logically think through the problem,  probably way more than you’ve done previously.  Yet I will say,  the more of these that you do, the easier they get.  For me, solving this problem is half the fun.  I hope it’s the same for you.

Topics: FAIR, Case Studies

Cody Whelan

Written by Cody Whelan

Network and Learn - Join a FAIR Workgroup

Subscribe to Email Updates

417NjDVYgtL._SX404_BO1204203200_.jpg
Learn How FAIR Can Help You
Make Better Business Decisions

Recent Posts