Introduction to FAIR
Factor Analysis of Information Risk
                         by

  Patrick Florer, Principal Consulta...
Let’s talk about risk




       © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)
                                 Definition of Risk
risk (rĭsk) [French risque,...
Factor Analysis of Information Risk (FAIR)
             Definition of Risk

                risk:
                 Risk is...
Factor Analysis of Information Risk (FAIR)
                                  Definition of Risk

risk:


The probable freq...
Factor Analysis of Information Risk (FAIR)
                                 IT – Related Risk
The net mission impact consi...
And now, let’s talk briefly about a few other
 concepts that will be important in helping
           you to understand FAI...
Factor Analysis of Information Risk (FAIR)
                             Possibility vs. Probability
What’s the difference?...
Factor Analysis of Information Risk (FAIR)
                    Possibility vs. Probability

Possibility – a set of outcome...
Factor Analysis of Information Risk (FAIR)
                        Possibility vs. Probability
Using a coin as an example ...
Factor Analysis of Information Risk (FAIR)
                                  Precision vs. Accuracy
What’s the difference?...
Factor Analysis of Information Risk (FAIR)
                       Precision vs. Accuracy
Why does this matter?
Precise Acc...
Factor Analysis of Information Risk (FAIR)
          Qualitative vs. Quantitative Methods
What’s the difference?
Qualitati...
Factor Analysis of Information Risk (FAIR)
          Qualitative vs. Quantitative Methods
What’s the difference?
Quantitat...
Factor Analysis of Information Risk (FAIR)
                            Measurement
What’s the purpose of taking a measurem...
Factor Analysis of Information Risk (FAIR)
                              Variability and Uncertainty
What’s the difference...
So, now that we have addressed all of that –
              What is FAIR?




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)
                        Defensible Risk Analysis
 Framework of interconnected ...
Factor Analysis of Information Risk (FAIR)
                       Defensible Risk Analysis

Future development underway in...
Factor Analysis of Information Risk (FAIR)
                     How is FAIR Different

 Emphasis on Risk

 Logical and R...
Factor Analysis of Information Risk (FAIR)
                         FAIR is being used to…
 Prioritize risk issues for me...
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)
The Relationship between Primary and Secondary Loss:


                        ...
Factor Analysis of Information Risk (FAIR)




              Aliado Accesso Confidential and Proprietary
                 ...
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)




                 © 2010 Aliado Accesso LLC
Factor Analysis of Information Risk (FAIR)
                                 About Aliado
 Mission: Develop risk analysis ...
Factor Analysis of Information Risk (FAIR)
                          What Aliado does …
Aliado’s risk management software ...
Factor Analysis of Information Risk (FAIR)
            FAIR Decision Analysis Packages

 Payment Card Industry (PCI)

 P...
Factor Analysis of Information Risk (FAIR)
              FAIR Decision Analysis Offering

FAIR Decision Analysis Offering ...
Factor Analysis of Information Risk (FAIR)
                 Contact Us



                    Jody Keyser
              jk...
Upcoming SlideShare
Loading in...5
×

Risk Analysis Webinar

1,018

Published on

Introduction to FAIR
Factor Analysis of Information Risk
by
Patrick Florer, Principal Consultant
April 28,

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,018
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
50
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Risk Analysis Webinar

