Present your risk assessments to your board of directors in the language they understand - financial loss. "FAIR" or "Factor Analysis of Information Risk" is the quantitative risk analysis methodology that works with common frameworks while adding context for truly effective risk management.

1. Introduction to FAIR Risk Methodology
Presented by: Donna Gallaher, CISSP, C|CISO, CIPP/E, CIPM, FIP, Open FAIR

2. § Problems with Current Cyber
Risk Management
§ FAIR Institute
§ FAIR Risk Taxonomy /
Definitions
§ Inputs & Outputs
§ Summary
§ Resources
2
Agenda

3. About Donna Gallaher
3
§ President & CEO of New Oceans Enterprises, LLC
– an Atlanta based Cyber, IT and Data Privacy
Advisory Professional Services Company
§ Board of Advisors FAIR Institute and President of
Atlanta FAIR Chapter / Quantitative Risk Analysis
§ Holds CISSP, C|CISO, CIPP/E , CIPM, Open FAIR,
ITIL Certifications and designated as a Fellow of
Information Privacy (FIP)
§ Bachelor of Science in Electrical Engineering from
Auburn University
§ Over 10 years in IT Service Delivery as a
Managed Services Provider with Wipro and
SunGard
§ Served in Multiple Executive IT and Security
Leadership roles with ABB Software, First
Advantage and InComm Financial Services
§ Contributor to National Technology Security
Coalition (NTSC) blog as the voice of the CISO in
government legislative initiatives

4. CISO – CRO
“Eχουμε πάνω από
δέκα χιλιάδες
τρωτά σημεία ,
είναι συμβατό
με το ογδόντα
τοις εκατό”
CFO
“How much risk do we have?
Are we spending too little or
too much on mitigation?”
CIO
“Are we spending our
cybersecurity budget on
the right things? What is
the ROI?”
AUDIT
“Did you fix those
high priority
findings?”
BOARD/CEO
“We don’t want to be the next
news headline cybercrime
victims. Are we doing enough
to minimize risk?”

5. • Common approach is to take an industry framework such as
NIST 800-53, ISO 27000, PCI DSS, go through the checklists
and find all the control gaps.
• Strategy is to implement a set of “best practices” to achieve an
assumed “An Acceptable Level” of risk
• Checklist approach provides good discovery of the controls in
place, but does not apply risks in context.
• Companies struggle with most Information Security Risk Analysis
because the output is not presented in an objective form, and
the goals are not clearly defined.
• Critical, High, Medium, Low Risks (subjective)
• Manage Risk to “An Acceptable Level” (subjective)
This Strategy Uses “Implicit Risk”
5
Current Cyber Risk Management

6. 6
Examples

7. 7
Examples

8. Bald Tire Example
How much risk is there with a bald tire?
What assumptions do you make?
Are those assumptions valid, or would
more context change your answer?
8

9. Bald Tire Example
Risk depends on more than just the condition of the tire
9

10. What is FAIR?
• “FAIR” is an acronym for “Factor Analysis of Information Risk” and is intended
to quantify Risk (aka Loss Events) so that organizations can make better
decisions.
• FAIR uses an “Explicit Risk” Strategy which defines a specific financial target
to manage to, and dives into the context of the loss event to get a better
picture of risk.
• Does NOT replace your existing framework(s)… Works alongside them to
quantify risks.
• Can be applied to other types of risk (non-cyber/IT) so that the organization
can make decisions based on objective estimates.
10

