2. Products
Sales
Financials
Background Information
Building a comprehensive business function automation
software that performs many functions (decision making in
approaching new initiatives, goal setting and tracking, financial
accounting, a payment system, and much more).
The software is largely the joint brainchild of the Chief
Technology Officer (CTO) and a highly visionary Marketing
Manager who left the company a year ago
5
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Background Information – What We Do
Financed 100% by investors who are extremely anxious to make
a profit.
Investors have invested more than US $35 million since
inception and have not received any returns.
The organization expected a small profit in the last two
quarters. However, the weak economy led to the cancellation of
several large orders. As a result, the organization was in the red
each quarter by approximately US $250,000.
6
Background Information – Financials
What we do
3. Org. Structure
Operational
Industry
Products
Sales
Financials
Code Galore is a privately held company with a budget of US
$15 million per year. Sales last year totaled US $13.5 million
(as mentioned earlier, the company came within US $250,000 of
being profitable each of the last two quarters).
The investors hold the preponderance of the company’s stock;
share options are given to employees in the form of stock
options that can be purchased for US $1 per share if the
company ever goes public.
Code Galore spends about five percent of its annual budget on
marketing. Its marketing efforts focus on portraying other
financial function automation applications as ‘point solutions’
in contrast to Code Galore’s product.
7
Background Information – Financials
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
8
Background Information – Org. Structure
Figure 1—Code Galore Organisational Chart
CEO
CSO
4. VP, Finance
VP, Business
CTO
VP, Human Resources
Security
Administrator
Sales Mgr
Accounting
Dir.
Sr. Financial
Analyst
Infrastructure
Mgr.
Sys. Dev. Mgr.
HR Manager
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
The board of directors:
5. Consists of seasoned professionals with many years of
experience in the software industry
Is scattered all over the world and seldom meets, except by
teleconference
Is uneasy with Code Galore being stretched so thin financially,
and a few members have tendered their resignations within the
last few months
9
Background Information – Org. Structure
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
The CEO:
Is the former chief financial officer (CFO) of Code Galore that
replaced the original CEO who resigned to pursue another
opportunity two years ago
Has a good deal of business knowledge, a moderate amount of
experience as a C-level officer, but no prior experience as a
CEO
As a former CFO, tends to focus more on cost cutting than on
creating a vision for developing more business and getting
better at what Code Galore does best
Background Information – Org. Structure
10
What we do
Org. Structure
Operational
Industry
Products
6. Sales
Financials
Engineers perform code installations. The time to get the
product completely installed and customized to the customer’s
environment can exceed one month with costs higher than US
$60,000 to the customer.
Labour and purchase costs are too high for small and medium-
sized businesses. So far, only large companies in the US and
Canada have bought the product.
C-level officers and board members know that they have
developed a highly functional, unique product for which there is
really no competition. They believe that, in time, more
companies will become interested in this product, but the
proverbial time bomb is ticking. Investors have stretched
themselves to invest US $35 million in the company, and are
unwilling to invest much more.
11
Background Information – Operational
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Business function automation software is a profitable area for
many software vendors because it automates tasks that
previously had to be performed manually or that software did
not adequately support.
The business function automation software arena has many
7. products developed by many vendors. However, Code Galore is
a unique niche player that does not really compete (at least on
an individual basis) with other business automation software
companies.
Background Information – Industry
12
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
The product is comprehensive—at least four other software
products would have to be purchased and implemented to cover
the range of functions that Code Galore’s product covers.
Additionally, the product integrates information and statistics
throughout all functions—each function is aware of what is
occurring in the other functions and can adjust what it does
accordingly, leading to better decision aiding.
Background Information – Products
13
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Sales have been slower than expected, mainly due to a
combination of the economic recession and the high price and
complexity of the product.
8. The price is not just due to the cost of software development; it
also is due to the configuration labour required to get the
product running suitably for its customers.
