Defining Risk: the probable frequency and probable magnitude of future loss
Probability
Possible, but not probable!!
Taxonomy (loss frequency side, built up over four slides)
Risk
  Probable Loss Event Frequency
    Threat Event Frequency
      Contact
      Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
Loss
Forms of Loss
Productivity
Response
Replacement
Fines and Judgments
Competitive Edge
Reputation
Taxonomy (complete)
Risk
  Probable Loss Event Frequency
    Threat Event Frequency
      Contact
      Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Probable Loss Magnitude
    Primary Loss
      Effect
      Duration
    Secondary Loss
      Loss Frequency
      Loss Magnitude
How’s it work? Four Stages
1. Identify Scenario Components
2. Evaluate Loss Event Frequency
3. Evaluate Probable Loss Magnitude (PLM)
4. Derive and Articulate Risk
Stage 1: Identify Scenario Components (Assets, Threats)
Assets are inside My House (not really)
Threat == Burglar (Yeah, it’s a pirate, work with me!)
Stage 2: Evaluating Loss Event Frequency
Estimate the probable Threat Event Frequency (TEF)
Estimate the Threat Capability (TCap)
Estimate Control Strength (CS), which the later slides call Resistance Strength (RS)
Derive Vulnerability (Vuln)
Derive Loss Event Frequency (LEF)
Estimate Threat Event Frequency
Rating: Description
Very Low (VL): < .1 times per year
Low (L): Between .1 and 1 times per year
Medium (M): Between 1 and 10 times per year
High (H): Between 10 and 100 times per year
Very High (VH): > 100 times per year
Worksheet so far: TEF = VL; TCap, CS, Vuln and LEF not yet estimated
Estimate Threat Capability (TCap)
Rating: Description
Very Low (VL): Bottom 2% when compared against the overall threat population
Low (L): Bottom 16% when compared against the overall threat population
Medium (M): Average skill and resources (between bottom 16% and top 16%)
High (H): Top 16% when compared against the overall threat population
Very High (VH): Top 2% when compared against the overall threat population
Worksheet so far: TEF = VL; TCap = H; RS, Vuln and LEF not yet estimated
"I am Locutus of Borg. Resistance is futile." ~ Locutus, Star Trek: First Contact
Estimate Resistance Strength (RS)
Rating: Description
Very Low (VL): Only protects against bottom 2% of an avg. threat population
Low (L): Only protects against bottom 16% of an avg. threat population
Moderate (M): Protects against the average threat agent
High (H): Protects against all but the top 16% of an avg. threat population
Very High (VH): Protects against all but the top 2% of an avg. threat population
Bruno the Attack Chihuahua
Worksheet so far: TEF = VL; TCap = H; RS = VL; Vuln and LEF not yet derived
Deriving Vulnerability (Vuln)
Rows: Threat Capability (TCap); columns: Resistance Strength (RS)
TCap    RS=VH   H     M     L     VL
VH      M       H     VH    VH    VH
H       L       M     H     VH    VH
M       VL      L     M     H     VH
L       VL      VL    L     M     H
VL      VL      VL    VL    L     M
Worksheet so far: TEF = VL; TCap = H; RS = VL; Vuln = VH (row H, column VL); LEF not yet derived
Deriving Loss Event Frequency (LEF)
Rows: Threat Event Frequency (TEF); columns: Vulnerability (Vuln)
TEF     Vuln=VH   H     M     L     VL
VH      VH        VH    VH    H     M
H       H         H     H     M     L
M       M         M     M     L     VL
L       L         L     L     VL    VL
VL      VL        VL    VL    VL    VL
Worksheet so far: TEF = VL; TCap = H; RS = VL; Vuln = VH; LEF = VL (row VL, column VH)
Stage 3: Evaluate Probable Loss Magnitude (PLM)
Estimate worst-case loss
Estimate probable loss
Probable Loss Magnitude
Don’t forget! We have two components to PLM, Primary and Secondary
Estimating Probable Loss Magnitude (PLM)
1) Identify the most likely threat community action(s)
2) Evaluate the probable loss magnitude for each loss form
3) Sum the magnitudes
Evaluating Loss Magnitude: a worksheet of Threat Actions (Access, Misuse, Disclosure, Modification, Deny Access) against Loss Forms (Productivity, Response, Replacement, Fines/Judgment, Comp. Adv., Reputation)
Probable Loss Magnitude Scale
Magnitude: Range Low End to Range High End
Very Low (VL): $0 to $999
Low (L): $1,000 to $9,999
Moderate (M): $10,000 to $99,999
Significant (Sg): $100,000 to $999,999
High (H): $1,000,000 to $9,999,999
Severe (SV): $10,000,000 to ∞
Evaluate Worst Case Loss Magnitude (per loss form, for the threat action chosen in the burglar scenario)
Productivity: L; Response: M; Replacement: H; Fines/Judgment: --; Comp. Adv.: --; Reputation: --
Evaluate Probable Loss Magnitude (per loss form, same threat action)
Productivity: VL; Response: L; Replacement: Sg; Fines/Judgment: --; Comp. Adv.: --; Reputation: --
Loss Event Frequency: VL
Probable Loss Magnitude: Sg
Worst-case Loss Magnitude: H
4. Derive and Articulate Risk
Derive Risk
Rows: Probable Loss Magnitude (PLM); columns: Loss Event Frequency (LEF); C = Critical
PLM        LEF=Very High   High   Moderate   Low   Very Low
Severe     C               C      C          H     H
High       C               C      H          H     M
Sig.       C               H      H          M     M
Moderate   H               H      M          M     L
Low        M               M      M          L     L
Very Low   M               M      M          L     L
Articulate Risk
Completed worksheet: TEF = VL; TCap = H; RS = VL; Vuln = VH; LEF = VL; Probable Loss Magnitude = Sg; Worst-case Loss Magnitude = H; Risk = M (row Sig., column Very Low)
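The three lookup tables and the two scales from the slides, encoded as data so the burglar scenario can be re-derived end to end. This is an added example, not code from the deck or from the FAIR project; the "sum the magnitudes" step is implemented with an assumption the slides do not state (each loss-form rating contributes the low end of its dollar range, and the total is re-bucketed on the same scale).

```python
# Added example, not from the original deck: the FAIR lookup tables on the
# slides encoded as data so the burglar scenario can be re-derived and checked.
COLS = ["VH", "H", "M", "L", "VL"]          # column order used by every table

# Vulnerability: row = Threat Capability, column = Resistance Strength
VULN = {"VH": "M H VH VH VH", "H": "L M H VH VH", "M": "VL L M H VH",
        "L": "VL VL L M H", "VL": "VL VL VL L M"}
# Loss Event Frequency: row = Threat Event Frequency, column = Vulnerability
LEF = {"VH": "VH VH VH H M", "H": "H H H M L", "M": "M M M L VL",
       "L": "L L L VL VL", "VL": "VL VL VL VL VL"}
# Risk: row = Probable Loss Magnitude, column = LEF; C = Critical
RISK = {"SV": "C C C H H", "H": "C C H H M", "Sg": "C H H M M",
        "M": "H H M M L", "L": "M M M L L", "VL": "M M M L L"}

# Scales from the slides as (rating, low end of range), ascending
TEF_SCALE = [("VL", 0), ("L", 0.1), ("M", 1), ("H", 10), ("VH", 100)]
PLM_SCALE = [("VL", 0), ("L", 1_000), ("M", 10_000), ("Sg", 100_000),
             ("H", 1_000_000), ("SV", 10_000_000)]

def lookup(table, row, col):
    return table[row].split()[COLS.index(col)]

def bucket(scale, value):
    """Map a numeric estimate to the highest rating whose low end it reaches."""
    rating = scale[0][0]
    for name, low in scale:
        if value >= low:
            rating = name
    return rating

def sum_loss_forms(scale, ratings):
    """'Sum the magnitudes' across loss forms. Assumption (not on the slides):
    each rating contributes the low end of its range as a point estimate and
    the total is re-bucketed on the same scale."""
    lows = dict(scale)
    return bucket(scale, sum(lows[r] for r in ratings))

def derive_risk(tef, tcap, rs, plm):
    """Stage 2 and stage 4 of the deck: TCap x RS -> Vuln, TEF x Vuln -> LEF,
    PLM x LEF -> Risk."""
    vuln = lookup(VULN, tcap, rs)
    lef = lookup(LEF, tef, vuln)
    return {"Vuln": vuln, "LEF": lef, "Risk": lookup(RISK, plm, lef)}

if __name__ == "__main__":
    # The deck's burglar scenario: TEF VL, TCap H, RS VL; probable loss forms
    # Sg/L/VL and worst-case loss forms H/M/L (the "--" forms contribute nothing)
    plm = sum_loss_forms(PLM_SCALE, ["Sg", "L", "VL"])        # -> Sg
    worst = sum_loss_forms(PLM_SCALE, ["H", "M", "L"])        # -> H
    print(derive_risk("VL", "H", "VL", plm), "worst case:", worst)
```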
Resources
Open Group: http://www.opengroup.org/projects/security/fair/
What did we talk about?
We talked about the problem.
We identified a solution – FAIR.
We talked about the risk landscape.
We talked about the taxonomy.
We talked about measuring risk.
We talked about how to communicate risk.
Questions?
Kevin Riggins, CISSP, CCNA, Senior Information Security Analyst, Security Review and Consulting Team Lead, Principal Financial Group, [email_address]
InfoSec Ramblings: http://www.infosecramblings.com, Twitter: @kriggins
Two of the most important elements of a successful risk management practice are measuring and communicating risk. A repeatable, consistent framework for measuring risk is vital. We also need a way to communicate the results of those assessments to business partners in a manner relevant to them. From the Factor Analysis of Information Risk whitepaper: “FAIR provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.” This presentation will show how FAIR provides a common taxonomy for assessing risk, how it allows us to measure risk in a manner that is repeatable and supportable, and finally how we can communicate that risk effectively.