Whether it is difficulty with data gathering, calibrating estimates, or presenting results, problems that come up in FAIR analysis tend to stem from the same source: a lack of a clearly defined risk scenario statement.
As David Musselwhite, the Dean of the RiskLens Academy for FAIR training, explains, “Your scenario statement is where you tell everyone involved in the analysis (analysts, SMEs, consumers of the analysis, etc.) what loss event you’re analyzing.”
I have broken down tackling the risk scenario into 3 sections: why it matters, how to improve, and what to do next.
Why the Risk Scenario Statement Matters
“A problem well stated is a problem half solved.”
- Douglas Hubbard, How to Measure Anything: Finding the Value of Intangibles in Business
The first step of a FAIR analysis is scoping: clearly articulating what it is that you are quantifying. The more FAIR analyses you do, the more apparent it will become that it is extremely important to know what you are measuring and why.
Here’s an inartfully phrased scenario statement: “How much risk do we have from the cloud?” It grammatically indicates that the cloud is creating risk for us, when assets, or containers of assets, can’t create risk. It’s like asking “How many symphonies will that pen write?” The pen doesn’t write the symphony; it is an instrument, an involved element in the event of the symphony being written.
Learn more: In a FAIR Risk Analysis, Don't Collect Data till You Scope
Our IT assets are just involved elements in the events that unfold that cause loss to us. We have to describe those events, in direct and unambiguous terms, if we hope to gain any reduction in uncertainty as to how much probable future loss they may cause us.
You may have risk associated with some scenarios that are related to the cloud, but risk comes from events, not things. Risk comes from uncertain future happenings, not from “the cloud.”
The loss event — the thing that happens that causes loss to you — is the breach of the confidentiality of the data. It’s when the asset is actually impacted in the way that leads to loss to you; when one or more of the characteristics that makes it valuable are impacted, thus rendering it less valuable or creating liability for you.
In order to clearly define what it is that you are measuring, you first need to understand what the purpose or goal of your analysis is. What question are you trying to answer? Who is your audience, and what do they need to know in order to make an effective risk-based decision?
“If a measurement matters at all, it is because it must have some conceivable effect on decisions and behavior. If we can't identify a decision that could be affected by a proposed measurement and how it could change those decisions, then the measurement simply has no value” - Douglas Hubbard.
Watch the video: Doug Hubbard’s presentation at FAIRCON 2019
If you cannot clearly define what you are measuring and why, this will lead to many problems, the biggest of which is confusion. This comes in two forms: confusion in the data you are trying to collect and confusion in the results you are giving.
If you haven’t clearly defined what you are measuring it will be extremely difficult to collect the best data to support your analysis. Should you be focusing on questions around a specific method or in general? Do you care about internal actors or only external? Which controls are relevant and why? Ultimately, the way you define your scenario will drive your data gathering and determine which questions need to be asked.
The pain associated with a lack of a clearly defined scenario usually manifests in the amount of time it takes to gather data and the relevance of the data gathered. Being unable to clearly define questions due to your unclear scope may also result in getting a lot of “I don’t know” answers from subject matter experts (SMEs) or getting answers that are not relevant to the question you are trying to answer.
Taking it one step further, if you are able to gather information from SMEs to support your analysis, you will need to be prepared to get many more questions from your key stakeholders as well. If you have not clearly defined your analysis and are not confident in the ranges estimated, this will be evident when presenting your results. The audience may have questions you would never have expected, or may draw inappropriate conclusions from the information because they made inaccurate assumptions about the purpose and scope of the analysis. Avoid this pain by putting in the effort at the beginning.
Learn more: 3 Tips on How to Talk to SMEs about Cyber Risk Quantification
How to Improve Loss Exposure Scenario Statements
This might leave you wondering how you do this. The key to a well-defined scenario statement is the K.I.S.S. method (Keep It Simple, Stupid).
“Analyze the risk associated with malicious external actors breaching the confidentiality of sensitive company data accessible on a lost/stolen mobile device.”
Actors impacting some characteristic of an asset — short and sweet.
What are the aspects of this? Well, they clearly defined the who (“external malicious actor”), the effect (“breaching the confidentiality of sensitive data”) and the where (“mobile device”). They even took it one step further and specified the asset to only those that are lost/stolen, versus every single mobile device.
Consider that scenario statement in comparison to this one:
"Analyze the risk associated with external attackers gaining access to sensitive company data contained on lost or stolen mobile devices, leading to a loss of confidentiality."
Actors gaining access to an asset which leads to them impacting some characteristic of the asset — “Wait a minute,” says the confused non-IT decision-maker, “What’s the difference between them gaining access and breaching it?”
And now doubt and confusion have been cast over your whole analysis because people aren’t quite sure exactly what scenario you’re talking about. You’ve introduced multiple terms, you’ve opened up space for their assumptions and for more and differing interpretations of language, and you have moved farther and farther away from good, clean, direct, logical analysis.
As referenced above, phrasing your scenario statements in this way also helps you later in the analysis: all the descriptors of the variables in your model can be built from a good scenario statement, which is important for data gathering.
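To show how a statement built from the three parts (actor, effect, asset) drives both the wording and the later data-gathering questions, here is an added example; it is not code from the post, RiskLens or the FAIR Institute. The `Scenario` and `Effect` names, the question wording and the two phrasing checks are this example's own assumptions; the checks cover only the two problem phrasings the post critiques (“risk from the cloud” and “gaining access … leading to a loss”).

```python
"""Build a FAIR-style loss event scenario statement from its parts and derive
the SME questions for the FAIR model variables from it.
Added example: the class and helper names are assumptions, not a FAIR standard."""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum


class Effect(Enum):
    """Which characteristic of the asset's value the loss event impacts."""
    CONFIDENTIALITY = "breaching the confidentiality of"
    INTEGRITY = "compromising the integrity of"
    AVAILABILITY = "disrupting the availability of"


@dataclass(frozen=True)
class Scenario:
    threat_actor: str      # who: the threat community acting against the asset
    effect: Effect         # how: the characteristic of the asset that is impacted
    asset: str             # what: the asset whose value is impacted
    asset_scope: str = ""  # optional narrowing, e.g. "accessible on a lost/stolen mobile device"

    def scoped_asset(self) -> str:
        return f"{self.asset} {self.asset_scope}".strip()

    def statement(self) -> str:
        """Render 'actor <effect> asset [scope]' as a single loss event, one verb only."""
        return (
            f"Analyze the risk associated with {self.threat_actor} "
            f"{self.effect.value} {self.scoped_asset()}."
        )

    def data_gathering_questions(self) -> dict[str, str]:
        """Map the FAIR model variables to SME questions phrased in the scenario's own
        terms, so analysts, SMEs and stakeholders all estimate the same loss event."""
        actor, asset = self.threat_actor, self.scoped_asset()
        event = f"{actor} {self.effect.value} {asset}"
        return {
            "Threat Event Frequency": f"How many times per year do {actor} act against {asset}?",
            "Vulnerability": f"Of those attempts by {actor} against {asset}, what fraction end with {event}?",
            "Loss Event Frequency": f"How many times per year does the loss event '{event}' occur?",
            "Loss Magnitude": f"When {event}, what is the loss per event (response, replacement, fines, reputation)?",
        }


# Phrasings the post warns against (constructed patterns for this example):
# an asset or container cast as the *source* of risk, and a chain of event verbs
# that leaves the reader asking which event is the loss event.
AMBIGUOUS_PATTERNS = {
    r"\brisk\b(?: \w+){0,4} from (?:the|our)\b": "names a thing as the source of risk; risk comes from events, not assets",
    r"\bgaining access\b.*\bleading to\b": "chains 'gaining access' and 'leading to'; state only the loss event",
}


def review_statement(text: str) -> list[str]:
    """Return the problems found in a free-text scenario statement; [] means none found."""
    return [why for pat, why in AMBIGUOUS_PATTERNS.items() if re.search(pat, text, re.IGNORECASE)]


if __name__ == "__main__":
    s = Scenario("malicious external actors", Effect.CONFIDENTIALITY,
                 "sensitive company data", "accessible on a lost/stolen mobile device")
    print(s.statement())
    for variable, question in s.data_gathering_questions().items():
        print(f"  {variable}: {question}")
    for text in ("How much risk do we have from the cloud?", s.statement()):
        print(text, "->", review_statement(text) or "ok")
```

The point of `data_gathering_questions` is that every question repeats the statement's own actor, effect and asset, which is what keeps SMEs from answering a different question than the one you are asking; `review_statement` is deliberately narrow and only flags the two patterns discussed above.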
What to Do Next
Sharpen your analytical skills. The FAIR Institute blog and LINK discussion board (FAIR Institute membership required - sign up now) are great sources for tips on conducting FAIR analysis. And for the most advancement in the least time, the RiskLens Academy offers in-depth training that gives analysts the opportunity to learn how to conduct an analysis from end to end. This is offered online and can be taken at your leisure.
5 Habits for Highly Successful Risk Analysis