Background Information – Sales
14
What we do
Org. Structure
Operational
Industry
Products
Sales
Financials
Acquisition
Code Galore is in many ways fighting for its life, and the fact
that, four months ago, the board of directors made the decision
to acquire a small software start-up company, Skyhaven
Software, has not helped the cash situation.
Skyhaven consists of approximately 15 people, mostly
programmers who work at the company’s small office in
Phoenix, Arizona, USA. Originally, the only connection
between your network and Skyhaven’s was an archaic public
switched telephone network (PSTN).
Setting up a WAN
Two months ago, your company’s IT director was tasked with
setting up a dedicated wide area network (WAN) connection to
allow the former Skyhaven staff to remotely access Code
Galore’s internal network and vice versa.
You requested that this implementation be delayed until the
security implications of having this new access route into your
network were better understood, but the CEO denied your
request on the grounds that it would delay a critical business
initiative, namely getting Skyhaven’s code integrated into Code
Galore’s.
9. 15
The Problems
Information Security
More recently, you have discovered that the connection does not
require a password for access and that, once a connection to the
internal network is established from outside the network, it is
possible to connect to every server within the network,
including the server that holds Code Galore’s source code and
software library and the server that houses employee payroll,
benefits and medical insurance information.
Fortunately, access control lists (ACLs) limit the ability of
anyone to access these sensitive files, but a recent vulnerability
scan showed that both servers have vulnerabilities that could
allow an attacker to gain unauthorised remote privileged access.
You have told the IT director that these vulnerabilities need to
be patched, but because of the concern that patching them may
cause them to crash or behave unreliably and because Code
Galore must soon become profitable or else, you have granted
the IT director a delay of one month in patching the servers.
16
The Problems – Overview
Bots
What now really worries you is that, earlier today, monitoring
by one of the security engineers who does some work for you
has shown that several hosts in Skyhaven’s network were found
to have bots installed in them.
10. Source Code
Furthermore, one of the Skyhaven programmers has told you
that Skyhaven source code (which is to be integrated into Code
Galore’s source code as soon as the Skyhaven programmers are
through with the release on which they are currently working) is
on just about every Skyhaven machine, regardless of whether it
is a workstation or server.
17
The Problems – Overview
Code Galore vs. Skyhaven Employee knowledge
Code Galore employees are, in general, above average in their
knowledge and awareness of information security, due in large
part to an effective security awareness programme that you set
up two months after you started working at Code Galore and
have managed ever since.
You offer monthly brown bag lunch events in a large conference
room, display posters reminding employees not to engage in
actions such as opening attachments that they are not expecting,
and send a short monthly newsletter informing employees of the
direction in which the company is going in terms of security and
how they can help.
Very few incidents due to bad user security practices occurred
until Skyhaven Software was acquired. Skyhaven’s employees
appear to have almost no knowledge of information security.
You also have discovered that the Skyhaven employee who
informally provides technical assistance does not make backups
and has done little in terms of security configuration and patch
management.
18
The Problems – Overview
11. 19
Your Role
Hired two years ago as the only Chief Security Officer (CSO)
this company has ever had.
Report directly to the Chief Executive Officer (CEO).
Attend the weekly senior management meeting in which goals
are set, progress reports are given and issues to be resolved are
discussed.
The Information Security Department consists of just you; two
members of the security engineering team from software are
available eight hours each week.
10 years of experience as an information security manager, five
of which as a CSO, but you have no previous experience in the
software arena.
Four years of experience as a junior IT auditor.
Undergraduate degree in managing information systems and
have earned many continuing professional education credits in
information security, management and audit areas.
Five years ago, you earned your CISM certification.
The focus here is not on a business unit, but rather on Code
Galore as a whole, particularly on security risk that could
cripple the business.
Due primarily to cost-cutting measures the CEO has put in
place, your annual budget has been substantially less than you
requested each year.
Frankly, you have been lucky that no serious incident has
occurred so far. You know that in many ways your company has
been tempting fate.
You do the best you can with what you have, but levels of
12. unmitigated risk in some critical areas are fairly high.
Your Role and the Business Units
20
Mr. Wingate’s focus on cost cutting is a major reason that you
have not been able to obtain more resources for security risk
mitigation measures.
