Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

Successfully reported this slideshow.

Like this presentation? Why not share!

1,499 views

Published on

Factor Analysis of Information Risk

by

Patrick Florer, Principal Consultant

April 28,

No Downloads

Total views

1,499

On SlideShare

0

From Embeds

0

Number of Embeds

92

Shares

0

Downloads

60

Comments

0

Likes

2

No embeds

No notes for slide

- 1. Introduction to FAIR Factor Analysis of Information Risk by Patrick Florer, Principal Consultant April 28, 2010 © 2010 Aliado Accesso LLC
- 2. Let’s talk about risk © 2010 Aliado Accesso LLC
- 3. Factor Analysis of Information Risk (FAIR) Definition of Risk risk (rĭsk) [French risque, from Italian risco, rischio.] 1. The possibility of suffering harm or loss; danger. 2. A factor, thing, element, or course involving uncertain danger; a hazard. 3. The danger or probability of loss to an insurer. 4. The amount that an insurance company stands to lose. 5. The variability of returns from an investment. 6. The chance of nonpayment of a debt. 7. One considered with respect to the possibility of loss: a poor risk. from The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2006, 2000 by Houghton Mifflin Company © 2010 Aliado Accesso LLC
- 4. Factor Analysis of Information Risk (FAIR) Definition of Risk risk: Risk is the possibility of suffering harm or loss. It is the potential for realizing unwanted negative consequences of an event. It refers to a situation where a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence. from An Introduction to the OCTAVESM Method by Christopher Alberts and Audrey Dorofee, Software Engineering Institute, Carnegie Mellon University; last updated January 30, 2001 © 2010 Aliado Accesso LLC
- 5. Factor Analysis of Information Risk (FAIR) Definition of Risk risk: The probable frequency and probable magnitude of future loss. from the Factor Analysis of Information Risk (FAIR), ©2008 Risk Management Insight, LLC © 2010 Aliado Accesso LLC
- 6. Factor Analysis of Information Risk (FAIR) IT – Related Risk The net mission impact considering: 1. The probability that a particular threat-source will exercise accidentally trigger or intentionally exploit) a particular information system vulnerability 2. The resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to: 1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information 2. Unintentional errors and omissions 3. IT disruptions due to natural or man-made disasters 4. Failure to exercise due care and diligence in the implementation and operation of the IT system. from NIST Special Publication 800-30 © 2010 Aliado Accesso LLC
- 7. And now, let’s talk briefly about a few other concepts that will be important in helping you to understand FAIR © 2010 Aliado Accesso LLC
- 8. Factor Analysis of Information Risk (FAIR) Possibility vs. Probability What’s the difference? Possibility – “capable of happening, existing, or being true without contradicting proven facts, laws, or circumstances known to be true” Probability – “The likelihood that a given event will occur” And, in statistics - “A number expressing the likelihood that a specific event will occur, expressed as the ratio of the number of actual occurrences to the number of possible occurrences” (All quotes from the American Heritage Dictionary of the English Language, Fourth Edition) © 2010 Aliado Accesso LLC
- 9. Factor Analysis of Information Risk (FAIR) Possibility vs. Probability Possibility – a set of outcomes, sometimes binary – yes or no – something that could happen. Understanding the possibilities does not necessarily require data, just a knowledge of possible outcomes Probability – a mathematical calculation with a result where 0 <= P(x) <= 1 Probability is sometimes expressed as a percentage (0 – 100%) , or as an odds ratio (3 out of 4) Probability calculations require data – either actual/historical or estimates © 2010 Aliado Accesso LLC
- 10. Factor Analysis of Information Risk (FAIR) Possibility vs. Probability Using a coin as an example … The possibilities are … The probabilities are … Knowing the possibilities does not, in any way, allow you to predict whether the coin will come up heads on the next toss, or on any toss. Knowing the probabilities does not allow you to do this, either, but it does allow you to predict the number of heads that will come up if you toss the coins a large number of times. © 2010 Aliado Accesso LLC
