Measuring and Communicating Risk the FAIR Way (Kevin Riggins)
DESCRIPTION
Two of the most important elements of a successful risk management practice are measuring and communicating risk. A repeatable, consistent framework for measuring risk is vital. We also need a way to communicate the results of those assessments to business partners in a manner relevant to them. From the Factor Analysis of Information Risk whitepaper: “FAIR provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.” This presentation will show how FAIR provides a common taxonomy for assessing risk, how it allows us to measure risk in a manner that is repeatable and supportable, and finally how we can communicate that risk effectively.
TRANSCRIPT
Slide 1: Measuring and Communicating Risk the FAIR Way
Slide 2: Agenda
What’s the problem?
How do we solve it?
What’s FAIR?
How’s it work?
What did we talk about?
Slide 3: What’s the problem?
Slide 4
“There are risks and costs to a program of action. But they are far less than the long-range risks and costs of comfortable inaction.” ~ John F. Kennedy
Slide 5: How much?
Slide 6: Could be a little bit of risk
Gerbil (It is NOT a rat!)
Slide 7: Or, a whole lot of risk!
Elephant (also NOT a rat)
Slide 8: Got to measure it!
Slide 9: The risk is ….
Slide 10: Low
Slide 11: Moderate
Slide 12: High
Slide 13: How do we solve it?
Slide 14: Rock, Paper, Scissors, Lizard, Spock
Slide 15: Factor Analysis of Information Risk (FAIR)
Slide 16: What’s FAIR?
Slide 17: Components
Slide 18: Risk Landscape
Assets, Threats, Organization, External Environment
Slide 19: Assets
Slide 20: Threats
Slide 21: The Organization
Slide 22: External Environment
Slide 23: Defining Risk
Risk = the probable frequency and probable magnitude of future loss
Slide 24: Probability
Slide 25: Possible, but not probable!!
Slide 26: Taxonomy
Risk
  Loss Frequency
  Loss Magnitude
Slides 27-29: Taxonomy, Loss Frequency branch (revealed one level per slide)
Risk
  Loss Frequency (Probable Loss Event Frequency)
    Threat Event Frequency
      Contact
      Action
    Vulnerability
      Threat Capability
      Resistance Strength
Slide 30: Loss
Slide 31: Forms of Loss
Productivity, Response, Replacement, Fines and Judgments, Competitive Edge, Reputation
Slides 32-35: Taxonomy, complete tree (Loss Magnitude branch revealed one level per slide)
Risk
  Loss Frequency (Probable Loss Event Frequency)
    Threat Event Frequency
      Contact
      Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude (Probable Loss Magnitude)
    Primary Loss
      Effect Duration
      Loss Magnitude
    Secondary Loss
      Loss Frequency
      Loss Magnitude
Slide 36: How’s it work?
Slide 37: Four Stages
1. Identify Scenario Components
2. Evaluate Loss Event Frequency
3. Evaluate Probable Loss Magnitude (PLM)
4. Derive and Articulate Risk
Slide 38: Stage 1, Identify Scenario Components
Assets, Threats
Slide 39: Assets are inside My House (not really)
Slide 40: Threat == Burglar (Yeah, it’s a pirate, work with me!)
Slide 41: Stage 2, Evaluating Loss Event Frequency
1. Estimate the probable Threat Event Frequency (TEF)
2. Estimate the Threat Capability (TCap)
3. Estimate Control Strength (CS)
4. Derive Vulnerability (Vuln)
5. Derive Loss Event Frequency (LEF)
Slide 42: Estimate Threat Event Frequency

| Rating | Description |
|---|---|
| Very High (VH) | >100 times per year |
| High (H) | Between 10 and 100 times per year |
| Medium (M) | Between 1 and 10 times per year |
| Low (L) | Between 0.1 and 1 times per year |
| Very Low (VL) | <0.1 times per year |

Slide 43: Scenario worksheet after step 1
Threat Event Frequency (TEF): VL
Threat Capability (TCap): to be estimated
Control Strength (CS): to be estimated
Vulnerability (Vuln): to be derived
Loss Event Frequency (LEF): to be derived
Slide 44: Estimate Threat Capability (TCap)

| Rating | Description |
|---|---|
| Very High (VH) | Top 2% when compared against the overall threat population |
| High (H) | Top 16% when compared against the overall threat population |
| Medium (M) | Average skill and resources (between bottom 16% and top 16%) |
| Low (L) | Bottom 16% when compared against the overall threat population |
| Very Low (VL) | Bottom 2% when compared against the overall threat population |

Slide 45: Scenario worksheet after step 2
Threat Event Frequency (TEF): VL
Threat Capability (TCap): H
Resistance Strength (RS): to be estimated
Vulnerability (Vuln): to be derived
Loss Event Frequency (LEF): to be derived
Slide 46
"I am Locutus of Borg. Resistance is futile." ~ Locutus, Star Trek: First Contact
Slide 47: Estimate Resistance Strength (RS)

| Rating | Description |
|---|---|
| Very High (VH) | Protects against all but the top 2% of an avg. threat population |
| High (H) | Protects against all but the top 16% of an avg. threat population |
| Moderate (M) | Protects against the average threat agent |
| Low (L) | Only protects against the bottom 16% of an avg. threat population |
| Very Low (VL) | Only protects against the bottom 2% of an avg. threat population |

Slide 48: Bruno the Attack Chihuahua
![Page 49: Measuring And Communication Risk The Fair Way Kevin Riggins](https://reader033.vdocuments.us/reader033/viewer/2022051818/54b886074a7959c9388b456e/html5/thumbnails/49.jpg)
Rating Description
Very High (VH) Protects against all but the top 2% of an avg. threat population
High (H) Protects against all but the top 16% of an avg. threat population
Moderate (M) Protects against the average threat agent
Low (L) Only protects against bottom 16% of an avg. threat population
Very Low (VL) Only protects against bottom 2% of an avg. threat population
Estimate Resistance Strength (RS)
![Page 50: Measuring And Communication Risk The Fair Way Kevin Riggins](https://reader033.vdocuments.us/reader033/viewer/2022051818/54b886074a7959c9388b456e/html5/thumbnails/50.jpg)
Threat Event Frequency (TEF)
Threat Capability (TCap)
Resistance Strength (RS)
Vulnerability (Vuln)
Loss Event Frequency (LEF)
VL
H
VL
Slide 51: Deriving Vulnerability (V)
Rows are Threat Capability (TCap); columns are Resistance Strength.

| TCap \ RS | VL | L | M | H | VH |
|---|---|---|---|---|---|
| VH | VH | VH | VH | H | M |
| H | VH | VH | H | M | L |
| M | VH | H | M | L | VL |
| L | H | M | L | VL | VL |
| VL | M | L | VL | VL | VL |

Slide 52: Scenario worksheet after step 4
Threat Event Frequency (TEF): VL
Threat Capability (TCap): H
Resistance Strength (RS): VL
Vulnerability (Vuln): VH
Loss Event Frequency (LEF): to be derived
Slide 53: Deriving Loss Event Frequency (LEF)
Rows are Threat Event Frequency (TEF); columns are Vulnerability (V).

| TEF \ V | VL | L | M | H | VH |
|---|---|---|---|---|---|
| VH | M | H | VH | VH | VH |
| H | L | M | H | H | H |
| M | VL | L | M | M | M |
| L | VL | VL | L | L | L |
| VL | VL | VL | VL | VL | VL |

Slide 54: Scenario worksheet after step 5
Threat Event Frequency (TEF): VL
Threat Capability (TCap): H
Resistance Strength (RS): VL
Vulnerability (Vuln): VH
Loss Event Frequency (LEF): VL
Slide 55: Stage 3, Evaluate Probable Loss Magnitude (PLM)
1. Estimate worst-case loss
2. Estimate probable loss
Slide 56: Probable Loss Magnitude
Don’t forget! We have two components to PLM, Primary and Secondary.
Slide 57: Estimating Probable Loss Magnitude (PLM)
1) Identify the most likely threat community action(s)
2) Evaluate the probable loss magnitude for each loss form
3) Sum the magnitudes
Slide 58: Evaluating Loss Magnitude
Rows are Threat Actions; columns are Loss Forms.

| Threat Actions | Productivity | Response | Replacement | Fines/Judgment | Comp. Adv. | Reputation |
|---|---|---|---|---|---|---|
| Access | | | | | | |
| Misuse | | | | | | |
| Disclosure | | | | | | |
| Modification | | | | | | |
| Deny Access | | | | | | |

Slide 59: Probable Loss Magnitude Scale

| Magnitude | Range Low End | Range High End |
|---|---|---|
| Severe (SV) | $10,000,000 | ∞ |
| High (H) | $1,000,000 | $9,999,999 |
| Significant (Sg) | $100,000 | $999,999 |
| Moderate (M) | $10,000 | $99,999 |
| Low (L) | $1,000 | $9,999 |
| Very Low (VL) | $0 | $999 |
Slide 60: Evaluate Worst Case Loss Magnitude

| Threat Actions | Productivity | Response | Replacement | Fines/Judgment | Comp. Adv. | Reputation |
|---|---|---|---|---|---|---|
| Access | | | | | | |
| Misuse | | | | | | |
| Disclosure | | | | | | |
| Modification | | | | | | |
| Deny Access | L | M | H | -- | -- | -- |

Slide 61: Evaluate Probable Loss Magnitude

| Threat Actions | Productivity | Response | Replacement | Fines/Judgment | Comp. Adv. | Reputation |
|---|---|---|---|---|---|---|
| Access | | | | | | |
| Misuse | | | | | | |
| Disclosure | | | | | | |
| Modification | | | | | | |
| Deny Access | VL | L | Sg | -- | -- | -- |

Slide 62: Scenario results so far
Loss Event Frequency: VL
Probable Loss Magnitude: Sg
Worst-case Loss Magnitude: H
Slide 63: Stage 4, Derive and Articulate Risk
Slide 64: Derive Risk
Rows are Probable Loss Magnitude (PLM); columns are Loss Event Frequency (LEF).

| PLM \ LEF | Very Low | Low | Moderate | High | Very High |
|---|---|---|---|---|---|
| Severe | H | H | C | C | C |
| High | M | H | H | C | C |
| Sig. | M | M | H | H | C |
| Moderate | L | M | M | H | H |
| Low | L | L | M | M | M |
| Very Low | L | L | M | M | M |
Slide 65: Articulate Risk
Threat Event Frequency (TEF): VL
Threat Capability (TCap): H
Resistance Strength (RS): VL
Vulnerability (Vuln): VH
Loss Event Frequency (LEF): VL
Probable Loss Magnitude: Sg
Worst-case Loss Magnitude: H
Risk: M
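As an added example (not code from the slides or from the FAIR documentation), the Python below carries the burglar scenario through Stages 2 to 4 using the rating scales and lookup matrices shown on the slides. The dollar figures, the half-open reading of the TEF bands, and reading the matrix value `C` as Critical are assumptions.

```python
FREQ_ORDER = ["VL", "L", "M", "H", "VH"]  # column order of every lookup table


def rate_tef(events_per_year):
    """Threat Event Frequency scale from slide 42. The slide's bands overlap
    ("between 10 and 100"); assumed here to include their lower bound."""
    for rating, floor in (("VH", 100), ("H", 10), ("M", 1), ("L", 0.1)):
        if events_per_year >= floor:
            return rating
    return "VL"


def rate_magnitude(dollars):
    """Probable Loss Magnitude scale from slide 59 (US dollars)."""
    for rating, floor in (("SV", 10_000_000), ("H", 1_000_000),
                          ("Sg", 100_000), ("M", 10_000), ("L", 1_000)):
        if dollars >= floor:
            return rating
    return "VL"


# Vulnerability (slide 51): row = Threat Capability, column = RS (VL..VH).
VULN = {"VH": ["VH", "VH", "VH", "H", "M"], "H": ["VH", "VH", "H", "M", "L"],
        "M": ["VH", "H", "M", "L", "VL"], "L": ["H", "M", "L", "VL", "VL"],
        "VL": ["M", "L", "VL", "VL", "VL"]}
# Loss Event Frequency (slide 53): row = TEF, column = Vulnerability (VL..VH).
LEF = {"VH": ["M", "H", "VH", "VH", "VH"], "H": ["L", "M", "H", "H", "H"],
       "M": ["VL", "L", "M", "M", "M"], "L": ["VL", "VL", "L", "L", "L"],
       "VL": ["VL"] * 5}
# Risk (slide 64): row = PLM, column = LEF (VL..VH). "C" assumed = Critical.
RISK = {"SV": ["H", "H", "C", "C", "C"], "H": ["M", "H", "H", "C", "C"],
        "Sg": ["M", "M", "H", "H", "C"], "M": ["L", "M", "M", "H", "H"],
        "L": ["L", "L", "M", "M", "M"], "VL": ["L", "L", "M", "M", "M"]}


def lookup(table, row, col):
    return table[row][FREQ_ORDER.index(col)]


def derive_plm(loss_forms):
    """Stage 3: sum the per-loss-form dollar estimates, then rate the total."""
    return rate_magnitude(sum(loss_forms.values()))


def fair_analysis(tef_per_year, tcap, rs, probable, worst_case):
    """Stages 2-4: TEF, TCap, RS -> Vuln -> LEF; PLM; Risk."""
    tef = rate_tef(tef_per_year)
    vuln = lookup(VULN, tcap, rs)
    lef = lookup(LEF, tef, vuln)
    plm = derive_plm(probable)
    return {"TEF": tef, "TCap": tcap, "RS": rs, "Vuln": vuln, "LEF": lef,
            "PLM": plm, "WorstCase": derive_plm(worst_case),
            "Risk": lookup(RISK, plm, lef)}


# Burglar scenario; constructed dollars land in the bands the slides rate.
BURGLAR = fair_analysis(
    tef_per_year=0.05, tcap="H", rs="VL",
    probable={"Productivity": 500, "Response": 5_000, "Replacement": 250_000},
    worst_case={"Productivity": 5_000, "Response": 50_000,
                "Replacement": 2_000_000})

if __name__ == "__main__":
    for factor, rating in BURGLAR.items():
        print(f"{factor:>9}: {rating}")
```

Running it reproduces the worksheet on slide 65: Vuln VH, LEF VL, PLM Sg, worst case H, Risk M.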
Slide 66: Resources
FAIR Wiki: http://fairwiki.riskmanagementinsight.com
FAIR Blog: http://riskanalys.is
Open Group: http://www.opengroup.org/projects/security/fair/
Slide 67: What did we talk about?
We talked about the problem.
We identified a solution – FAIR.
We talked about the risk landscape.
We talked about the taxonomy.
We talked about measuring risk.
We talked about how to communicate risk.
Slide 68: Questions?
Kevin Riggins, CISSP, CCNA
Senior Information Security Analyst
Security Review and Consulting Team Lead, Principal Financial Group
InfoSec Ramblings: http://www.infosecramblings.com
Twitter: @kriggins