Today, in most organizations, information assets are fundamental, and companies therefore invest heavily in protecting them. However, management's decisions on the scope of resources to be invested in protecting information assets are currently based on partial information provided in a "foreign language": the language of information technology professionals. This can lead managers to overinvest in protecting assets of lesser business criticality while under-investing in the protection of critical ones. A possible solution to this problem lies in the ability to "translate" and match business priorities to the appropriate technological challenges.
Information risk management is a relatively new discipline, and often, decision making when managing information risk falls victim to one or two fundamental problems:
- The decisions are not made by the right people, due to a lack of clarity about who the proper authority for managing information risk in the company is, what their level of responsibility is, and what is expected of them. This, in turn, often results in unmet goals and expectations, a lack of executive support, and/or a faulty set of business priorities.
- Decisions are made based on partial information or a partial understanding of the risk at hand, without viewing the organization as a whole. This is likely to result in monetary investments in the wrong places, insufficient investment, or a surplus of expenses without a clear ROI.
Information provided from audits and security assessments often focuses heavily on control conditions and does not explicitly take into consideration stakeholders, asset value/liability, or threat conditions. The assessor may consider some informal "gut" inclusion of those factors, but unless inclusion is explicit, risk ratings tend to inflate -- sometimes significantly. This risk inflation and the tendency to protect assets rather than stakeholder interests contribute significantly to overall cost-ineffectiveness and to deficient risk management.
Information risks are only a part of the overall risks that management and the board of directors have to manage (market, credit, operations and legal risks, etc.). In complex business situations and with limited resources, it is vital to strike an appropriate balance when deploying resources, so that the entire risk portfolio is managed in sync. This situation is also termed 'competition of risks', and the way to resolve it is by creating a set of priorities based on common denominators (preferably monetary).
In essence, most CISOs are technology oriented and are not fundamentally part of a company's executive management. Normally, they are not privy to the overall risk portfolio, and they often lack an understanding of the risk tolerance, the liability, and the overall business goals of the organization. On the other hand, few executives have a profound technical understanding of threats and technology controls. As a result, entrusting the CISO with information risk management necessitates a thorough understanding of the business elements. Entrusting this responsibility to the business executives (as is mostly done today) necessitates that the tech professionals provide the business executives with complete, clear, unbiased, and useful information about the threats, their possible implications and the available controls. That would ensure decision making is risk informed, and not the result of fear or current trends. Both cases require a common language and a clear understanding of roles and responsibilities.
As stated above, the missing link is often a common language which allows for translation of the information risk to monetary terms understood by all of the stakeholders. Looking for a solution to this problem, without reinventing the wheel, I researched various methodologies and one methodology stood out from all of the rest.
Factor Analysis of Information Risk (FAIR) is an easy-to-understand, effective methodology and toolset for risk analysis, risk management, root cause analysis and decision making. FAIR enables an organization to significantly improve its information risk management process by allowing risk reporting in a cost-effective manner (as is customary with business risks), budget optimization, and a foundation from which to develop a scientific approach to quantitative (i.e. monetary) information risk management.
FAIR sits on a solid foundation in statistics and actuarial science. Based upon the proven analytic utility of the normal (Gaussian) distribution, the practical value of Bayesian decision making techniques, and the power and sophistication of Monte Carlo simulation, FAIR provides estimates that are documentable, reproducible, realistic, defensible, and, most importantly, in a language that business executives, risk managers and CISOs all understand.
FAIR's quantitative capabilities enable a real understanding of "how much": how much risk does X represent, how much less risk will we have if we do ABC, and how much more (or less) effective is risk solution A than risk solution B?
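To make the "how much" questions concrete, here is an added example (my own illustration, not FAIR's official tooling or the author's code) that Monte Carlo simulates annualized loss exposure for one asset from FAIR's two top-level factors, loss event frequency and loss magnitude, and compares a baseline against an option with an added control. The scenario figures, the triangular (min / most likely / max) sampling and the Poisson event count are this example's assumptions, and are constructed for illustration only.

```python
import math
import random
import statistics

# Constructed, hypothetical scenario for one information asset. Each option
# gives calibrated (min, most likely, max) estimates for FAIR's two top-level
# factors: loss event frequency (events per year) and loss magnitude per
# event (in currency units). Triangular sampling is this example's choice.
BASELINE = {"lef": (0.5, 2.0, 6.0), "lm": (20_000, 80_000, 400_000)}
WITH_CONTROL = {"lef": (0.1, 0.5, 2.0), "lm": (20_000, 80_000, 400_000)}

def _poisson(rng, lam):
    """Number of loss events in one year given an expected rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def _sample(rng, estimate):
    low, mode, high = estimate
    return rng.triangular(low, high, mode)  # stdlib argument order is low, high, mode

def simulate_annual_loss(option, iterations=10_000, seed=1):
    """Monte Carlo estimate of annualized loss exposure for one option."""
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    losses = []
    for _ in range(iterations):
        events = _poisson(rng, _sample(rng, option["lef"]))
        losses.append(sum(_sample(rng, option["lm"]) for _ in range(events)))
    losses.sort()
    def pct(q):
        return losses[int(q * (len(losses) - 1))]
    return {"mean": statistics.fmean(losses), "p50": pct(0.5),
            "p90": pct(0.9), "worst": losses[-1]}

def compare(baseline, option, **kw):
    """How much risk does the asset carry, and how much less with the control?"""
    base, alt = simulate_annual_loss(baseline, **kw), simulate_annual_loss(option, **kw)
    # The drop in expected annual loss is the most one could justify spending
    # per year on the control before it costs more than the risk it removes.
    return {"baseline": base, "with_control": alt,
            "annual_risk_reduction": base["mean"] - alt["mean"]}

if __name__ == "__main__":
    result = compare(BASELINE, WITH_CONTROL)
    for name in ("baseline", "with_control"):
        print(name, {k: round(v) for k, v in result[name].items()})
    print("expected annual loss avoided:", round(result["annual_risk_reduction"]))
```

Replacing the constructed estimates with calibrated ones for a real asset turns the printed figures into the monetary answers the paragraph above asks for.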
Since FAIR provides quantitative (monetary) results, it is also useful for the following requirements:
- A basis for a prioritized work plan and budget expressed in monetary values.
- Demonstrating due care to the stakeholders.
- A clearer picture of liability and insurance needs, which can be used in negotiations with insurers.
Often, information security is perceived as a technological problem with technological ramifications. The truth is, the technical problems are not the real issue, but rather the level of risk. By using a quantitative risk assessment and management framework, organizations will have timely and dependable data to inform the tough decisions they have to make in order to gain and maintain competitive and strategic advantage.
I think it is great that this methodology has been grounded in statistical science (in fact I'm a fan). I have two questions:
- Does FAIR collect data over time from multiple companies to provide longitudinal analysis such as a pattern study or to reassess FAIR methods for improvements?
- Has FAIR been compared to other methods empirically to show that it actually provides "better" results than other methods?
I ask the questions because of a few papers that were recently published by security researchers that call into question the validity of current methods. One paper empirically analyzed 200+ companies Security Policies to see if the policies and the management of them had a significant impact on breaches - the answer was no for the population of the study. Another reviewed existing methods of security risk analysis "Quantified Security is a Weak Hypothesis" which called into question all the methods and frameworks currently in use.
My own research into the existing "standards" finds that they generally don't provide the kind of scientific foundation that FAIR is based on, instead relying on "best practice", and there is little to no empirical data, only one-off case studies.
/wayne
Wayne,
Thanks for commenting.
I'll try and answer your questions based on my limited knowledge as a FAIR "Fan" but not its "Owner".
Q. Does FAIR collect data over time?
A. I don't think it does, but it's a good idea.
Q. Has FAIR been compared?
A. I'm not sure if it was formally compared, but informally I've used FAIR and other methods on the same scenarios, and FAIR produced more "realistic" results.
Thanks,
Yoram