He is calm and fairly personable, but only a fair communicator,
something that results in your having to devote extra effort in
trying to learn his expectations of your company’s information
security risk mitigation effort and keeping him advised of risk
vectors and major developments and successes of this effort.
21
Your Role and the CEO, Ernest Wingate
Code Galore’s IT director is Carmela Duarte. She has put a
system of change control into effect for all IT activities
involving hardware and software.
This system is almost perfect for Code Galore—it is neither
draconian nor too lax and very few employees have any
complaints against it.
You have an excellent working relationship with her, and
although she is under considerable pressure from her boss, the
CTO, and the rest of C-level management to take shortcuts, she
usually tries to do what is right from a security control
perspective.
20. ‣ The loss magnitude scale described in this section is adjusted
for a specific organizational size and risk
capacity. Labels used in the scale (e.g., “Severe”, “Low”, etc.)
may need to be adjusted when analyzing
organizations of different sizes
‣ This process is a simplified, introductory version that may not
be appropriate for some analyses
Basic FAIR analysis is comprised of ten steps in four stages:
Stage 1 – Identify scenario components
1. Identify the asset at risk
2. Identify the threat community under consideration
Stage 2 – Evaluate Loss Event Frequency (LEF)
3. Estimate the probable Threat Event Frequency (TEF)
4. Estimate the Threat Capability (TCap)
5. Estimate Control strength (CS)
6. Derive Vulnerability (Vuln)
7. Derive Loss Event Frequency (LEF)
Stage 3 – Evaluate Probable Loss Magnitude (PLM)
8. Estimate worst-case loss
9. Estimate probable loss
21. Stage 4 – Derive and articulate Risk
10. Derive and articulate Risk
Risk
Loss Event
Frequency
Probable Loss
Magnitude
Threat Event
Frequency
Vulnerability
Contact Action
Control
Strength
Threat
Capability
Primary Loss
Factors
Secondary
Loss Factors
Asset Loss
Factors
Threat Loss
Factors
22. Organizational
Loss Factors
External Loss
Factors
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Stage 1 – Identify Scenario Components
Step 1 – Identify the Asset(s) at risk
In order to estimate the control and value characteristics within
a risk analysis, the analyst must first identify the asset
(object) under evaluation. If a multilevel analysis is being
performed, the analyst will need to identify and evaluate the
primary asset (object) at risk and all meta-objects that exist
between the primary asset and the threat community. This
guide is intended for use in simple, single level risk analysis,
and does not describe the additional steps required for a
multilevel analysis.
Asset(s) at risk:
_____________________________________________________
_
Step 2 – Identify the Threat Community
23. In order to estimate Threat Event Frequency (TEF) and Threat
Capability (TCap), a specific threat community must first be
identified. At minimum, when evaluating the risk associated
with malicious acts, the analyst has to decide whether the
threat community is human or malware, and internal or external.
In most circumstances, it’s appropriate to define the
threat community more specifically – e.g., network engineers,
cleaning crew, etc., and characterize the expected nature
of the community. This document does not include guidance in
how to perform broad-spectrum (i.e., multi-threat
community) analyses.
Threat community:
_____________________________________________________
_
Characterization
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Stage 2 – Evaluate Loss Event Frequency
Step 3 – Threat Event Frequency (TEF)
The probable frequency, within a given timeframe, that a threat
agent will act against an asset
24. Contributing factors: Contact Frequency, Probability of Action
on
Very High (VH) > 100 times per year
High (H) Between 10 and 100 times per year
Moderate (M) Between 1 and 10 times per year
Low (L) Between .1 and 1 times per year
Very Low (VL) < .1 times per year (less than once every ten
years)
Rationale
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 4 – Threat Capability (Tcap)
The probable level of force that a threat agent is capable of
applying against an asset
Contributing factors: Skill, Resources
Rating
Very High (VH) Top 2% when compared against the overall
threat population
25. High (H) Top 16% when compared against the overall threat
population
Moderate (M) Average skill and resources (between bottom 16%
and top 16%)
Low (L) Bottom 16% when compared against the overall threat
population
Very Low (VL) Bottom 2% when compared against the overall
threat population
Rationale
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 5 – Control strength (CS)
The expected effectiveness of controls, over a given timeframe,
as measured against a baseline
level of force
Contributing factors: Strength, Assurance
Very High (VH) Protects against all but the top 2% of an avg.
