Two of the most important elements of a successful risk management practice are measuring and communicating risk. A repeatable, consistent framework for measuring risk is vital. We also need a way to communicate the results of those assessments to business partners in a manner relevant to them. From the Factor Analysis of Information Risk whitepaper “FAIR provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.” This presentation will show how FAIR provides a common taxonomy for assessing risk, how it allows us to measure risk in a manner that is repeatable and supportable and finally how we can communicate that risk effectively.

1. Measuring and Communicating Risk the FAIR Way

5. How much?

6. Could be a little bit of risk Gerbil (It is NOT a rat!)

7. Or, a whole lot of risk! Elephant (also NOT a rat)

8. Got to measure it!

9. The risk is ….

14. Rock, Paper, Scissors, Lizard, Spock

17. Components

18. Risk Landscape Assets Threats Organization External Environment

19. Assets

20. Threats

21. The Organization

22. External Environment

25. Possible, but not probable!!

26. Risk Loss Frequency Loss Magnitude Taxonomy

27. Risk Action Threat Event Frequency Contact Loss Frequency

28. Risk Action Threat Event Frequency Resistance Strength Contact Vulnerability Threat Capability Loss Frequency

29. Risk Action Threat Event Frequency Resistance Strength Contact Vulnerability Threat Capability Loss Frequency Probable Loss Event Frequency

32. Risk Primary Loss Effect Duration Loss Magnitude Action Threat Event Frequency Resistance Strength Contact Vulnerability Threat Capability Loss Frequency Probable Loss Event Frequency

33. Risk Primary Loss Secondary Loss Loss magnitude Effect Duration Loss Magnitude Loss Frequency Action Threat Event Frequency Resistance Strength Contact Vulnerability Threat Capability Loss Frequency Probable Loss Event Frequency

34. Risk Primary Loss Secondary Loss Loss magnitude Effect Duration Loss Magnitude Loss Frequency Probable Loss Magnitude Action Threat Event Frequency Resistance Strength Contact Vulnerability Threat Capability Loss Frequency Probable Loss Event Frequency

35. Risk Action Threat Event Frequency Resistance Strength Contact Vulnerability Threat Capability Primary Loss Secondary Loss Loss magnitude Effect Duration Loss Frequency Loss Magnitude Loss Frequency Probable Loss Event Frequency Probable Loss Magnitude Taxonomy

39. Assets are inside My House (not really)

40. Threat == Burglar (Yeah, it’s a pirate, work with me!)

43. VL Threat Event Frequency (TEF) Threat Capability (TCap) Control strength (CS) Vulnerability (Vuln) Loss Event Frequency (LEF)

45. Threat Event Frequency (TEF) Threat Capability (TCap) Resistance Strength (RS) Vulnerability (Vuln) Loss Event Frequency (LEF) VL H

46. "I am Locutus of Borg. Resistance is futile." ~ Locutus, Star Trek: First Contact

48. Bruno the Attack Chihuahua

50. Threat Event Frequency (TEF) Threat Capability (TCap) Resistance Strength (RS) Vulnerability (Vuln) Loss Event Frequency (LEF) VL H VL

52. Threat Event Frequency (TEF) Threat Capability (TCap) Resistance Strength (RS) Vulnerability (Vuln) Loss Event Frequency (LEF) VL H VL VH

54. Threat Event Frequency (TEF) Threat Capability (TCap) Resistance Strength (RS) Vulnerability (Vuln) Loss Event Frequency (LEF) VL H VL VH VL

57. 1) Identify the most likely threat community action(s) 2) Evaluate the probable loss magnitude for each loss form 3) Sum the magnitudes Estimating Probable Loss Magnitude (PLM)

58. Evaluating Loss Magnitude Deny Access Modification Disclosure Misuse Access Reputation Comp. Adv. Fines/ Judgment Replacement Response Productivity Threat Actions Loss Forms

60. Evaluate Worst Case Loss Magnitude -- -- -- H M L Deny Access Modification Disclosure Misuse Access Reputation Comp. Adv. Fines/ Judgment Replacement Response Productivity Threat Actions Loss Forms

61. Evaluate Probable Loss Magnitude -- -- -- Sg L VL Deny Access Modification Disclosure Misuse Access Reputation Comp. Adv. Fines/ Judgment Replacement Response Productivity Threat Actions Loss Forms

64. PLM LEF Derive Risk Very High High Moderate Low Very Low M M M L L Very Low M M M L L Low H H M M L Moderate C H H M M Sig. C C H H M High C C C H H Severe Risk

65. Threat Event Frequency (TEF) Threat Capability (TCap) Resistance Strength (RS) Vulnerability (Vuln) Loss Event Frequency (LEF) Probable Loss Magnitude Worst-case Loss Magnitude Risk VL H VL VH VL Sg H M Articulate Risk

68. Kevin Riggins, CISSP, CCNA Senior Information Security Analyst Security Review and Consulting Team Lead Principal Financial Group [email_address] InfoSec Ramblings http://www.infosecramblings.com [email_address] Twitter: @kriggins Questions?