Factor analysis of information risk

Factor analysis of information risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events. It is not, per se, a "cookbook" that describes how to perform an enterprise (or individual) risk assessment.[1]

A number of methodologies deal with risk management in an IT environment or IT risk, related to information security management systems and standards like ISO/IEC 27000-series.

The unanswered challenge, however, is that without a solid understanding of what risk is, what the factors are that drive risk, and without a standard nomenclature, one cannot be consistent or truly effective in using any method. FAIR seeks to provide this foundation, as well as a framework for performing risk analyses. Much of the FAIR framework can be used to strengthen, rather than replace, existing risk analysis processes like those mentioned above.[1]

FAIR is not another methodology to deal with risk management, but it complements existing methodologies.

FAIR is not in direct competition with the other risk assessment frameworks, but actually is complementary to many of them.[1]

Although the basic taxonomy and methods have been made available for non-commercial use under a creative commons license, FAIR itself is proprietary. Using FAIR to analyze someone else's risk for commercial gain (e.g. through consulting or as part of a software application) requires a license from RMI.[2]

Adoption

As a standards body, The Open Group aims to evangelize the use of FAIR within the context of these risk assessment or management frameworks. In doing so, The Open Group becomes not just a group offering yet another risk assessment framework, but a standards body which solves the difficult problem of developing consistent, defensible statements concerning risk.[1]

ISACA in its Risk IT Framework, that extends COBIT, cites FAIR and its concepts.

The "Build Security In" initiative of Homeland Security Department of USA, cites FAIR.[3]

Documentation

FAIR's main document is "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006;[4]

The contents of this white paper and the FAIR framework itself are released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5. In order to reasonably discuss the factors that drive risk, the document first defines what risk is. The Risk and Risk Analysis section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.

The Controls section briefly introduces the three dimensions of a controls landscape. Measuring Risk briefly discusses measurement concepts and challenges, and then provides a high-level discussion of risk factor measurements.

Main concepts

FAIR [4] underlines that risk is an uncertain event and one should not focus on what is possible, but on how probable is a given event. This probabilistic approach is applied to every factor that is analysed. The risk is the probability of a loss tied to an asset.

Asset

An asset’s loss potential stems from the value it represents and/or the liability it introduces to an organization.[4] For example, customer information provides value through its role in generating revenue for a commercial organization. That same information also can introduce liability to the organization if a legal duty exists to protect it, or if customers have an expectation that the information about them will be appropriately protected.

FAIR defines six kind of loss:[4]

  1. Productivity – a reduction of the organization to effectively produce goods or services in order to generate value
  2. Response – the resources spent while acting following an adverse event
  3. Replacement – the expense to substitute/repair an affected asset
  4. Fines and judgements (F/J) – the cost of the overall legal procedure deriving from the adverse event
  5. Competitive advantage (CA)- missed opportunities due to the security incident
  6. Reputation – missed opportunities or sales due to the diminishing corporate image following the event


FAIR defines value/liability as:[4]

  1. Criticality – the effect on the organization productivity
  2. Cost – the bare cost of the asset, the cost of replacing a compromised asset
  3. Sensitivity – the cost associated to the disclosure of the information, further divided into:
    1. Embarrassment – the disclosure states the inappropriate behaviour of the management of the company
    2. Competitive advantage – the loss of competitive advantage tied to the disclosure
    3. Legal/regulatory – the cost associated with the possible law violations
    4. General – other losses tied to the sensitivity of data

Threat

Threat agents can be grouped by Threat Communities, subsets of the overall threat agent population that share key characteristics. It’s important to precisely define threat communities in order to effectively evaluate effect (loss magnitude).

Threat agents can act differently on an asset:[4]

These actions can affect different assets in different ways: the effect varies in relationship with the characteristics of the asset and its usage. Some assets have high criticality but low sensitivity: denial of access has a much higher effect than disclosure on such assets. On the other hand, an asset with highly sensitive data can have a low productivity effect if not available, but huge embarrassment and legal effect if that data is disclosed: for example the availability of former patient health data does not affect a healthcare organization's productivity but can cost millions of dollars if disclosed. [5] A single event can involve different assets: a [laptop theft] affects the availability of the laptop itself but can lead to the potential disclosure of the information stored on it.

The key point is that it is the combination of an asset's characteristics and the type of action against that asset that determines the fundamental nature and degree of loss.

Important aspects to be considered are the agent motive and the affected asset characteristics.

See also

Notes and references

  1. 1 2 3 4 Technical Standard Risk Taxonomy ISBN 1-931624-77-1 Document Number: C081 Published by The Open Group, January 2009.
  2. "Frequently Asked Questions". CXOWARE. October 30, 2013. Archived from the original on 2013-10-30.
  3. https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/deployment/583-BSI.html
  4. 1 2 3 4 5 6 "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006;
  5. CNN article about a class action settlement for a Veteran Affair stolen laptop

External links

This article is issued from Wikipedia - version of the Friday, May 06, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.