Two of the most important elements of a successful risk management practice are measuring and communicating risk. A repeatable, consistent framework for measuring risk is vital. We also need a way to communicate the results of those assessments to business partners in a manner relevant to them.
From the Factor Analysis of Information Risk whitepaper: "FAIR provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management."
This presentation will show how FAIR provides a common taxonomy for assessing risk, how it allows us to measure risk in a manner that is repeatable and supportable, and finally how we can communicate that risk effectively.
28-35. Taxonomy (the diagram is built up one branch per slide; shown here in full):

    Risk
      Loss Event Frequency (-> Probable Loss Event Frequency)
        Threat Event Frequency
          Contact
          Action
        Vulnerability
          Threat Capability
          Resistance Strength
      Loss Magnitude (-> Probable Loss Magnitude)
        Primary Loss
          Effect
          Duration
        Secondary Loss
          Loss Frequency
          Loss Magnitude
50-56. The following values are filled in one per slide:

    Threat Event Frequency (TEF)    VL
    Threat Capability (TCap)        H
    Resistance Strength (RS)        VL
    Vulnerability (Vuln)            VH
    Loss Event Frequency (LEF)      VL
57. Estimating Probable Loss Magnitude (PLM)
    1) Identify the most likely threat community action(s)
    2) Evaluate the probable loss magnitude for each loss form
    3) Sum the magnitudes
58. Evaluating Loss Magnitude: a matrix of Threat Actions (Access, Misuse, Disclosure, Modification, Deny Access) against Loss Forms (Productivity, Response, Replacement, Fines/Judgment, Comp. Adv., Reputation).
60. Evaluate Worst Case Loss Magnitude: the same matrix, with the values -- -- -- H M L entered.
61. Evaluate Probable Loss Magnitude: the same matrix, with the values -- -- -- Sg L VL entered.
64. Derive Risk (rows: Probable Loss Magnitude; columns: Loss Event Frequency)

    PLM \ LEF    Very High  High  Moderate  Low  Very Low
    Very Low     M          M     M         L    L
    Low          M          M     M         L    L
    Moderate     H          H     M         M    L
    Sig.         C          H     H         M    M
    High         C          C     H         H    M
    Severe       C          C     C         H    H
65. Articulate Risk

    Threat Event Frequency (TEF)    VL
    Threat Capability (TCap)        H
    Resistance Strength (RS)        VL
    Vulnerability (Vuln)            VH
    Loss Event Frequency (LEF)      VL
    Probable Loss Magnitude         Sg
    Worst-case Loss Magnitude       H
    Risk                            M
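The qualitative derivation on slides 57 to 65, written out as an added Python example (not code from the presentation or from the FAIR whitepaper). The Derive Risk matrix is the one on slide 64; LEF is supplied as an input because the TEF/Vulnerability lookup tables are not on these slides, and taking the largest rated loss form as the combined magnitude, plus the assignment of the slide 60/61 values to particular loss forms, are assumptions.

```python
# Added example, not the presentation's own code. Scale abbreviations follow
# the slides; the Risk letters (L, M, H, C) are exactly those on slide 64.
LEF_SCALE = ["Very Low", "Low", "Moderate", "High", "Very High"]
PLM_SCALE = ["Very Low", "Low", "Moderate", "Significant", "High", "Severe"]
ABBREV = {"VL": "Very Low", "L": "Low", "M": "Moderate", "Sg": "Significant",
          "Sig.": "Significant", "H": "High", "VH": "Very High"}

# Slide 64, one row per PLM level; columns run from LEF Very Low to Very High.
RISK_MATRIX = {
    "Very Low":    ["L", "L", "M", "M", "M"],
    "Low":         ["L", "L", "M", "M", "M"],
    "Moderate":    ["L", "M", "M", "H", "H"],
    "Significant": ["M", "M", "H", "H", "C"],
    "High":        ["M", "H", "H", "C", "C"],
    "Severe":      ["H", "H", "C", "C", "C"],
}

def normalize(label, scale):
    """Accept a slide abbreviation or a full label; reject anything else."""
    full = ABBREV.get(label, label)
    if full not in scale:
        raise ValueError(f"{label!r} is not on the scale {scale}")
    return full

def estimate_plm(loss_forms):
    """Slide 57, steps 2 and 3: combine per-loss-form magnitudes into one PLM.
    Assumption: on an ordinal scale the combined magnitude is the largest
    single loss form; forms marked '--' are skipped."""
    rated = [normalize(v, PLM_SCALE) for v in loss_forms.values() if v != "--"]
    if not rated:
        raise ValueError("no loss form carries a magnitude")
    return max(rated, key=PLM_SCALE.index)

def derive_risk(lef, plm):
    """Slide 64: look up Risk from LEF and PLM."""
    lef, plm = normalize(lef, LEF_SCALE), normalize(plm, PLM_SCALE)
    return RISK_MATRIX[plm][LEF_SCALE.index(lef)]

def articulate(lef, probable, worst_case):
    """Slide 65: the summary row that is communicated to the business."""
    plm = estimate_plm(probable)
    return {"LEF": normalize(lef, LEF_SCALE), "PLM": plm,
            "Worst-case LM": estimate_plm(worst_case), "Risk": derive_risk(lef, plm)}

# Constructed input: the six values shown on slides 60/61, assigned to the
# loss forms in slide order (which form holds which value is an assumption).
LOSS_FORMS = ["Productivity", "Response", "Replacement",
              "Fines/Judgment", "Comp. Adv.", "Reputation"]
PROBABLE = dict(zip(LOSS_FORMS, ["--", "--", "--", "Sg", "L", "VL"]))
WORST_CASE = dict(zip(LOSS_FORMS, ["--", "--", "--", "H", "M", "L"]))
```

Calling `articulate("VL", PROBABLE, WORST_CASE)` reproduces the slide 65 row: PLM Significant, worst-case High, Risk M.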
68. Kevin Riggins, CISSP, CCNA Senior Information Security Analyst Security Review and Consulting Team Lead Principal Financial Group [email_address] InfoSec Ramblings http://www.infosecramblings.com [email_address] Twitter: @kriggins Questions?