- 11. Factor Analysis of Information Risk (FAIR) Precision vs. Accuracy What’s the difference? Precision – “the ability of a measurement to be consistently reproduced” Accuracy – “the ability of a measurement to match the actual value of the quantity being measured” (All quotes from the American Heritage Dictionary of the English Language, Fourth Edition) © 2010 Aliado Accesso LLC
- 12. Factor Analysis of Information Risk (FAIR) Precision vs. Accuracy Why does this matter? Precise Accuracy – This would be great, but it is often not achievable. Precision – For example, my watch may run 10 minutes slow with great precision. If you ask me the time, I may tell you the wrong time. Accuracy – My watch runs slow at times and fast at times. If you ask me the time, I will likely say – it’s about 10:00 o’clock – imprecise, perhaps, but good enough for the circumstances. © 2010 Aliado Accesso LLC
- 13. Factor Analysis of Information Risk (FAIR) Qualitative vs. Quantitative Methods What’s the difference? Qualitative – low, medium, high, or red, yellow, green, or 1 – 5, etc. Good for some types of quick assessments and quick prioritizations. But - Variability in assessment is a problem, both between different assessors and with the same assessor over time. Qualitative assessments cannot be manipulated arithmetically. Qualitative scales are problematic near the boundaries. Most of the time, when making a qualitative assessment, the assessor has a number in mind anyway – why not just use the number? © 2010 Aliado Accesso LLC
- 14. Factor Analysis of Information Risk (FAIR) Qualitative vs. Quantitative Methods What’s the difference? Quantitative – Uses cardinal numbers – everyone understands numbers 3 means 3 and $100k means $100k. You can add, subtract, or do whatever you wish with numbers – you don’t have to guess! But – Quantitative approaches require data, either actual/historical, or estimated. This may or may not be as big a problem as you might think! © 2010 Aliado Accesso LLC
- 15. Factor Analysis of Information Risk (FAIR) Measurement What’s the purpose of taking a measurement? To reduce uncertainty . Sometimes the “perfect” answer is unattainable. But, in many cases, it doesn’t matter. A reduction in uncertainty is what is required. How much do we need to reduce uncertainty? Only as much as required by the decision at hand. And if we cannot reduce uncertainty to that level, then what? We can either collect more measurements, or work with what we have. © 2010 Aliado Accesso LLC
- 16. Factor Analysis of Information Risk (FAIR) Variability and Uncertainty What’s the difference? “Variability is the effect of chance and is a function of the system. It is not reproducible through either study or further measurement, but may be reduced by changing the physical system” 1 “Uncertainty is the assessor’s lack of knowledge (level of ignorance) about the parameters that characterize the physical system being modeled. It is sometimes reducible through further measurement or study, or by consulting more experts” 1 1 David Vose, Risk Analysis, A Quantitative Guide, 3rd edition, 2008, pp. 47-48 © 2010 Aliado Accesso LLC
- 17. So, now that we have addressed all of that – What is FAIR? © 2010 Aliado Accesso LLC
- 18. Factor Analysis of Information Risk (FAIR) Defensible Risk Analysis Framework of interconnected models that describe how key elements of the information risk landscape work. Models that analyze the underlying dynamics of the information risk landscape. Developed in 2001 and under continual evolution, FAIR was created by a CISO who was trying to find answers to : • How much risk do we have? • How much less/more risk will we have if ...? • What are our most significant issues? © 2010 Aliado Accesso LLC
- 19. Factor Analysis of Information Risk (FAIR) Defensible Risk Analysis Future development underway in 2009-2011 by Aliado Accesso: Decision Analytics based upon the Value of Additional Information Opportunity Risk applications Risk Analysis SaaS delivered by the Aliado Accesso web portal (under development) Risk Analysis Training via CBT and Instructor-led courses © 2010 Aliado Accesso LLC
- 20. Factor Analysis of Information Risk (FAIR) How is FAIR Different Emphasis on Risk Logical and Rational Framework Quantitative Flexible Rigorous Repeatable © 2010 Aliado Accesso LLC