  1. 1. Introduction to FAIR Factor Analysis of Information Risk by Patrick Florer, Principal Consultant April 28, 2010 © 2010 Aliado Accesso LLC
  2. 2. Let’s talk about risk © 2010 Aliado Accesso LLC
  3. 3. Factor Analysis of Information Risk (FAIR) Definition of Risk risk (rĭsk) [French risque, from Italian risco, rischio.] 1. The possibility of suffering harm or loss; danger. 2. A factor, thing, element, or course involving uncertain danger; a hazard. 3. The danger or probability of loss to an insurer. 4. The amount that an insurance company stands to lose. 5. The variability of returns from an investment. 6. The chance of nonpayment of a debt. 7. One considered with respect to the possibility of loss: a poor risk. from The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2006, 2000 by Houghton Mifflin Company © 2010 Aliado Accesso LLC
  4. 4. Factor Analysis of Information Risk (FAIR) Definition of Risk risk: Risk is the possibility of suffering harm or loss. It is the potential for realizing unwanted negative consequences of an event. It refers to a situation where a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence. from An Introduction to the OCTAVESM Method by Christopher Alberts and Audrey Dorofee, Software Engineering Institute, Carnegie Mellon University; last updated January 30, 2001 © 2010 Aliado Accesso LLC
  5. 5. Factor Analysis of Information Risk (FAIR) Definition of Risk risk: The probable frequency and probable magnitude of future loss. from the Factor Analysis of Information Risk (FAIR), ©2008 Risk Management Insight, LLC © 2010 Aliado Accesso LLC
  6. 6. Factor Analysis of Information Risk (FAIR) IT – Related Risk The net mission impact considering: 1. The probability that a particular threat-source will exercise accidentally trigger or intentionally exploit) a particular information system vulnerability 2. The resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to: 1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information 2. Unintentional errors and omissions 3. IT disruptions due to natural or man-made disasters 4. Failure to exercise due care and diligence in the implementation and operation of the IT system. from NIST Special Publication 800-30 © 2010 Aliado Accesso LLC
  7. 7. And now, let’s talk briefly about a few other concepts that will be important in helping you to understand FAIR © 2010 Aliado Accesso LLC
  8. 8. Factor Analysis of Information Risk (FAIR) Possibility vs. Probability What’s the difference? Possibility – “capable of happening, existing, or being true without contradicting proven facts, laws, or circumstances known to be true” Probability – “The likelihood that a given event will occur” And, in statistics - “A number expressing the likelihood that a specific event will occur, expressed as the ratio of the number of actual occurrences to the number of possible occurrences” (All quotes from the American Heritage Dictionary of the English Language, Fourth Edition) © 2010 Aliado Accesso LLC
  9. 9. Factor Analysis of Information Risk (FAIR) Possibility vs. Probability Possibility – a set of outcomes, sometimes binary – yes or no – something that could happen. Understanding the possibilities does not necessarily require data, just a knowledge of possible outcomes Probability – a mathematical calculation with a result where 0 <= P(x) <= 1 Probability is sometimes expressed as a percentage (0 – 100%) , or as an odds ratio (3 out of 4) Probability calculations require data – either actual/historical or estimates © 2010 Aliado Accesso LLC
  10. 10. Factor Analysis of Information Risk (FAIR) Possibility vs. Probability Using a coin as an example … The possibilities are … The probabilities are … Knowing the possibilities does not, in any way, allow you to predict whether the coin will come up heads on the next toss, or on any toss. Knowing the probabilities does not allow you to do this, either, but it does allow you to predict the number of heads that will come up if you toss the coins a large number of times. © 2010 Aliado Accesso LLC
  11. 11. Factor Analysis of Information Risk (FAIR) Precision vs. Accuracy What’s the difference? Precision – “the ability of a measurement to be consistently reproduced” Accuracy – “the ability of a measurement to match the actual value of the quantity being measured” (All quotes from the American Heritage Dictionary of the English Language, Fourth Edition) © 2010 Aliado Accesso LLC
  12. 12. Factor Analysis of Information Risk (FAIR) Precision vs. Accuracy Why does this matter? Precise Accuracy – This would be great, but it is often not achievable. Precision – For example, my watch may run 10 minutes slow with great precision. If you ask me the time, I may tell you the wrong time. Accuracy – My watch runs slow at times and fast at times. If you ask me the time, I will likely say – it’s about 10:00 o’clock – imprecise, perhaps, but good enough for the circumstances. © 2010 Aliado Accesso LLC
  13. 13. Factor Analysis of Information Risk (FAIR) Qualitative vs. Quantitative Methods What’s the difference? Qualitative – low, medium, high, or red, yellow, green, or 1 – 5, etc. Good for some types of quick assessments and quick prioritizations. But - Variability in assessment is a problem, both between different assessors and with the same assessor over time. Qualitative assessments cannot be manipulated arithmetically. Qualitative scales are problematic near the boundaries. Most of the time, when making a qualitative assessment, the assessor has a number in mind anyway – why not just use the number? © 2010 Aliado Accesso LLC
  14. 14. Factor Analysis of Information Risk (FAIR) Qualitative vs. Quantitative Methods What’s the difference? Quantitative – Uses cardinal numbers – everyone understands numbers 3 means 3 and $100k means $100k. You can add, subtract, or do whatever you wish with numbers – you don’t have to guess! But – Quantitative approaches require data, either actual/historical, or estimated. This may or may not be as big a problem as you might think! © 2010 Aliado Accesso LLC
  15. 15. Factor Analysis of Information Risk (FAIR) Measurement What’s the purpose of taking a measurement? To reduce uncertainty . Sometimes the “perfect” answer is unattainable. But, in many cases, it doesn’t matter. A reduction in uncertainty is what is required. How much do we need to reduce uncertainty? Only as much as required by the decision at hand. And if we cannot reduce uncertainty to that level, then what? We can either collect more measurements, or work with what we have. © 2010 Aliado Accesso LLC
