Measuring and Communicating Riskthe

FAIR Way

What’s the problem?

How do we solve it?

What’s FAIR?

How’s it work?

What did we talk about?

Agenda

What’s the problem?

“There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.” ~ John F. Kennedy

How much?

Could be a little bit of risk

Gerbil(It is NOT a rat!)

Or, a whole lot of risk!

Elephant(also NOT a rat)

Got to measure it!

The risk is ….

Low

Moderate

High

How do we solve it?

Rock, Paper, Scissors, Lizard, Spock

Factor Analysis

of

Information Risk

(FAIR)

What’s FAIR?

Components

Risk LandscapeAssetsThreatsOrganizationExternal Environment

Assets

Threats

The Organization

External Environment

probable frequency

probable magnitude

of future loss

Risk =

Defining Risk

Probability

Possible, but not probable!!

Risk

LossFrequency

Loss Magnitude

Taxonomy

Risk

Action

Threat EventFrequency

Contact

LossFrequency

Risk

Action

Threat EventFrequency

Resistance Strength

Contact

Vulnerability

Threat Capability

LossFrequency

Risk

Action

Threat EventFrequency

Resistance Strength

Contact

Vulnerability

Threat Capability

LossFrequency

Probable LossEvent Frequency

Loss

Forms of Loss

ProductivityResponseReplacementFines and JudgmentsCompetitive EdgeReputation

Risk

Primary Loss

Effect Duration

Loss Magnitude

Action

Threat EventFrequency

Resistance Strength

Contact

Vulnerability

Threat Capability

LossFrequency

Probable LossEvent Frequency

Risk

Primary Loss

Secondary Loss

Loss magnitude

Effect Duration

Loss Magnitude

Loss Frequency

Action

Threat EventFrequency

Resistance Strength

Contact

Vulnerability

Threat Capability

LossFrequency

Probable LossEvent Frequency

Risk

Primary Loss Secondary Loss

Loss magnitude

Effect Duration

Loss Magnitude

Loss Frequency

Probable LossMagnitude

Action

Threat EventFrequency

Resistance Strength

Contact

Vulnerability

Threat Capability

LossFrequency

Probable LossEvent Frequency

Risk

Action

Threat EventFrequency

Resistance Strength

Contact

Vulnerability

Threat Capability

Primary Loss Secondary Loss

Loss magnitude

Effect Duration

LossFrequency

Loss Magnitude

Loss Frequency

Probable LossEvent Frequency

Probable LossMagnitude

Taxonomy

How’s it work?

1. Identify Scenario Components

2. Evaluate Loss Event Frequency

3. Evaluate Probable Loss Magnitude (PLM)

4. Derive and Articulate Risk

Four Stages

Identify Scenario Components

Stage 1

AssetsThreats

Assets are insideMy House(not really)

Threat == Burglar(Yeah, it’s a pirate,work with me!)

1. Estimate the probable Threat Event Frequency (TEF)

2. Estimate the Threat Capability (TCap)

3. Estimate Control strength (CS)

4. Derive Vulnerability (Vuln)

5. Derive Loss Event Frequency (LEF)

Evaluating Loss Event Frequency

Stage 2

Estimate Threat Event Frequency

Rating Description

Very High (VH) >100 time per year

High (H) Between 10 and 100 times per year

Medium (M) Between 1 and 10 times per year

Low (L) Between .1 and 1 times per year

Very Low (VL) <.1 times per year

VLThreat Event Frequency (TEF)

Threat Capability (TCap)

Control strength (CS)

Vulnerability (Vuln)

Loss Event Frequency (LEF)

Estimate Threat Capability (Tcap)Rating Description

Very High (VH) Top 2% when compared against the overall threat population

High (H) Top 16% when compared against the overall threat population

Medium (M) Average skill and resources (between bottom 16% and top 16%)

Low (L) Bottom 16% when compared against the overall threat population

Very Low (VL) Bottom 2% when compared against the overall threat population

Threat Event Frequency (TEF)

Threat Capability (TCap)

Resistance Strength (RS)

Vulnerability (Vuln)

Loss Event Frequency (LEF)

VL

H

"I am Locutus of Borg. Resistance is futile." ~ Locutus, Star Trek: First Contact