- 21. Factor Analysis of Information Risk (FAIR) FAIR is being used to… Prioritize risk issues for metric development and analysis Identify and compare risk mitigation cost-benefit propositions Design sophisticated what-if analyses Business case development for security and risk management initiatives Strategic development of a risk and security program while augmenting current risk frameworks Opportunity Risk analysis Breaking down communication barriers between business units and IT security enabling well-informed business decisions © 2010 Aliado Accesso LLC
- 22. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 23. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 24. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 25. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 26. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 27. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 28. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 29. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 30. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 31. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 32. Factor Analysis of Information Risk (FAIR) The Relationship between Primary and Secondary Loss: Scenario – a laptop is lost or stolen 1) Encryption, no sensitive data – small primary loss, no secondary loss 2) Encryption, sensitive data – small primary loss, no secondary loss 3) No encryption, no sensitive data – small primary loss, no secondary loss 4) No encryption, sensitive data – small primary loss, large secondary loss © 2010 Aliado Accesso LLC
- 33. Factor Analysis of Information Risk (FAIR) Aliado Accesso Confidential and Proprietary © 2010 Aliado Accesso LLC Copyright (c) 2010 Aliado Accesso, LLC
- 34. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 35. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 36. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 37. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 38. Factor Analysis of Information Risk (FAIR) © 2010 Aliado Accesso LLC
- 39. Factor Analysis of Information Risk (FAIR) About Aliado Mission: Develop risk analysis software and methodologies to deliver education, consulting, and certifications to the enterprise for an accurate and defensible risk management program. Founded by security professionals who have designed and executed enterprise security programs. Markets: Retail, Financial Services, Aerospace, Manufacturing, Government, and Education. Strategic Position: To be the partnering source for the ongoing development of your company’s risk management program and the education of the people who execute the plan. © 2010 Aliado Accesso LLC
- 40. Factor Analysis of Information Risk (FAIR) What Aliado does … Aliado’s risk management software gives organizations the key to translate risk loss exposure into real dollar values so that decision makers can strategically manage their IT Security budget and resources year after year. Our consultants can either implement a program from scratch or validate your current program. FAIR is a software and methodology for your on-going risk management program. No more: • High/Medium/Low Categories • Checking Boxes for Frameworks • Implementing the Latest Security Software • Selling by FUD © 2010 Aliado Accesso LLC
- 41. Factor Analysis of Information Risk (FAIR) FAIR Decision Analysis Packages Payment Card Industry (PCI) Privacy Application Security Data Loss Prevention (DLP/ILP) Cloud Computing Root Cause Analysis Decision Analysis © 2010 Aliado Accesso LLC
- 42. Factor Analysis of Information Risk (FAIR) FAIR Decision Analysis Offering FAIR Decision Analysis Offering - $995 For the month of May, we are offering a special promotion on our FAIRLite risk analysis offering. This assessment includes the following: Consult with you to perform a FAIRLite quantitative analysis of a single scenario. Provide a written summary and verbal explanation of the results. Within 6 months, provide a re-analysis of the same scenario with updated information for $295. For more information or to sign up, please contact sales@aliadocorp.com. © 2010 Aliado Accesso LLC
- 43. Factor Analysis of Information Risk (FAIR) Contact Us Jody Keyser jkeyser@aliadocorp.com www.aliadocorp.com 1-888-373-0680 © 2010 Aliado Accesso LLC

No public clipboards found for this slide

×
### Save the most important slides with Clipping

Clipping is a handy way to collect and organize the most important slides from a presentation. You can keep your great finds in clipboards organized around topics.

Be the first to comment