A FAIR Artificial Intelligence (AI) Cyber Risk Playbook

The Playbook, created by FAIR Institute Member Jacqueline Lebo of Safe Security (technical adviser to the Institute), breaks down the generative artificial intelligence (GenAI)/large language model (LLM) challenge into five steps:

1.  Contextualize

Recognize the five vectors of GenAI risk (Shadow GenAI, Creating Your Own Foundational LLM, Hosting on LLMs, Managed LLMs and Active Cyber Attack

2,  Identify Risk Scenarios

How to think through probable loss exposure for your organization from each of the five vectors using the familiar threats/assets/effects of Factor Analysis of Information Risk.

3.  Quantify Scenarios with FAIR

Using your internal data or industry data, apply FAIR analysis to produce results like this:

There is a 5% probability in the next year that Employees will leak company-sensitive information via an open-source LLM Model (like chat GPT), which will lead to $5 million dollars of losses.

4.   Prioritize/Treat AI Risks

To clarify the path to decision-making, identify the key drivers behind the risk scenarios. Example: For the Active Cyber Attack Vector, a risk driver could be phishing click rate among employees with access to large amounts of sensitive data.

5.   Decision Making

Bringing it all together – comparing treatment options, taking into account the quantitative values you uncovered, controls and key risk drivers.

As the Playbook concludes “The purpose of this approach is to meet the business needs, not create additional obstacles to AI deployment.”

More Resources on Quantitative Risk Analysis for GenAI from the FAIR Institute

It’s early days on risk management for AI-related cyber risk, but the FAIR community is already developing solid advice for applying the rigor of FAIR thinking to this frontier of risk analysis. The FAIR Institute has been selected as a participant in the National Institute of Standards and Technology’s US AI Safety Institute Consortium (AISIC).