11. ciso.eccouncil.org 11
Who is adopting FAIR Risk Analysis Methodology?
FAIR Institute
Members
Include:
Accenture
ADP
Aetna
AIG
Airbus
Alliance Data
Allstate
Ally Financial Inc.
Altria Client Services
Amazon
American Express
American Airlines
Ameriprise Financial Inc.
Amica Mutual Insurance
Anthem, Inc.
Aon
Arrow Electronics
Arthur J. Gallagher & Co.
Ascena Retail Group
Assurant
AT&T
AutoNation, Inc.
Baker Tilly
Bank of America
Bank of Canada
Bank of England
Barclays
Baystate Health
BB&T Bank
Best Buy
Biogen
Bloomberg L.P.
BlueCross BlueShield
BNY Mellon
BT
Boeing
Booz Allen Hamilton
Brooks Brothers
Brown Brothers Harriman & Co.
Campbell's Soup Co.
Capital One
Carnegie Mellon University
Caterpillar
CBS
CEB
CenturyLink
CFGI
Charles Schwab
Chevron
Children's Health
Chubb
Cigna
Cisco Systems
Citigroup
Citizens Bank
Comcast
Commonwealth of
Pennsylvania
Credit Karma
Cummins Inc.
CVS Health
Dell Technologies
Deloitte & Touche
Delta Dental
Deutsche Bank
Dick's Sporting Goods
Discover
Dolby
DuPont
DXC Technology
E*TRADE
eBay
Edward Jones
Emerson Electric
Ericsson
Ernst & Young
Evolver, Inc.
Express Scripts
ExxonMobil
Fannie Mae
Federal Reserve Bank
FedEx
Fidelity Investments
First Data Corporation
First Republic Bank
Ford Motor Company
Freddie Mac
FS-ISAC
Gap Inc.
Gartner
GE
GEICO
General Mills
General Motors
Goldman Sachs
Government of Cananda
Grant Thornton
Hanesbrand, Inc.
Henry Schein, Inc.
Hewlett Packard Enterprise
Highmark Health
Hilton Worldwide
Home Depot
Honeywell
Humana
Huntington National Bank
IAG
IBM
IMF
ING Group
John Hancock Financial
JPMorgan Chase
Kaiser Permanente
Kellogg Company
KeyBank
KPMG
L-3 Communications
Leidos
Lexmark International, Inc.
Liberty Mutual Insurance
Lockheed Martin
M&T Bank
Marriott International
Marsh & McLennan Companies
MassMutual
MasterCard
McAfee, Inc.
McKesson Co.
McKinsey & Company
MetLife
Microsoft
Mitre
MoneyGram International Inc.
Motorola Solutions
NASA
Nationwide Insurance
Navy Federal Credit Union
Nestlé
Netgear
Nike
NOAA
Nokia
Northrop Grumman
Novartis
Pacific Northwest National
Laboratory
Panasonic
PayPal
Philips
PNC Bank
PwC
Prudential Financial
Raytheon
RSA
SAIC
Santander Bank
SC Johnson
Siemens
Sony
Sprint
Starbucks
Starwood Hotels & Resorts
State Farm Insurance
Suncor Energy
Target
TD Ameritrade
Tesco
TJX Companies, Inc.
The Hartford
The Hershey Company
The Walt Disney Company
TBM Council
Thomson Reuters
TIAA
Toyota
Travelers Insurance
TÜV Rheinland OpenSky
Tyson Foods
UBS
UPS
U.S. Air Force
U.S. Army
U.S. Bank
U.S. Coast Guard
U.S. Department of the
Treasury
U.S. Postal Service
USAA
Uber
Under Armour
Union Bank
Vanguard
Verifone
Verizon
Visa
Walmart
Wells Fargo
Willis Towers Watson
Xerox
7-Eleven
• 2018: 30% of fortune 1000; 2020 projection 75% of fortune 1000*
*Source: FAIR Institute

12. ciso.eccouncil.org 12
Alongside
• Shared Assessments
• ISACA
Industry Recognition Securities and
Exchange
Commission
Feb 2018
“Statement and
Guidance on
Public Company
Cybersecurity
Disclosures”
Textbook Case
for FAIR
Methodology!

