Measuring and Communicating Risk the FAIR Way, by Kevin Riggins

Two of the most important elements of a successful risk management practice are measuring and communicating risk. A repeatable, consistent framework for measuring risk is vital. We also need a way to communicate the results of those assessments to business partners in a manner relevant to them.
From the Factor Analysis of Information Risk whitepaper “FAIR provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.”
This presentation will show how FAIR provides a common taxonomy for assessing risk, how it allows us to measure risk in a manner that is repeatable and supportable, and finally how we can communicate that risk effectively.

Published in: Technology, Economy & Finance

  • Transcript

    • 1. Measuring and Communicating Risk the FAIR Way
    • 2. Agenda
      • What’s the problem?
      • How do we solve it?
      • What’s FAIR?
      • How’s it work?
      • What did we talk about?
    • 3.
      • What’s the problem?
    • 4.
      • “There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.”
      • ~ John F. Kennedy
    • 5. How much?
    • 6. Could be a little bit of risk Gerbil (It is NOT a rat!)
    • 7. Or, a whole lot of risk! Elephant (also NOT a rat)
    • 8. Got to measure it!
    • 9. The risk is ….
    • 10.
      • Low
    • 11.
      • Moderate
    • 12.
      • High
    • 13.
      • How do we solve it?
    • 14. Rock, Paper, Scissors, Lizard, Spock
    • 15.
      • Factor Analysis
      • of
      • Information Risk
      • (FAIR)
    • 16.
      • What’s FAIR?
    • 17. Components
    • 18. Risk Landscape: Assets, Threats, Organization, External Environment
    • 19. Assets
    • 20. Threats
    • 21. The Organization
    • 22. External Environment
    • 23. Defining Risk
      • Risk = the probable frequency and probable magnitude of future loss
    • 24.
      • Probability
    • 25. Possible, but not probable!!
    • 26. Taxonomy: Risk → Loss Frequency, Loss Magnitude
    • 27. Loss Frequency branch: Threat Event Frequency → Contact, Action
    • 28. Adds Vulnerability → Threat Capability, Resistance Strength
    • 29. Loss Frequency is labelled Probable Loss Event Frequency
    • 30.
      • Loss
    • 31.
      • Forms of Loss
      • Productivity
      • Response
      • Replacement
      • Fines and Judgments
      • Competitive Edge
      • Reputation
    • 32. Loss Magnitude branch: Primary Loss → Effect, Duration
    • 33. Adds Secondary Loss → Loss Frequency, Loss magnitude
    • 34. Loss Magnitude is labelled Probable Loss Magnitude
    • 35. Taxonomy (the complete tree)
      • Risk
        • Loss Frequency (Probable Loss Event Frequency)
          • Threat Event Frequency: Contact, Action
          • Vulnerability: Threat Capability, Resistance Strength
        • Loss Magnitude (Probable Loss Magnitude)
          • Primary Loss: Effect, Duration
          • Secondary Loss: Loss Frequency, Loss magnitude
    • 36.
      • How’s it work?
    • 37. Four Stages
      • Identify Scenario Components
      • Evaluate Loss Event Frequency
      • Evaluate Probable Loss Magnitude (PLM)
      • Derive and Articulate Risk
    • 38. Stage 1: Identify Scenario Components
      • Assets
      • Threats
    • 39. Assets are inside My House (not really)
    • 40. Threat == Burglar (Yeah, it’s a pirate, work with me!)
    • 41. Stage 2: Evaluating Loss Event Frequency
      • Estimate the probable Threat Event Frequency (TEF)
      • Estimate the Threat Capability (TCap)
      • Estimate Control Strength (CS)
      • Derive Vulnerability (Vuln)
      • Derive Loss Event Frequency (LEF)
    • 42. Estimate Threat Event Frequency
      • Very Low (VL): fewer than 0.1 times per year
      • Low (L): between 0.1 and 1 times per year
      • Medium (M): between 1 and 10 times per year
      • High (H): between 10 and 100 times per year
      • Very High (VH): more than 100 times per year
    • 43. Worksheet: TEF = VL; Threat Capability (TCap), Control Strength (CS), Vulnerability (Vuln) and Loss Event Frequency (LEF) still to be estimated
    • 44. Estimate Threat Capability (TCap)
      • Very Low (VL): bottom 2% when compared against the overall threat population
      • Low (L): bottom 16% when compared against the overall threat population
      • Medium (M): average skill and resources (between bottom 16% and top 16%)
      • High (H): top 16% when compared against the overall threat population
      • Very High (VH): top 2% when compared against the overall threat population
    • 45. Worksheet: TEF = VL, TCap = H; Resistance Strength (RS), Vulnerability (Vuln) and Loss Event Frequency (LEF) still to be derived
    • 46. "I am Locutus of Borg. Resistance is futile." ~ Locutus, Star Trek: First Contact
    • 47. Estimate Resistance Strength (RS)
      • Very Low (VL): only protects against the bottom 2% of an avg. threat population
      • Low (L): only protects against the bottom 16% of an avg. threat population
      • Moderate (M): protects against the average threat agent
      • High (H): protects against all but the top 16% of an avg. threat population
      • Very High (VH): protects against all but the top 2% of an avg. threat population
    • 48. Bruno the Attack Chihuahua
    • 49. Estimate Resistance Strength (RS): the same scale as slide 47, repeated
    • 50. Worksheet: TEF = VL, TCap = H, RS = VL; Vulnerability (Vuln) and Loss Event Frequency (LEF) still to be derived
    • 51. Deriving Vulnerability (V): rows are TCap, columns are Resistance Strength in the order VH, H, M, L, VL
      • TCap VL: VL, VL, VL, L, M
      • TCap L: VL, VL, L, M, H
      • TCap M: VL, L, M, H, VH
      • TCap H: L, M, H, VH, VH
      • TCap VH: M, H, VH, VH, VH
    • 52. Worksheet: TEF = VL, TCap = H, RS = VL, Vuln = VH; Loss Event Frequency (LEF) still to be derived
    • 53. Deriving Loss Event Frequency (LEF): rows are TEF, columns are Vulnerability (V) in the order VH, H, M, L, VL
      • TEF VL: VL, VL, VL, VL, VL
      • TEF L: L, L, L, VL, VL
      • TEF M: M, M, M, L, VL
      • TEF H: H, H, H, M, L
      • TEF VH: VH, VH, VH, H, M
    • 54. Worksheet complete for Stage 2: TEF = VL, TCap = H, RS = VL, Vuln = VH, LEF = VL
    • 55. Stage 3: Evaluate Probable Loss Magnitude (PLM)
      • Estimate worst-case loss
      • Estimate probable loss
    • 56. Probable Loss Magnitude
      • Don’t forget! We have two components to PLM, Primary and Secondary
    • 57. Estimating Probable Loss Magnitude (PLM)
      • 1) Identify the most likely threat community action(s)
      • 2) Evaluate the probable loss magnitude for each loss form
      • 3) Sum the magnitudes
    • 58. Evaluating Loss Magnitude: a grid of Threat Actions (Access, Misuse, Disclosure, Modification, Deny Access) against Loss Forms (Productivity, Response, Replacement, Fines/Judgment, Comp. Adv., Reputation)
    • 59. Probable Loss Magnitude Scale (range low end to range high end)
      • Very Low (VL): $0 to $999
      • Low (L): $1,000 to $9,999
      • Moderate (M): $10,000 to $99,999
      • Significant (Sg): $100,000 to $999,999
      • High (H): $1,000,000 to $9,999,999
      • Severe (SV): $10,000,000 and up (∞)
    • 60. Evaluate Worst Case Loss Magnitude (filled into the slide 58 grid): Productivity L, Response M, Replacement H; Fines/Judgment, Comp. Adv. and Reputation not applicable (--)
    • 61. Evaluate Probable Loss Magnitude (filled into the slide 58 grid): Productivity VL, Response L, Replacement Sg; Fines/Judgment, Comp. Adv. and Reputation not applicable (--)
    • 62.
      • Loss Event Frequency VL
      • Probable Loss Magnitude Sg
      • Worst-case Loss Magnitude H
    • 63. Stage 4: Derive and Articulate Risk
    • 64. Derive Risk: rows are PLM, columns are LEF in the order Very High, High, Moderate, Low, Very Low
      • PLM Very Low: M, M, M, L, L
      • PLM Low: M, M, M, L, L
      • PLM Moderate: H, H, M, M, L
      • PLM Sig.: C, H, H, M, M
      • PLM High: C, C, H, H, M
      • PLM Severe: C, C, C, H, H
    • 65. Articulate Risk: Threat Event Frequency (TEF) VL, Threat Capability (TCap) H, Resistance Strength (RS) VL, Vulnerability (Vuln) VH, Loss Event Frequency (LEF) VL, Probable Loss Magnitude Sg, Worst-case Loss Magnitude H, Risk M
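The qualitative lookups of slides 42 through 65 as a worked example in Python; this is added here and is not code from the deck or from the FAIR project. The rating scales and matrices are transcribed from the slides; the function names, treating each scale band's upper bound as inclusive, and reading the slide's "C" cell simply as a rating label are this example's assumptions. The main block runs the deck's burglar scenario through the chain.

```python
COLS = ["VH", "H", "M", "L", "VL"]  # column order used by every matrix on the slides
# Rows: Threat Capability rating; columns: Resistance Strength (slide 51).
VULN = {"VL": ["VL", "VL", "VL", "L", "M"],
        "L":  ["VL", "VL", "L", "M", "H"],
        "M":  ["VL", "L", "M", "H", "VH"],
        "H":  ["L", "M", "H", "VH", "VH"],
        "VH": ["M", "H", "VH", "VH", "VH"]}
# Rows: Threat Event Frequency rating; columns: Vulnerability (slide 53).
LEF = {"VL": ["VL", "VL", "VL", "VL", "VL"],
       "L":  ["L", "L", "L", "VL", "VL"],
       "M":  ["M", "M", "M", "L", "VL"],
       "H":  ["H", "H", "H", "M", "L"],
       "VH": ["VH", "VH", "VH", "H", "M"]}
# Rows: Probable Loss Magnitude rating; columns: LEF (slide 64); "C" is the top cell value on the slide.
RISK = {"VL": ["M", "M", "M", "L", "L"],
        "L":  ["M", "M", "M", "L", "L"],
        "M":  ["H", "H", "M", "M", "L"],
        "Sg": ["C", "H", "H", "M", "M"],
        "H":  ["C", "C", "H", "H", "M"],
        "SV": ["C", "C", "C", "H", "H"]}


def tef_rating(events_per_year):
    """Slide 42 scale; treating each band's upper bound as inclusive is an assumption."""
    if events_per_year < 0.1:
        return "VL"
    for limit, rating in ((1, "L"), (10, "M"), (100, "H")):
        if events_per_year <= limit:
            return rating
    return "VH"


def plm_rating(dollars):
    """Slide 59 scale: $0-$999 is VL, rising to SV at $10,000,000 and above."""
    for limit, rating in ((999, "VL"), (9_999, "L"), (99_999, "M"),
                          (999_999, "Sg"), (9_999_999, "H")):
        if dollars <= limit:
            return rating
    return "SV"


def assess(tef, tcap, rs, plm, worst_case):
    """Stages 2 and 4: TEF, TCap and RS give Vuln, then LEF, then Risk."""
    vuln = VULN[tcap][COLS.index(rs)]
    lef = LEF[tef][COLS.index(vuln)]
    return {"TEF": tef, "TCap": tcap, "RS": rs, "Vuln": vuln, "LEF": lef,
            "PLM": plm, "Worst-case": worst_case, "Risk": RISK[plm][COLS.index(lef)]}


if __name__ == "__main__":  # the deck's burglar scenario, slides 43 to 65
    print(assess("VL", "H", "VL", "Sg", "H"))  # Vuln VH, LEF VL, Risk M
```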
    • 66. Resources
      • FAIR Wiki: http://fairwiki.riskmanagementinsight.com
      • FAIR Blog: http://riskanalys.is
      • Open Group: http://www.opengroup.org/projects/security/fair/
    • 67. What did we talk about?
      • We talked about the problem.
      • We identified a solution – FAIR.
      • We talked about the risk landscape.
      • We talked about the taxonomy.
      • We talked about measuring risk.
      • We talked about how to communicate risk.
    • 68. Questions?
      • Kevin Riggins, CISSP, CCNA
      • Senior Information Security Analyst, Security Review and Consulting Team Lead, Principal Financial Group
      • [email_address]
      • InfoSec Ramblings: http://www.infosecramblings.com
      • [email_address]
      • Twitter: @kriggins