If a common objection to quantitative cyber risk analysis is that it takes too much time for decision-support at the speed of business, the answer is triage with FAIR™: running quick scenarios with enough accuracy to reveal the most urgent risks that require immediate attention or a deeper analysis.
This 30-minute video from the 2020 FAIR Conference covers the lessons learned from implementing triage at trucking company Werner Enterprises, with Alyssa Hinz, Senior Information Security Specialist and David Elfering, former Vice President of Information Security (now Senior Director of Information Security, ReSource Pro).
The key to speed in triage is preparation: mustering the elements below, each of which is a capability of the RiskLens platform that Werner used to enter, organize and apply the data, and then running the RiskLens Rapid Risk Analysis, which in minutes ranks risk scenarios on different parameters for impact:
- Loss tables, based on industry and internal data, to capture exactly how and how much the business loses in revenue from a cyber event
- Asset library, documenting the at-risk assets, how they tie to the loss tables, their data types, vulnerabilities and resistance strengths
- Risk scenarios based on the FAIR construct of a threat acting on an asset resulting in a loss, filled out with the loss tables, asset library and estimates by subject matter experts (SMEs) for other elements such as probable threat actors or frequency of attack.
The good news is that each of these elements is reusable and becomes better defined with each analysis, so triage is an iterative process that gets faster over time.
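As an added illustration (not code from the video, from RiskLens, or from Werner), the sketch below models the three triage elements above, loss tables, an asset library and threat-on-asset scenarios with SME range estimates, and ranks the scenarios by expected annual loss. All dollar figures, resistance values and frequencies are constructed sample values, and the PERT-weighted mean is an assumed simplification, not the RiskLens Rapid Risk Analysis method.

```python
from dataclasses import dataclass

# Constructed sample loss tables: dollars lost per unit, as calibrated
# (low, most likely, high) ranges rather than single-point figures.
LOSS_TABLES = {
    "dispatch_outage_per_hour": (5_000, 15_000, 40_000),
    "customer_record_exposed": (40, 120, 300),
}

@dataclass(frozen=True)
class Asset:                 # one entry in the asset library
    name: str
    loss_table: str          # which loss table this asset maps to
    units: tuple             # (low, likely, high) hours down or records exposed
    resistance: float        # 0..1: share of threat events the controls stop

@dataclass(frozen=True)
class Scenario:              # FAIR construct: threat acts on asset, causing loss
    threat: str
    asset: Asset
    tef: tuple               # SME-estimated threat events per year (low, likely, high)

def pert_mean(rng):
    """Assumed simplification: PERT-weighted mean of a (low, likely, high) range."""
    lo, ml, hi = rng
    return (lo + 4 * ml + hi) / 6

def annualized_loss(s):
    """Return (low, expected, high) annual loss in dollars for one scenario."""
    per_unit = LOSS_TABLES[s.asset.loss_table]
    vuln = 1 - s.asset.resistance            # fraction of attempts that succeed
    low = s.tef[0] * vuln * per_unit[0] * s.asset.units[0]
    high = s.tef[2] * vuln * per_unit[2] * s.asset.units[2]
    expected = (pert_mean(s.tef) * vuln
                * pert_mean(per_unit) * pert_mean(s.asset.units))
    return low, expected, high

def triage(scenarios):
    """Rank scenarios by expected annual loss, highest first, for the risk register."""
    rows = [(s.threat, s.asset.name, *annualized_loss(s)) for s in scenarios]
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample asset library and scenarios (not Werner's data).
DISPATCH = Asset("dispatch system", "dispatch_outage_per_hour", (4, 12, 48), 0.7)
CRM = Asset("customer database", "customer_record_exposed", (1_000, 10_000, 50_000), 0.9)
SCENARIOS = [
    Scenario("ransomware", DISPATCH, (0.5, 1, 3)),
    Scenario("credential theft", CRM, (0.2, 0.5, 2)),
]
```

Calling `triage(SCENARIOS)` returns the rows sorted so the credential-theft scenario (expected loss roughly $145,000 per year) sits above the ransomware outage (roughly $109,000), with the low and high bounds showing how wide the SME ranges still are.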
To uncover the data to fuel triage is “a bit of a treasure hunt”, Elfering said, an opportunity for a FAIR analyst to “stop being a risk geek and talk to people,” meet the SMEs and business unit owners and identify in particular how money gets made and lost in the organization. Elfering and Hinz offer a load of tips on finding that treasure, including:
- The authoritative answers on losses may come from the least expected places; at Werner, it turned out that was not Accounts Payable but Customer Service.
- SMEs tend, first, to overestimate their own knowledge and, second, to want to give precise, know-it-all answers to questions. Gently challenge their assumptions and use calibrated estimation to draw out the ranges that FAIR analysis requires.
- For data gathering, “know when enough is enough,” said Elfering. “There’s a point when more really is less… This is triage, rapid response, and should be a responsive and relatively short process.”
One of the big benefits from these speedy risk analyses, according to Elfering: “Triage will populate risk statements in your risk register and allow you to sort through them dynamically by risk type or threat type or by asset or by range. You’ve got a multidimensional view of your risk.”
Learn more – watch the video on how to rapidly triage risks from the 2020 FAIR Conference.