13. Factor Analysis
13
70
10
2
5
7

14. Risk Modeling Requirements
“Asset” – thing that has value or liability associated with it
Ex: Account Numbers, Social Security Numbers, Source Code, Customer Profiles, Databases,
Buildings, Equipment
“Threat” – who is trying to compromise the asset. Unlike Implicit Risk
Methods, a Threat is defined as a person or group of people characterized
by a profile. In FAIR Terminology, also known as a “Threat Community” or
“TCom”
Ex: Nation State Hackers, Average Cyber Criminal, Privileged User, Non-Privileged General User
14

15. “Risk” - is comprised of Loss Event Frequency or “LEF” (how many
times) does the loss event occur over a period AND Loss Magnitude
or “LM” (what is the dollar amount is associated with each loss event)
Risk = Loss Event
with Asset AND
Threat Defined
Loss Event
Frequency
“LEF”
Loss Magnitude
“LM”
15
#/𝜏
$
Taxonomy / Definitions

16. Which Are Threats?
Advanced Persistent Threat
Hacktivist
Cloud
Social Engineering
VOIP
Organized Crime
State Sponsored Attack
Social Networking
Mobile Devices
DDoS
Item Threat – Yes or No Why?
No Thing
No Form of Attack
No Thing
Yes Person(s)
No Threat Event
No Thing
No Thing
No Form of Attack
Yes Person(s)
No Form of Attack
16

17. “LEF” is comprised of Threat Event Frequency “TEF” (how many
times) does the threat event occur over a period AND Vulnerability
“Vuln” (how likely is the threat to succeed given the controls in place
and the skill of the attacker)
Risk = Loss Event
Loss Event
Frequency
“LEF”
Threat Event
Frequency
“TEF”
Vulnerability
“Vuln”
Loss Magnitude
“LM”
17
Taxonomy / Definitions

18. Similarly “LM” is factored into Primary and Secondary Losses
Risk = Loss
Event
Loss Event
Frequency
“LEF”
Threat Event
Frequency
“TEF”
Vulnerability
“Vuln”
Loss Magnitude
“LM”
Primary
Secondary
18
Taxonomy / Definitions

19. ciso.eccouncil.org 19
Discussion
What is the
“Vulnerability”
associated with a
Privileged Insider
succeeding in an attack?
100 %
i.e. LEF = TEF
Every threat event is
a loss event

20. Risk =
Loss Event
Loss Event
Frequency
“LEF” (#/𝜏)
Threat Event
Frequency
“TEF” (#/𝜏)
Contact
Frequency (#/𝜏)
Probability of
Action (%)
Vulnerability
“Vuln” (%)
Threat Capability
(%)
Resistance
Strength
/Difficulty (%)
Loss Magnitude
“LM” ($)
Primary Risk /
Loss ($)
Secondary Risk /
Loss ($)
Secondary Loss
Event Frequency
“SLEF” (%)
Secondary Loss
Magnitude “SLM”
($)
Less
Frequently
Used
20
Full Factor Tree

21. Cleaning Crew Finds Password Written on Sticky Note and Successfully
Steals Employee Info from HRIS Database of 15,000 employees
21
Risk Capacity and Risk Tolerance Definition (Magnitude)
Magnitude Abbrev Low End Range High End Range
Define: Very High VH $ 10,000,000.00 > $10M
Define: High H $ 1,000,000.00 $ 9,999,999.00
Define: Moderate M $ 100,000.00 $ 999,999.00
Define: Low L $ 10,000.00 $ 99,999.00
Define: Very Low VL $ 0.00 $ 9,999.00
Using Ponemon 2018 Cost of Data Breach $148 avg per record X 15000 = $2,220,000 = “High”
Low-Tech Example

22. Rating Abbreviation Description
Very High VH > 100 times per year
High H Between 10 and 100 times per year
Moderate M Between 1 and 10 times per year
Low L Between .1 and 1 times per year
Very Low VL < .1 times per year (less than once every 10 years)
22
Rating Abbreviation Description
Very High VH Top 2% when compared to overall threat population
High H Top 16% when compared to overall threat population
Moderate M Average skill and resources (between bottom 16% and top 16%)
Low L Bottom 16% when compared to overall threat population
Very Low VL Bottom 2% when compared to overall threat population
Define Frequency & Capability Levels