threat population
High (H) Protects against all but the top 16% of an avg. threat
population
26. Moderate (M) Protects against the average threat agent
Low (L) Only protects against bottom 16% of an avg. threat
population
Very Low (VL) Only protects against bottom 2% of an avg.
threat population
Rationale
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 6 – Vulnerability (Vuln)
The probability that an asset will be unable to resist the actions
of a threat agent
Tcap (from step 4):
CS (from step 5):
Vulnerability
VH VH VH VH H M
H VH VH H M L
Tcap M VH H M L VL
L H M L VL VL
27. VL M L VL VL VL
VL L M H VH
Control Strength
Vuln (from matrix above):
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 7 – Loss Event Frequency (LEF)
The probable frequency, within a given timeframe, that a threat
agent will inflict harm upon an
asset
TEF (from step 3):
Vuln (from step 6):
Loss Event Frequency
VH M H VH VH VH
H L M H H H
TEF M VL L M M M
L VL VL L L L
28. VL VL VL VL VL VL
VL L M H VH
Vulnerability
LEF (from matrix above):
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Stage 3 – Evaluate Probable Loss Magnitude
Step 8 – Estimate worst-case loss
Estimate worst-case magnitude using the following three steps:
‣ Determine the threat action that would most likely result in a
worst-case outcome
‣ Estimate the magnitude for each loss form associated with that
threat action
‣ “Sum” the loss form magnitudes
Loss Forms
Threat Actions Productivity Response Replacement
Fine/Judgments Comp. Adv. Reputation
Access
Misuse
Disclosure
29. Modification
Deny Access
Magnitude Range Low End Range High End
Severe (SV) $10,000,000 --
High (H) $1,000,000 $9,999,999
Significant (Sg) $100,000 $999,999
Moderate (M) $10,000 $99,999
Low (L) $1,000 $9,999
Very Low (VL) $0 $999
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 9 – Estimate probable loss
Estimate probable loss magnitude using the following three
steps:
‣ Identify the most likely threat community action(s)
‣ Evaluate the probable loss magnitude for each loss form
‣ “Sum” the magnitudes
Loss Forms
30. Threat Actions Productivity Response Replacement
Fine/Judgments Comp. Adv. Reputation
Access
Misuse
Disclosure
Modification
Deny Access
Magnitude Range Low End Range High End
Severe (SV) $10,000,000 --
High (H) $1,000,000 $9,999,999
Significant (Sg) $100,000 $999,999
Moderate (M) $10,000 $99,999
Low (L) $1,000 $9,999
Very Low (VL) $0 $999
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Stage 4 – Derive and Articulate Risk
Step 10 – Derive and Articulate Risk
31. The probable frequency and probable magnitude of future loss
Well-articulated risk analyses provide decision-makers with at
least two key pieces of information:
‣ The estimated loss event frequency (LEF), and
‣ The estimated probable loss magnitude (PLM)
This information can be conveyed through text, charts, or both.
In most circumstances, it’s advisable to also provide the
estimated high-end loss potential so that the decision-maker is
aware of what the worst-case scenario might look like.
Depending upon the scenario, additional specific information
may be warranted if, for example:
‣ Significant due diligence exposure exists
‣ Significant reputation, legal, or regulatory considerations exist
Risk
Severe H H C C C
High M H H C C
PLM Significant M M H H C
Moderate L M M H H
Low L L M M M
Very Low L L M M M
VL L M H VH
32. LEF
LEF (from step 7):
PLM (from step 9):
WCLM (from step 8):
Key Risk Level
C Critical
H High
M Medium
L Low
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC