Measuring And Communication Risk The Fair Way Kevin Riggins

Two of the most important elements of a successful risk management practice are measuring and communicating risk. A repeatable, consistent framework for measuring risk is vital. We also need a way to communicate the results of those assessments to business partners in a manner relevant to them.
From the Factor Analysis of Information Risk whitepaper “FAIR provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.”
This presentation will show how FAIR provides a common taxonomy for assessing risk, how it allows us to measure risk in a manner that is repeatable and supportable, and finally how we can communicate that risk effectively.

  1. Measuring and Communicating Risk the FAIR Way
  2. Agenda
     - What’s the problem?
     - How do we solve it?
     - What’s FAIR?
     - How’s it work?
     - What did we talk about?
  3. What’s the problem?
  4. “There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.” ~ John F. Kennedy
  5. How much?
  6. Could be a little bit of risk. (Gerbil. It is NOT a rat!)
  7. Or, a whole lot of risk! (Elephant, also NOT a rat)
  8. Got to measure it!
  9. The risk is ….
  10. Low
  11. Moderate
  12. High
  13. How do we solve it?
  14. Rock, Paper, Scissors, Lizard, Spock
  15. Factor Analysis of Information Risk (FAIR)
  16. What’s FAIR?
  17. Components
  18. Risk Landscape: Assets, Threats, Organization, External Environment
  19. Assets
  20. Threats
  21. The Organization
  22. External Environment
  23. Defining Risk: Risk = the probable frequency and probable magnitude of future loss
  24. Probability
  25. Possible, but not probable!!
  26. Taxonomy: Risk breaks down into Loss Frequency and Loss Magnitude
  27. Loss Frequency → Threat Event Frequency → Contact, Action
  28. Loss Frequency → Threat Event Frequency (Contact, Action) and Vulnerability (Threat Capability, Resistance Strength)
  29. The Loss Frequency branch yields the Probable Loss Event Frequency
  30. Loss
  31. Forms of Loss
     - Productivity
     - Response
     - Replacement
     - Fines and Judgments
     - Competitive Edge
     - Reputation
  32. Loss Magnitude → Primary Loss → Effect, Duration
  33. Loss Magnitude → Secondary Loss → Loss Frequency, Loss Magnitude
  34. The Loss Magnitude branch yields the Probable Loss Magnitude
  35. Taxonomy (complete tree)
     - Risk
       - Loss Frequency (Probable Loss Event Frequency)
         - Threat Event Frequency: Contact, Action
         - Vulnerability: Threat Capability, Resistance Strength
       - Loss Magnitude (Probable Loss Magnitude)
         - Primary Loss: Effect, Duration
         - Secondary Loss: Loss Frequency, Loss Magnitude
  36. How’s it work?
  37. Four Stages
     - Identify Scenario Components
     - Evaluate Loss Event Frequency
     - Evaluate Probable Loss Magnitude (PLM)
     - Derive and Articulate Risk
  38. Stage 1: Identify Scenario Components (Assets, Threats)
  39. Assets are inside My House (not really)
  40. Threat == Burglar (Yeah, it’s a pirate, work with me!)
  41. Stage 2: Evaluating Loss Event Frequency
     - Estimate the probable Threat Event Frequency (TEF)
     - Estimate the Threat Capability (TCap)
     - Estimate Control Strength (CS)
     - Derive Vulnerability (Vuln)
     - Derive Loss Event Frequency (LEF)
  42. Estimate Threat Event Frequency

     | Rating | Description |
     |---|---|
     | Very Low (VL) | < .1 times per year |
     | Low (L) | Between .1 and 1 times per year |
     | Medium (M) | Between 1 and 10 times per year |
     | High (H) | Between 10 and 100 times per year |
     | Very High (VH) | > 100 times per year |

  43. Scenario so far: TEF = VL; TCap, CS, Vuln and LEF still to come
  44. Estimate Threat Capability (TCap)

     | Rating | Description |
     |---|---|
     | Very Low (VL) | Bottom 2% when compared against the overall threat population |
     | Low (L) | Bottom 16% when compared against the overall threat population |
     | Medium (M) | Average skill and resources (between bottom 16% and top 16%) |
     | High (H) | Top 16% when compared against the overall threat population |
     | Very High (VH) | Top 2% when compared against the overall threat population |

  45. Scenario so far: TEF = VL, TCap = H
  46. "I am Locutus of Borg. Resistance is futile." ~ Locutus, Star Trek: First Contact
  47. Estimate Resistance Strength (RS)

     | Rating | Description |
     |---|---|
     | Very Low (VL) | Only protects against bottom 2% of an avg. threat population |
     | Low (L) | Only protects against bottom 16% of an avg. threat population |
     | Moderate (M) | Protects against the average threat agent |
     | High (H) | Protects against all but the top 16% of an avg. threat population |
     | Very High (VH) | Protects against all but the top 2% of an avg. threat population |

  48. Bruno the Attack Chihuahua
  49. Estimate Resistance Strength (RS) (same scale as slide 47)
  50. Scenario so far: TEF = VL, TCap = H, RS = VL
  51. Deriving Vulnerability (V): rows are TCap, columns are Resistance Strength

     | TCap \ RS | VH | H | M | L | VL |
     |---|---|---|---|---|---|
     | VL | VL | VL | VL | L | M |
     | L | VL | VL | L | M | H |
     | M | VL | L | M | H | VH |
     | H | L | M | H | VH | VH |
     | VH | M | H | VH | VH | VH |

  52. Scenario so far: TEF = VL, TCap = H, RS = VL, Vuln = VH
  53. Deriving Loss Event Frequency (LEF): rows are TEF, columns are Vulnerability (V)

     | TEF \ V | VH | H | M | L | VL |
     |---|---|---|---|---|---|
     | VL | VL | VL | VL | VL | VL |
     | L | L | L | L | VL | VL |
     | M | M | M | M | L | VL |
     | H | H | H | H | M | L |
     | VH | VH | VH | VH | H | M |

  54. Scenario so far: TEF = VL, TCap = H, RS = VL, Vuln = VH, LEF = VL
  55. Stage 3: Evaluate Probable Loss Magnitude (PLM)
     - Estimate worst-case loss
     - Estimate probable loss
  56. Probable Loss Magnitude. Don’t forget! We have two components to PLM, Primary and Secondary
  57. Estimating Probable Loss Magnitude (PLM)
     1) Identify the most likely threat community action(s)
     2) Evaluate the probable loss magnitude for each loss form
     3) Sum the magnitudes
  58. Evaluating Loss Magnitude: a grid of Threat Actions (Access, Misuse, Disclosure, Modification, Deny Access) against Loss Forms (Productivity, Response, Replacement, Fines/Judgment, Comp. Adv., Reputation)
  59. Probable Loss Magnitude Scale

     | Magnitude | Range Low End | Range High End |
     |---|---|---|
     | Very Low (VL) | $0 | $999 |
     | Low (L) | $1,000 | $9,999 |
     | Moderate (M) | $10,000 | $99,999 |
     | Significant (Sg) | $100,000 | $999,999 |
     | High (H) | $1,000,000 | $9,999,999 |
     | Severe (SV) | $10,000,000 | ∞ |

  60. Evaluate Worst Case Loss Magnitude (for the selected threat action): Productivity L, Response M, Replacement H, Fines/Judgment --, Comp. Adv. --, Reputation --
  61. Evaluate Probable Loss Magnitude (for the selected threat action): Productivity VL, Response L, Replacement Sg, Fines/Judgment --, Comp. Adv. --, Reputation --
  62. Loss Event Frequency VL; Probable Loss Magnitude Sg; Worst-case Loss Magnitude H
  63. 4. Derive and Articulate Risk
  64. Derive Risk: rows are PLM, columns are LEF

     | PLM \ LEF | Very High | High | Moderate | Low | Very Low |
     |---|---|---|---|---|---|
     | Very Low | M | M | M | L | L |
     | Low | M | M | M | L | L |
     | Moderate | H | H | M | M | L |
     | Sig. | C | H | H | M | M |
     | High | C | C | H | H | M |
     | Severe | C | C | C | H | H |

  65. Articulate Risk
     - Threat Event Frequency (TEF): VL
     - Threat Capability (TCap): H
     - Resistance Strength (RS): VL
     - Vulnerability (Vuln): VH
     - Loss Event Frequency (LEF): VL
     - Probable Loss Magnitude: Sg
     - Worst-case Loss Magnitude: H
     - Risk: M
  66. Resources
     - FAIR Wiki: http://fairwiki.riskmanagementinsight.com
     - FAIR Blog: http://riskanalys.is
     - Open Group: http://www.opengroup.org/projects/security/fair/
  67. What did we talk about?
     - We talked about the problem.
     - We identified a solution – FAIR.
     - We talked about the risk landscape.
     - We talked about the taxonomy.
     - We talked about measuring risk.
     - We talked about how to communicate risk.
  68. Questions? Kevin Riggins, CISSP, CCNA. Senior Information Security Analyst, Security Review and Consulting Team Lead, Principal Financial Group. [email_address]. InfoSec Ramblings: http://www.infosecramblings.com, [email_address]. Twitter: @kriggins
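The deck's Stage 2 to Stage 4 derivation, written out as an added Python example (not code from the presentation): the Vulnerability, LEF and Risk lookup matrices (slides 51, 53 and 64) and the loss-magnitude scale (slide 59) are transcribed as tables, and the burglar scenario from slides 43 to 65 is run through them. Summing the six loss-form estimates by the midpoint of each dollar range is this example's assumption (the deck only says "sum the magnitudes"), and the "C" rating is kept exactly as printed on slide 64.

```python
"""FAIR lookup tables transcribed from the deck (slides 51, 53, 59, 64).
Added example, not the presentation's own code; summing loss forms by
dollar-range midpoint is this example's assumption, not FAIR's method."""
COLS = ["VH", "H", "M", "L", "VL"]  # column order used on the slides
# Vulnerability: row = Threat Capability, column = Resistance Strength
VULN = {
    "VL": ["VL", "VL", "VL", "L", "M"],
    "L":  ["VL", "VL", "L", "M", "H"],
    "M":  ["VL", "L", "M", "H", "VH"],
    "H":  ["L", "M", "H", "VH", "VH"],
    "VH": ["M", "H", "VH", "VH", "VH"],
}
# Loss Event Frequency: row = Threat Event Frequency, column = Vulnerability
LEF = {
    "VL": ["VL", "VL", "VL", "VL", "VL"],
    "L":  ["L", "L", "L", "VL", "VL"],
    "M":  ["M", "M", "M", "L", "VL"],
    "H":  ["H", "H", "H", "M", "L"],
    "VH": ["VH", "VH", "VH", "H", "M"],
}
# Risk: row = Probable Loss Magnitude, column = LEF ("C" as printed on slide 64)
RISK = {
    "VL": ["M", "M", "M", "L", "L"],
    "L":  ["M", "M", "M", "L", "L"],
    "M":  ["H", "H", "M", "M", "L"],
    "Sg": ["C", "H", "H", "M", "M"],
    "H":  ["C", "C", "H", "H", "M"],
    "SV": ["C", "C", "C", "H", "H"],
}
# Probable Loss Magnitude scale: (rating, range low end, range high end) in dollars
PLM_SCALE = [("VL", 0, 999), ("L", 1_000, 9_999), ("M", 10_000, 99_999),
             ("Sg", 100_000, 999_999), ("H", 1_000_000, 9_999_999),
             ("SV", 10_000_000, float("inf"))]

def lookup(matrix, row, col):
    """Read one cell of a slide matrix by its row and column rating."""
    return matrix[row][COLS.index(col)]

def sum_loss_forms(ratings):
    """Stage 3 step 3: sum the six loss-form estimates ('--' = none) to one rating."""
    bounds = {r: (lo, hi) for r, lo, hi in PLM_SCALE}
    total = sum((bounds[r][0] + bounds[r][1]) / 2 for r in ratings if r != "--")
    return next(r for r, lo, hi in PLM_SCALE if lo <= total <= hi)

def derive_risk(tef, tcap, rs, probable_forms):
    """Stages 2 to 4 of the deck: ratings in, derived Vuln, LEF, PLM and Risk out."""
    vuln = lookup(VULN, tcap, rs)
    lef = lookup(LEF, tef, vuln)
    plm = sum_loss_forms(probable_forms)
    return {"Vuln": vuln, "LEF": lef, "PLM": plm, "Risk": lookup(RISK, plm, lef)}
```

Calling `derive_risk("VL", "H", "VL", ["VL", "L", "Sg", "--", "--", "--"])` reproduces the deck's chain (Vuln VH, LEF VL, PLM Sg, Risk M), and `sum_loss_forms(["L", "M", "H", "--", "--", "--"])` gives the worst-case H from slide 62.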
