Measuring and Communicating Risk the FAIR Way (Kevin Riggins)
Post on 16-Jan-2015
Measuring and Communicating Risk the FAIR Way
Agenda
What’s the problem?
How do we solve it?
What’s FAIR?
How’s it work?
What did we talk about?
What’s the problem?
“There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.” ~ John F. Kennedy
How much?
Could be a little bit of risk
Gerbil (it is NOT a rat!)
Or, a whole lot of risk!
Elephant (also NOT a rat)
Got to measure it!
The risk is ….
Low
Moderate
High
How do we solve it?
Rock, Paper, Scissors, Lizard, Spock
Factor Analysis of Information Risk (FAIR)
What’s FAIR?
Components of the Risk Landscape
Assets
Threats
The Organization
External Environment
Defining Risk
Risk = the probable frequency and probable magnitude of future loss
Probability
Possible, but not probable!!
Taxonomy
Risk
  Probable Loss Event Frequency
    Threat Event Frequency
      Contact
      Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Probable Loss Magnitude
    Primary Loss
      Effect Duration
      Loss Magnitude
    Secondary Loss
      Loss Magnitude
      Loss Frequency
Forms of Loss
Productivity, Response, Replacement, Fines and Judgments, Competitive Edge, Reputation
How’s it work?
Four Stages
1. Identify Scenario Components
2. Evaluate Loss Event Frequency
3. Evaluate Probable Loss Magnitude (PLM)
4. Derive and Articulate Risk
Stage 1: Identify Scenario Components
Assets and Threats
Assets are inside My House (not really)
Threat == Burglar (Yeah, it’s a pirate, work with me!)
Stage 2: Evaluating Loss Event Frequency
1. Estimate the probable Threat Event Frequency (TEF)
2. Estimate the Threat Capability (TCap)
3. Estimate Resistance Strength (RS), also called Control Strength (CS)
4. Derive Vulnerability (Vuln)
5. Derive Loss Event Frequency (LEF)
Estimate Threat Event Frequency (TEF)
Rating          Description
Very High (VH)  >100 times per year
High (H)        Between 10 and 100 times per year
Medium (M)      Between 1 and 10 times per year
Low (L)         Between .1 and 1 times per year
Very Low (VL)   <.1 times per year
Running example so far: TEF = VL
Estimate Threat Capability (TCap)
Rating          Description
Very High (VH)  Top 2% when compared against the overall threat population
High (H)        Top 16% when compared against the overall threat population
Medium (M)      Average skill and resources (between bottom 16% and top 16%)
Low (L)         Bottom 16% when compared against the overall threat population
Very Low (VL)   Bottom 2% when compared against the overall threat population
Running example so far: TEF = VL, TCap = H
"I am Locutus of Borg. Resistance is futile." ~ Locutus, Star Trek: First Contact
Estimate Resistance Strength (RS)
Rating          Description
Very High (VH)  Protects against all but the top 2% of an avg. threat population
High (H)        Protects against all but the top 16% of an avg. threat population
Moderate (M)    Protects against the average threat agent
Low (L)         Only protects against bottom 16% of an avg. threat population
Very Low (VL)   Only protects against bottom 2% of an avg. threat population
Bruno the Attack Chihuahua
Running example so far: TEF = VL, TCap = H, RS = VL
Deriving Vulnerability (Vuln)
Rows: Threat Capability (TCap); columns: Resistance Strength (RS)
TCap \ RS   VL   L    M    H    VH
VH          VH   VH   VH   H    M
H           VH   VH   H    M    L
M           VH   H    M    L    VL
L           H    M    L    VL   VL
VL          M    L    VL   VL   VL
Running example so far: TEF = VL, TCap = H, RS = VL, Vuln = VH (TCap H row, RS VL column)
Deriving Loss Event Frequency (LEF)
Rows: Threat Event Frequency (TEF); columns: Vulnerability (Vuln)
TEF \ Vuln  VL   L    M    H    VH
VH          M    H    VH   VH   VH
H           L    M    H    H    H
M           VL   L    M    M    M
L           VL   VL   L    L    L
VL          VL   VL   VL   VL   VL
Running example so far: TEF = VL, TCap = H, RS = VL, Vuln = VH, LEF = VL (TEF VL row, Vuln VH column)
Stage 3: Evaluate Probable Loss Magnitude (PLM)
1. Estimate worst-case loss
2. Estimate probable loss
Don’t forget! We have two components to PLM, Primary and Secondary
Estimating Probable Loss Magnitude (PLM)
1) Identify the most likely threat community action(s)
2) Evaluate the probable loss magnitude for each loss form
3) Sum the magnitudes
Evaluating Loss Magnitude
Loss forms (columns): Productivity, Response, Replacement, Fines/Judgment, Comp. Adv., Reputation
Threat actions (rows): Access, Misuse, Disclosure, Modification, Deny Access
Probable Loss Magnitude Scale
Magnitude         Range Low End   Range High End
Severe (SV)       $10,000,000     ∞
High (H)          $1,000,000      $9,999,999
Significant (Sg)  $100,000        $999,999
Moderate (M)      $10,000         $99,999
Low (L)           $1,000          $9,999
Very Low (VL)     $0              $999
Evaluate Worst Case Loss Magnitude (only the Deny Access row is rated in the deck)
Threat Action  Productivity  Response  Replacement  Fines/Judgment  Comp. Adv.  Reputation
Deny Access    L             M         H            --              --          --
Evaluate Probable Loss Magnitude (only the Deny Access row is rated in the deck)
Threat Action  Productivity  Response  Replacement  Fines/Judgment  Comp. Adv.  Reputation
Deny Access    VL            L         Sg           --              --          --
Running example so far: Loss Event Frequency = VL, Probable Loss Magnitude = Sg, Worst-case Loss Magnitude = H
Stage 4: Derive and Articulate Risk
Derive Risk
Rows: Probable Loss Magnitude (PLM); columns: Loss Event Frequency (LEF). C = Critical.
PLM \ LEF   Very Low  Low  Moderate  High  Very High
Severe      H         H    C         C     C
High        M         H    H         C     C
Sig.        M         M    H         H     C
Moderate    L         M    M         H     H
Low         L         L    M         M     M
Very Low    L         L    M         M     M
Articulate Risk
Running example, complete: TEF = VL, TCap = H, RS = VL, Vuln = VH, LEF = VL, Probable Loss Magnitude = Sg, Worst-case Loss Magnitude = H, Risk = M (Sig. row, Very Low column)
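The four-stage derivation above, run end to end in code. This is an added example, not code from Kevin Riggins' deck or from the FAIR standard: the three lookup matrices and the dollar scale are copied from the slides, while the function names, the burglar-scenario dollar figures, and the reading of stage 3 as "sum the per-loss-form dollar estimates, then bin the total on the scale" are this example's own assumptions.

```python
"""FAIR stages 2-4 as code. Added worked example, not code from Kevin Riggins'
deck or from the FAIR standard. The lookup matrices and the dollar scale are
copied from the slides; the function names, the burglar dollar figures and the
reading of stage 3 as "sum the per-form dollar estimates, then bin the total"
are this example's own assumptions."""

# Five-level scale shared by TEF, TCap, RS, Vulnerability and LEF (low to high).
LEVELS = ["VL", "L", "M", "H", "VH"]

# Vulnerability matrix: row = Threat Capability, column = Resistance Strength (VL..VH).
VULN_MATRIX = {
    "VH": ["VH", "VH", "VH", "H", "M"],  "H": ["VH", "VH", "H", "M", "L"],
    "M": ["VH", "H", "M", "L", "VL"],    "L": ["H", "M", "L", "VL", "VL"],
    "VL": ["M", "L", "VL", "VL", "VL"],
}
# Loss Event Frequency matrix: row = TEF, column = Vulnerability (VL..VH).
LEF_MATRIX = {
    "VH": ["M", "H", "VH", "VH", "VH"],  "H": ["L", "M", "H", "H", "H"],
    "M": ["VL", "L", "M", "M", "M"],     "L": ["VL", "VL", "L", "L", "L"],
    "VL": ["VL", "VL", "VL", "VL", "VL"],
}
# Probable Loss Magnitude scale: (rating, low end of the band in dollars).
PLM_BANDS = [("VL", 0), ("L", 1_000), ("M", 10_000), ("Sg", 100_000),
             ("H", 1_000_000), ("SV", 10_000_000)]
# Risk matrix: row = PLM rating, column = LEF (VL..VH). "C" is Critical.
RISK_MATRIX = {
    "SV": ["H", "H", "C", "C", "C"],  "H": ["M", "H", "H", "C", "C"],
    "Sg": ["M", "M", "H", "H", "C"],  "M": ["L", "M", "M", "H", "H"],
    "L": ["L", "L", "M", "M", "M"],   "VL": ["L", "L", "M", "M", "M"],
}
# The six forms of loss from the deck (keys are this example's own spelling).
LOSS_FORMS = ("productivity", "response", "replacement",
              "fines_judgments", "competitive_advantage", "reputation")


def _col(level: str) -> int:
    """Column index of a five-level rating; anything off the scale is an error."""
    if level not in LEVELS:
        raise ValueError(f"unknown rating {level!r}, expected one of {LEVELS}")
    return LEVELS.index(level)


def derive_vulnerability(tcap: str, rs: str) -> str:
    """Stage 2, step 4: Vuln from the TCap row and RS column of the deck's matrix."""
    _col(tcap)  # validate the row label too
    return VULN_MATRIX[tcap][_col(rs)]


def derive_lef(tef: str, vuln: str) -> str:
    """Stage 2, step 5: LEF from the TEF row and Vulnerability column."""
    _col(tef)
    return LEF_MATRIX[tef][_col(vuln)]


def magnitude_rating(dollars: float) -> str:
    """Bin a dollar loss into the deck's PLM scale; bands are inclusive at the low end."""
    if dollars < 0:
        raise ValueError("a loss cannot be negative")
    rating = PLM_BANDS[0][0]
    for name, low_end in PLM_BANDS:
        if dollars >= low_end:
            rating = name
    return rating


def sum_loss_forms(estimates: dict) -> float:
    """Stage 3: total the per-loss-form dollar estimates for one threat action."""
    unknown = set(estimates) - set(LOSS_FORMS)
    if unknown:
        raise ValueError(f"unknown loss form(s): {sorted(unknown)}")
    return float(sum(estimates.values()))


def derive_risk(lef: str, plm: str) -> str:
    """Stage 4: Risk from the PLM row and LEF column of the deck's matrix."""
    if plm not in RISK_MATRIX:
        raise ValueError(f"unknown magnitude rating {plm!r}")
    return RISK_MATRIX[plm][_col(lef)]


def fair_analysis(tef, tcap, rs, probable_loss, worst_case_loss) -> dict:
    """Run stages 2-4 and keep every intermediate: that chain is what gets articulated."""
    vuln = derive_vulnerability(tcap, rs)
    lef = derive_lef(tef, vuln)
    plm_dollars = sum_loss_forms(probable_loss)
    worst_dollars = sum_loss_forms(worst_case_loss)
    plm = magnitude_rating(plm_dollars)
    return {
        "TEF": tef, "TCap": tcap, "RS": rs, "Vuln": vuln, "LEF": lef,
        "PLM_dollars": plm_dollars, "PLM": plm,
        "WorstCase_dollars": worst_dollars, "WorstCase": magnitude_rating(worst_dollars),
        "Risk": derive_risk(lef, plm),
    }


# Burglar scenario from the slides (TEF VL, TCap H, RS VL). The dollar figures are
# constructed for this example so each form lands in the band the deck rated:
# probable VL/L/Sg, worst case L/M/H.
BURGLAR_PROBABLE = {"productivity": 500, "response": 5_000, "replacement": 300_000}
BURGLAR_WORST = {"productivity": 5_000, "response": 50_000, "replacement": 2_000_000}


def burglar_example() -> dict:
    return fair_analysis("VL", "H", "VL", BURGLAR_PROBABLE, BURGLAR_WORST)


if __name__ == "__main__":
    for name, value in burglar_example().items():
        print(f"{name:>18}: {value}")
```

Running it reproduces the deck's chain (Vuln VH, LEF VL, PLM Sg, worst case H, Risk M). Two sanity checks fall out of the matrices as written: in the LEF table no row ever exceeds its own TEF label, because a loss event cannot occur more often than the threat event that causes it, and the Vulnerability table is simply TCap minus RS shifted up two steps and clamped to the scale, so a control one step weaker than the attacker already lands on High vulnerability.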
Resources
FAIR Wiki: http://fairwiki.riskmanagementinsight.com
FAIR Blog: http://riskanalys.is
Open Group: http://www.opengroup.org/projects/security/fair/
What did we talk about?
We talked about the problem.
We identified a solution – FAIR.
We talked about the risk landscape.
We talked about the taxonomy.
We talked about measuring risk.
We talked about how to communicate risk.
Kevin Riggins, CISSP, CCNA
Senior Information Security Analyst
Security Review and Consulting Team Lead, Principal Financial Group
Riggins.Kevin@principal.com
InfoSec Ramblings: http://www.infosecramblings.com
kriggins@infosecramblings.com
Twitter: @kriggins
Questions?