23. Table Calculation Example
VL L M H VH
VH VH VH VH H M
H VH VH H M L
M VH H M L VL
L H M L VL VL
VL M L VL VL VL
Vulnerability (Vuln)
Threat
Capability
(TCAP)
Resistance Strength (RS)
23

24. 24
Loss Event
Frequency
“LEF” (#/𝜏)
Threat Event
Frequency
“TEF” (#/𝜏)
Contact Frequency
(#/𝜏)
Probability of
Action (%)
Vulnerability
“Vuln” (%)
Threat Capability
(%)
Resistance
Strength
/Difficulty (%)
Discussion:
• What assumptions are we making?
• How can Risk / LEF be lowered in this scenario?
Initial Tree (Loss Event Frequency)

25. Revised Tree (Loss Event Frequency)
after Removing Sticky, adding MFA
25
Loss Event
Frequency
“LEF” (#/𝜏)
Threat Event
Frequency
“TEF” (#/𝜏)
Contact
Frequency (#/𝜏)
Probability of
Action (%)
Vulnerability
“Vuln” (%)
Threat Capability
(%)
Resistance
Strength
/Difficulty (%)

26. Without Using FAIR Using FAIR
“We’ve identified that loss of 15,000
employee records would cost the
company between $2M-$5M.
We estimate we could cut our
vulnerability and frequency to this loss
event by 50-60% if we enforced our
clean desk policy with spot checks and
added Multi-Factor Authentication for
approximately $50,000.”
26
Compare the Difference (Low Tech)

27. Define the
Assets, and
their Value
•Set target
for Loss
Exposure
Identify the
Threat
Community and
their Profiles /
Capabilities
•Quantify in
Ranges
Examine the
Controls in Place
and Estimate
Ranges
•Focus on
most likely /
highest risk
scenarios
Run
Analysis
•Monte Carlo
Analysis
27
High Level Risk Analysis Strategy

28. • Primary Loss Magnitude • Secondary Loss Magnitude
28
Sample Inputs (Same Table)

29. qSubject Matter Experts
qPonemon Research
qVerizon Research
qForrester Research
qAccounting Firms Research
qLaw Firm Research
qVendor Studies and Research
qISACS
qProof of Concept Reviews
qPrevious Events
qLogs
qTickets
qLaw Enforcement
qGovernment Regulators
qGovernment Studies
qUser Groups
qEach other
ciso.eccouncil.org 29
Where Do I Get the Numbers?

30. There are a number of ways to present the data but outputs will be
expressed as ranges showing the relative amount of annualized risk
with each scenario, and then management can decide best course of
action (Accept, Reduce, Avoid, Transfer)
Note: Both Free and Licensed Tools
Are Available to Run the Monte Carlo
Analysis; Output Reporting Varies
30
Outputs

31. ciso.eccouncil.org 31
Outputs
“HOW MUCH RISK DO WE HAVE?” “WHAT ARE OUR TOP RISKS?”
“HAVE WE REDUCED RISK?”
A B C D E F G H I J K M N O P Q
“HOW IS OUR RISK TRENDING VS. APPETITE?”
“WHAT IS THE COST/BENEFIT OF THIS PROJECT?”
IT Security
Investment
Current
Risk
Reduced
Risk
$80M
$9M
$2M
“WHAT TYPE OF LOSS CAN WE EXPECT?”
Financial
Impact
$71M
RISK REDUCTION
VS.
$2M
INVESTMENT

32. What Percentile do you use for the target? Where along the Curve?
$14M is outside Most Likely (ML) but Inside 90th percentile…
0%
1%
2%
3%
4%
5%
6%
7%
8%
9%
10%
11%
12%
13%
14%
15%
16%
$0 $2 $4 $6 $8 $10 $12 $14 $16 $18 $20
10th 90thAvgmin maxML
32
Risk Distribution – Where is your Risk Appetite?

