5 Principles for Risk Aligned Decision Making in Cybersecurity


“The purpose of any risk analysis is to provide decision-makers with the best possible information about loss exposure and their options for dealing with it.”

--from Measuring and Managing Information Risk: A FAIR Approach

Likewise, the purpose of FAIR is not to produce risk quantification but decision support – and within some realistic guardrails: the “best possible” information leading to a choice among the practical options. FAIR analysts always present their results as a range of probable outcomes for likelihood and impact of an event, with transparency about their level of confidence, so the business can make truly risk-informed, data driven decisions – and understand the uncertainty of any decision.

Here are five principles for risk analysis that drives decisions:

1. Start with a Risk Scenario

“In order to clearly define what it is that you are measuring, you first need to understand the purpose or goal of your analysis. What question are you trying to answer? Who is your audience and what do they need to know to make an effective risk-based decision?”

--How to Clearly Define a Risk Scenario Statement for FAIR Analysis

FAIR analysis always starts with a specific risk scenario with a defined threat actor, means of attack and a targeted asset to focus analysis on loss events that can be quantified – and keep us data-driven. Just as important, scoping keeps us focused on supporting decisions that address specific business problems, not general issues. A risk scenario statement:

Risk Scenario - Risk Statement

2. Don't Let the Perfect Get in the Way of the Good

“In certain aspects of the information security profession it seems to be dismissed unless it can be a single perfect model that has 100 percent reliability…In no other field of risk management is such a high bar set.”

--Phil Venables, VP, CISO, Google Cloud, speaking at the 2020 FAIR Conference

Again, the purpose of FAIR is not analysis for analysis’ sake. Jack Jones has a clarifying catch phrase: What’s needed is “Accuracy with enough precision to be useful.” Doug Hubbard, the pioneering researcher on risk analysis techniques and a major influencer for the FAIR movement, advises against the trap of over-eager data gathering. “The more uncertainty you have the more uncertainty reduction you get from the first few observations…The belief that we have more uncertainty so we need more data – mathematically just the opposite is true,” Doug said at the 2019 FAIR Conference.

3. Deliver Analysis at the Speed of Business

Analysis delayed is decision support denied. Risk teams must develop the skills and processes to deliver relevant risk information when deciders need it, in an ever-shorter time frame in the current threat environment. That’s why so much attention in the FAIR movement is now turning to automating all aspects of FAIR, particularly on the risk event frequency side with the introduction of the FAIR Controls Analytics Model (FAIR-CAM). Before FAIR-CAM, controls analytics relied on subjective estimation of controls efficacy, a problem for reliably scaling analysis for automation.

FAIR-CAM Control Functional Domain Relationships

Jack Jones’ blog-post series on automating FAIR cyber risk quantification lays out three requirements for automation: a clear scope, an analytics model (FAIR) and data. “On the surface, these don’t sound too intimidating, but all three need to be done well to get accurate results,” Jack wrote.

4. But Is It Cost-effective?

To deliver complete value to the business decision makers who own the risk, cost out the options to mitigate risk as part of your analysis. With FAIR-CAM, you can quantify the risk reduction effect of controls, running what-if analysis on the effect on loss exposure of reducing discrete risk factors. FAIR-MAM (the FAIR Materiality Assessment Model) is a guide to finding and maintaining loss exposure data down to a granular level, so you can achieve highly accurate cost estimates at speed.
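As an added illustration (not code from the FAIR Institute, FAIR-CAM or FAIR-MAM), the Monte Carlo below turns calibrated min/most-likely/max estimates for loss event frequency and loss magnitude into a range of annual loss exposure, then costs out one control option against the baseline so the decision shows net benefit rather than a single point estimate. The scenario, its estimates, the controlled frequency and the control's annual cost are constructed assumptions.

```python
import math
import random
import statistics

# Constructed scenario (illustration only): unauthorized access to a customer
# records system through compromised credentials. Each input is a calibrated
# (min, most likely, max) estimate, which is how FAIR captures uncertainty.
BASELINE_LEF = (0.2, 0.5, 2.0)                  # loss events per year
CONTROLLED_LEF = (0.05, 0.15, 0.6)              # after a hypothetical control
LOSS_MAGNITUDE = (50_000, 250_000, 2_000_000)   # dollars per loss event
CONTROL_ANNUAL_COST = 60_000                    # constructed cost of the option

def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a Beta-PERT distribution fitted to a min/mode/max estimate."""
    if high <= low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)

def poisson_sample(rng, rate):
    """Number of loss events in one year given a yearly rate (Knuth's method)."""
    limit, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1

def simulate_annual_loss(lef, magnitude, trials=10_000, seed=7):
    """Monte Carlo: one simulated year per trial, returning total loss per year."""
    rng = random.Random(seed)  # fixed seed so a rerun reproduces the same range
    losses = []
    for _ in range(trials):
        events = poisson_sample(rng, pert_sample(rng, *lef))
        losses.append(sum(pert_sample(rng, *magnitude) for _ in range(events)))
    return losses

def summarize(losses):
    """Report a range, not a point: 10th/50th/90th percentiles and the mean (ALE)."""
    cuts = statistics.quantiles(losses, n=10)
    return {"p10": cuts[0], "p50": cuts[4], "p90": cuts[8],
            "mean": statistics.fmean(losses)}

def compare_option(baseline, option, annual_cost):
    """Net benefit of a control: expected loss avoided minus what it costs."""
    avoided = statistics.fmean(baseline) - statistics.fmean(option)
    return {"expected_loss_avoided": avoided, "annual_cost": annual_cost,
            "net_benefit": avoided - annual_cost}
```

Run `summarize(simulate_annual_loss(BASELINE_LEF, LOSS_MAGNITUDE))` for the baseline range, then pass the baseline and controlled runs to `compare_option` to see whether the control pays for itself.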

5. Speak the Language of Your Audience

You may be proud of the excellence of your FAIR analysis but talking “ALE” or other FAIR-speak may cause your stakeholders to tune out. A perfect case study came from the FAIR Institute’s 2023 London Conference in the presentation by the FAIR team at Maersk, the shipping giant, on analysis for a merger. The merger team “couldn’t care less” about the risk and cost-benefit results presented, said Senior Cybersecurity Risk Manager Pooya Alai. The FAIR team quickly recalibrated and translated results into impact on EBITDA, a meaningful metric in M&A. “The best way to talk about risk is not to talk about risk but about the variance around the metrics that matter” to decision-makers, he said.

Learn more about techniques to keep your analyses risk aligned and data driven here:

Scaling a FAIR Program at Netflix