  16. 16. Factor Analysis of Information Risk (FAIR) Variability and Uncertainty What’s the difference? “Variability is the effect of chance and is a function of the system. It is not reproducible through either study or further measurement, but may be reduced by changing the physical system” 1 “Uncertainty is the assessor’s lack of knowledge (level of ignorance) about the parameters that characterize the physical system being modeled. It is sometimes reducible through further measurement or study, or by consulting more experts” 1 1 David Vose, Risk Analysis, A Quantitative Guide, 3rd edition, 2008, pp. 47-48 © 2010 Aliado Accesso LLC
  17. 17. So, now that we have addressed all of that – What is FAIR? © 2010 Aliado Accesso LLC
  18. 18. Factor Analysis of Information Risk (FAIR) Defensible Risk Analysis  Framework of interconnected models that describe how key elements of the information risk landscape work.  Models that analyze the underlying dynamics of the information risk landscape.  Developed in 2001 and under continual evolution, FAIR was created by a CISO who was trying to find answers to : • How much risk do we have? • How much less/more risk will we have if ...? • What are our most significant issues? © 2010 Aliado Accesso LLC
  19. 19. Factor Analysis of Information Risk (FAIR) Defensible Risk Analysis Future development underway in 2009-2011 by Aliado Accesso:  Decision Analytics based upon the Value of Additional Information  Opportunity Risk applications  Risk Analysis SaaS delivered by the Aliado Accesso web portal (under development)  Risk Analysis Training via CBT and Instructor-led courses © 2010 Aliado Accesso LLC
  20. 20. Factor Analysis of Information Risk (FAIR) How is FAIR Different  Emphasis on Risk  Logical and Rational Framework  Quantitative  Flexible  Rigorous  Repeatable © 2010 Aliado Accesso LLC
  21. 21. Factor Analysis of Information Risk (FAIR) FAIR is being used to…  Prioritize risk issues for metric development and analysis  Identify and compare risk mitigation cost-benefit propositions  Design sophisticated what-if analyses  Business case development for security and risk management initiatives  Strategic development of a risk and security program while augmenting current risk frameworks  Opportunity Risk analysis  Breaking down communication barriers between business units and IT security enabling well-informed business decisions © 2010 Aliado Accesso LLC
  22. 22. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  23. 23. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  24. 24. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  25. 25. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  26. 26. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  27. 27. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  28. 28. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  29. 29. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  30. 30. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  31. 31. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  32. 32. Factor Analysis of Information Risk (FAIR) The Relationship between Primary and Secondary Loss: Scenario – a laptop is lost or stolen 1) Encryption, no sensitive data – small primary loss, no secondary loss 2) Encryption, sensitive data – small primary loss, no secondary loss 3) No encryption, no sensitive data – small primary loss, no secondary loss 4) No encryption, sensitive data – small primary loss, large secondary loss © 2010 Aliado Accesso LLC
  33. 33. Factor Analysis of Information Risk (FAIR) Aliado Accesso Confidential and Proprietary © 2010 Aliado Accesso LLC Copyright (c) 2010 Aliado Accesso, LLC
  34. 34. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  35. 35. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  36. 36. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  37. 37. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  38. 38. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
  39. 39. Factor Analysis of Information Risk (FAIR) About Aliado  Mission: Develop risk analysis software and methodologies to deliver education, consulting, and certifications to the enterprise for an accurate and defensible risk management program.  Founded by security professionals who have designed and executed enterprise security programs.  Markets: Retail, Financial Services, Aerospace, Manufacturing, Government, and Education.  Strategic Position: To be the partnering source for the ongoing development of your company’s risk management program and the education of the people who execute the plan. © 2010 Aliado Accesso LLC
  40. 40. Factor Analysis of Information Risk (FAIR) What Aliado does … Aliado’s risk management software gives organizations the key to translate risk loss exposure into real dollar values so that decision makers can strategically manage their IT Security budget and resources year after year. Our consultants can either implement a program from scratch or validate your current program. FAIR is a software and methodology for your on-going risk management program. No more: • High/Medium/Low Categories • Checking Boxes for Frameworks • Implementing the Latest Security Software • Selling by FUD © 2010 Aliado Accesso LLC
  41. 41. Factor Analysis of Information Risk (FAIR) FAIR Decision Analysis Packages  Payment Card Industry (PCI)  Privacy  Application Security  Data Loss Prevention (DLP/ILP)  Cloud Computing  Root Cause Analysis  Decision Analysis © 2010 Aliado Accesso LLC
  42. 42. Factor Analysis of Information Risk (FAIR) FAIR Decision Analysis Offering FAIR Decision Analysis Offering - $995 For the month of May, we are offering a special promotion on our FAIRLite risk analysis offering. This assessment includes the following:  Consult with you to perform a FAIRLite quantitative analysis of a single scenario.  Provide a written summary and verbal explanation of the results.  Within 6 months, provide a re-analysis of the same scenario with updated information for $295. For more information or to sign up, please contact sales@aliadocorp.com. © 2010 Aliado Accesso LLC
  43. 43. Factor Analysis of Information Risk (FAIR) Contact Us Jody Keyser jkeyser@aliadocorp.com www.aliadocorp.com 1-888-373-0680 © 2010 Aliado Accesso LLC
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×