Estimate Resistance Strength (RS)Rating Description

Very High (VH) Protects against all but the top 2% of an avg. threat population

High (H) Protects against all but the top 16% of an avg. threat population

Moderate (M) Protects against the average threat agent

Low (L) Only protects against bottom 16% of an avg. threat population

Very Low (VL) Only protects against bottom 2% of an avg. threat population

Bruno the Attack Chihuahua

Rating Description

Very High (VH) Protects against all but the top 2% of an avg. threat population

High (H) Protects against all but the top 16% of an avg. threat population

Moderate (M) Protects against the average threat agent

Low (L) Only protects against bottom 16% of an avg. threat population

Very Low (VL) Only protects against bottom 2% of an avg. threat population

Estimate Resistance Strength (RS)

Threat Event Frequency (TEF)

Threat Capability (TCap)

Resistance Strength (RS)

Vulnerability (Vuln)

Loss Event Frequency (LEF)

VL

H

VL

Deriving Vulnerability (V)Vulnerability

VH VH VH VH H M

H VH VH H M L

M VH H M L VL

L H M L VL VL

VL M L VL VL VL

VL L M H VH

Tcap

Resistance Strength

Threat Event Frequency (TEF)

Threat Capability (TCap)

Resistance Strength (RS)

Vulnerability (Vuln)

Loss Event Frequency (LEF)

VL

H

VL

VH

Deriving Loss Event Frequency (LEF)

Loss Event Frequency

VH M H VH VH VH

H L M H H H

M VL L M M M

L VL VL L L L

VL VL VL VL VL VL

VL L M H VH

TEF

Vulnerability (V)

Threat Event Frequency (TEF)

Threat Capability (TCap)

Resistance Strength (RS)

Vulnerability (Vuln)

Loss Event Frequency (LEF)

VL

H

VL

VH

VL

Evaluate Probable Loss Magnitude (PLM)

1. Estimate worst-case loss

2. Estimate probable loss

Stage 3

Probable Loss Magnitude

Don’t forget!We have two components to PLM,

Primary and Secondary

1) Identify the most likely threat community action(s)2) Evaluate the probable loss magnitude for each loss form3) Sum the magnitudes

Estimating Probable Loss Magnitude (PLM)

Loss Forms

Threat Actions

Productivity Response Replacement Fines/

Judgment

Comp. Adv.

Reputation

Access

Misuse

Disclosure

Modification

Deny Access

Evaluating Loss Magnitude

Probable Loss Magnitude Scale

Magnitude Range Low End Range High End

Severe (SV) $10,000,000 ∞High (H) $1,000,000 $9,999,999

Significant (Sg) $100,000 $999,999

Moderate (M) $10,000 $99,999

Low (L) $1,000 $9,999

Very Low (VL) $0 $999

Loss Forms

Threat Actions Productivity Response Replacement Fines/

Judgment

Comp. Adv.

Reputation

Access

Misuse

Disclosure

Modification

Deny Access L M H -- -- --

Evaluate Worst Case Loss Magnitude

Loss Forms

Threat Actions

Productivity Response

Replacement

Fines/

Judgment

Comp. Adv.

Reputation

Access

Misuse

Disclosure

Modification

Deny Access

VL L Sg -- -- --

Evaluate Probable Loss Magnitude

Loss Event Frequency VL

Probable Loss Magnitude Sg

Worst-case Loss Magnitude H

4. Derive and Articulate Risk

Risk

Severe H H C C C

High M H H C C

Sig. M M H H C

Moderate L M M H H

Low L L M M M

Very Low L L M M M

Very Low Low Moderate High Very High

PLM

LEF

Derive Risk

Threat Event Frequency (TEF)

Threat Capability (TCap)

Resistance Strength (RS)

Vulnerability (Vuln)

Loss Event Frequency (LEF)

Probable Loss Magnitude

Worst-case Loss Magnitude

Risk

VL

H

VL

VH

VL

Sg

H

M

Articulate Risk

FAIR Wiki: http://fairwiki.riskmanagementinsight.comFAIR Blog: http://riskanalys.isOpen Group: http://www.opengroup.org/projects/security/fair/

Resources

We talked about the problem.

We identified a solution – FAIR.

We talked about the risk landscape.

We talked about the taxonomy.

We talked about measuring risk.

We talked about how to communicate risk.

What did we talk about?

Kevin Riggins, CISSP, CCNASenior Information Security Analyst

Security Review and Consulting Team LeadPrincipal Financial Group

Riggins.Kevin@principal.com

InfoSec Ramblingshttp://www.infosecramblings.com

kriggins@infosecramblings.com

Twitter: @kriggins

Questions?