(To the tune of Ice Ice Baby)
Alright, stop! Collaborate, and listen. FAIR is back to give advice you been missin’
If Risk has grabbed ahold of you tightly, run an analysis, quantify it rightly.
Do you have the info? Yup, that I know! Check with the SMEs, they’ll tell ya so.

Okay, so it is good I found a career in risk consulting because clearly my rap career was not going to pan out. Still, I did learn a few things as a FAIR quantitative risk analyst from the one and only Vanilla Ice, even if a career as a rap god was not among them: Stop, Collaborate, and Listen!
Before you even begin to gather data for your risk analysis, stop! The first thing you need to do is to define your scope. Your scope should specifically outline the asset, threat, and effect that you are analyzing.
Asset – the thing of value you are trying to protect
Threat – the person or thing attempting to cause harm to your asset
Effect – the ultimate outcome if the threat is successful in affecting your asset
It is important you define these elements first so that all parties involved are on the same page in terms of what specifically is being analyzed, and by the same token, what is NOT being analyzed. This will reduce scope creep and confusion.
Risk analysis is not meant to be conducted in a vacuum. Just because you don’t know the data point off hand does not mean it does not exist. In order to complete a successful analysis, you must involve the key Subject Matter Experts (SMEs) in your organization. Enable a collaborative environment and be sure to state all assumptions that are made throughout the discussions. Utilize calibrated estimates to reduce uncertainty around less well-known data points and remember, no data is data.
Remember that thing I said about assumptions! One of the most important parts of a risk analysis is to listen! More importantly, listen to understand the assumptions that are being made and any uncertainties around data points. These are important things to take note of and document in your rationale.
On the subject of rationale, also ensure you are listening to who is providing which estimates and what data points they are using to derive the values. Are there specific controls you considered? Document them. Were there any controls you specifically excluded? Document them. Was there any industry or third-party data you used to supplement your organizational data? Document that.
If you keep this advice in mind you’ll…
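To show how the three steps above fit together in practice, here is an added example (not code from the original post, nor from the FAIR standard itself): it records the scope (asset, threat, effect), captures each SME's calibrated estimate together with who gave it, the rationale behind it and the assumptions made, and turns those ranges into a loss distribution. The asset, threat, estimates and rationale text are constructed sample values, and the "frequency × magnitude over a triangular distribution" Monte Carlo is a deliberate simplification chosen for illustration rather than the full FAIR taxonomy.

```python
"""Scope, calibrated estimates and rationale record for a quantitative risk analysis.
Added example; the model below (independent frequency and magnitude drawn from
triangular distributions) is an assumption chosen for illustration."""
import random
from dataclasses import dataclass, field
from statistics import mean, quantiles


@dataclass(frozen=True)
class Scope:
    """Stop: state exactly what is being analysed (and, by omission, what is not)."""
    asset: str
    threat: str
    effect: str


@dataclass
class CalibratedEstimate:
    """Collaborate: an SME's 90%-confidence range plus the provenance needed to defend it."""
    name: str
    low: float
    most_likely: float
    high: float
    source: str                      # who supplied the range
    rationale: str                   # data and controls behind it
    assumptions: list = field(default_factory=list)

    def validate(self) -> list:
        """Return a list of problems; empty means the range is usable."""
        problems = []
        if self.low < 0:
            problems.append(f"{self.name}: low bound must not be negative")
        if not (self.low <= self.most_likely <= self.high):
            problems.append(f"{self.name}: need low <= most_likely <= high")
        return problems

    def sample(self, rng: random.Random) -> float:
        # Triangular draw (min, max, mode); a stand-in for a PERT distribution.
        return rng.triangular(self.low, self.high, self.most_likely)


def simulate_annual_loss(frequency, magnitude, iterations=10000, seed=1) -> dict:
    """Annual loss = loss-event frequency (events/year) x loss magnitude per event.
    Assumption: the two estimates are independent."""
    problems = frequency.validate() + magnitude.validate()
    if problems:
        raise ValueError("; ".join(problems))
    rng = random.Random(seed)   # fixed seed so the run is reproducible
    losses = [frequency.sample(rng) * magnitude.sample(rng) for _ in range(iterations)]
    deciles = quantiles(losses, n=10)  # nine cut points: p10 ... p90
    return {"mean": mean(losses), "p10": deciles[0], "p50": deciles[4], "p90": deciles[8]}


def rationale_report(scope: Scope, estimates: list) -> str:
    """Listen: write down who said what, on what basis, and under which assumptions."""
    lines = [f"Scope: asset={scope.asset}; threat={scope.threat}; effect={scope.effect}",
             "Anything not named above is out of scope."]
    for est in estimates:
        lines.append(f"{est.name}: {est.low} / {est.most_likely} / {est.high} "
                     f"(90% confidence) from {est.source}")
        lines.append(f"  rationale: {est.rationale}")
        for assumption in est.assumptions:
            lines.append(f"  assumption: {assumption}")
    return "\n".join(lines)


# Constructed sample values for a hypothetical analysis.
SCOPE = Scope(asset="customer database",
              threat="external attacker",
              effect="disclosure of customer records")

FREQUENCY = CalibratedEstimate(
    name="loss event frequency (events/year)", low=0.1, most_likely=0.5, high=2.0,
    source="security operations lead",
    rationale="three credential-phishing incidents in five years; MFA considered, "
              "email filtering explicitly excluded",
    assumptions=["control coverage stays at current levels"])

MAGNITUDE = CalibratedEstimate(
    name="loss magnitude per event (USD)", low=50_000, most_likely=300_000, high=2_000_000,
    source="legal and finance",
    rationale="internal incident costs supplemented with a third-party breach-cost report",
    assumptions=["no regulatory fine beyond notification costs"])


def run_example() -> dict:
    return simulate_annual_loss(FREQUENCY, MAGNITUDE)


if __name__ == "__main__":
    print(rationale_report(SCOPE, [FREQUENCY, MAGNITUDE]))
    print(run_example())
```

The report is the artefact you hand back to the SMEs to confirm you heard them correctly; the simulation is only as defensible as the rationale and assumptions recorded beside each range.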
Quant’ that risk like a pro! Defend your results, got that data in the know
FAIR is the international standard for quantitative risk analysis for cyber, technology and operational risk.