33. Open FAIR Foundation Training Options
ciso.eccouncil.org 33
Self-study materials / Body of
Knowledge at
The Open Group Website
§ Read the Book: Measuring
and Managing Information
Risk, Jack Freund & Jack
Jones, 2015
www.opengroup.org

34. Online RiskLens Academy Training
ciso.eccouncil.org 34
www.risklens.com
• Use Referral Code =
ATLANTA
Includes:
• 16 CPEs
• Study guide
• Exam voucher

35. https://www.fairinstitute.org/fair-u
35
Free Online RiskLens Scenario Calculator

36. h
Loss Event Frequency/yr.
Calculated Below
Current 3 5 8 ←
Proposed 3 5 6 ←
Drill Down
Threat Event Frequency/yr. Vulnerability
Calculated Below Calculated Below
Cur. 0 10 20 ← Cur. 40% 50% 60% ←
Prop. 0 6 12 ← Prop. ←
Drill Down Drill Down
Contact Probability Threat Resistance
Frequency/yr. of Action Capability Strength
Cur. Pro. Cur. Pro. Cur. Pro. Cur. Pro.
Min 50 50 Min 10% 10% Min 10% 10% Min 0% 40%
ML 240 240 ML 20% 20% ML 50% 50% ML 20% 45%
Max 365 365 Max 75% 75% Max 60% 60% Max 50% 50%
↑ ↑ ↑ ↑ ↑ ↑ ↑ ↑
About
Loss Event
Frequency
Loss
Magnitude
Risk
User's Guide
h
Loss Magnitude
Calculated Below
Current 8 10 20 ←
Proposed
Drill Down
Primary Loss Magnitude Secondary Loss Magnitude
Current Min ML Max Min ML Max
Productivity 5 18 20 ← SLEF Current 0% 30% 60% ←
Replacement 6 8 10 ← Proposed ←
Response ←
Reputation ← Current Min ML Max
Competitive Adv. ← Productivity ←
Judgments ← Replacement ←
Response 3 9 15 ←
Proposed Min ML Max Reputation 4 10 16 ←
Productivity 3 12 15 ← Competitive Adv. 5 11 17 ←
Replacement ← Judgments ←
Response ←
Reputation ← Proposed Min ML Max
Competitive Adv. ← Productivity ←
Judgments ← Replacement ←
Response ←
Reputation ←
Competitive Adv. ←
Judgments ←
Loss Event
Frequency
Loss
Magnitude
Risk
About
User's Guide
Copyright © 2018 The Open Group®. All Rights Reserved.
Open FAIR™ is a trademark of The Open Group.
SIPmath™ is a trademark of ProbabilityManagement.org.
36
Free Excel Workbook Calculator

37. § FAIR is becoming the Industry Standard for Quantitative Risk
Analysis by focusing on LOSS EVENTS
§ Works with your Existing Framework
§ Requires a clear definition of the Asset and Threat to that specific
Asset
§ Assumes Risks are comprised of component parts (factors) such
as how frequently a given scenario will occur over a period of time
and how likely a Threat Community will succeed in generating a
loss event
§ Result is a range of probabilities with an associated financial
exposure
37
Summary:

38. Call to action…
• Join the FAIR Institute Online!
• https://www.fairinstitute.org
• FREE for Risk Practitioners
38

39. References:
• Textbook: Measuring and Managing
Information Risk, Jack Freund & Jack Jones,
2015
• FAIR Institute – www.fairinstitute.org
• Open Group (Standards and Certification Body)
– www.opengroup.org
• RiskLens (Technical Advisor to FAIR Institute) –
www.risklens.com/resources
39© 2019 New Oceans Enterprises, LLC – All Rights Reserved

40. Thank you!
Donna Gallaher, CISSP, C|CISO, CIPP/E, CIPM, FIP
President & CEO
New Oceans Enterprises, LLC
https://www.newoceansenterprises.com/
Email: donna@newoceansenterprises.com
Cell: 678-520-3838
40© 2019 New Oceans Enterprises, LLC – All Rights Reserved