IT risk assessment frameworks: real-world experience
Formal risk assessment methodologies try to take guesswork out of evaluating IT risks. Here is real-world feedback on four such frameworks: OCTAVE, FAIR, NIST RMF, and TARA.
By Bob Violino
Championed by Jack Jones, the former CISO of Nationwide Mutual Insurance, FAIR (Factor Analysis of Information Risk) is a framework for understanding, analyzing and measuring information risk. According to Jones, information security practices to date have generally been inadequate in helping organizations effectively manage information risk.
There's a heavy reliance on practitioner intuition and experience, industry lore and best practices, Jones notes. While these are valuable, they don't consistently allow management to make effective, well-informed decisions.
FAIR is designed to address security practice weaknesses. The framework aims to allow organizations to speak the same language about risk; apply risk assessment to any object or asset; view organizational risk in total; defend or challenge risk determination using advanced analysis; and understand how time and money will affect the organization's security profile.
Components of the framework include a taxonomy for information risk, standardized nomenclature for information-risk terms, a framework for establishing data-collection criteria, measurement scales for risk factors, a computational engine for calculating risk and a model for analyzing complex risk scenarios.
Nationwide's Information Risk Management (IRM) team uses FAIR to perform risk assessments. "The FAIR methodology has enabled our IRM professionals to perform risk assessments in a consistent manner," says Chris Hayes, a Nationwide consultant for risk modeling and optimization.
Another plus is the common language used. The FAIR vernacular allows the IRM team and people from IT and the business lines to talk about risk in a consistent manner, Hayes says. "Ultimately, we want to be talking about exposure that any given finding poses to our company," he says. "The more business-focused that conversation is—especially when we are talking in terms of monetary exposure—the more meaningful the discussion becomes, which should facilitate more effective decision making."
Paul, who uses FAIR in his consulting practice as part of risk assessments for clients, says one of the advantages of the framework is that it doesn't use ordinal scales, such as one-to-10 rankings, and therefore "isn't subject to the limitations that go with ordinal scales." "For example, 'high, medium and low' is an example of an ordinal scale, as is 'red, yellow and green' and 'one, two and three.' We wouldn't begin to imagine that we can add or multiply two medium values, nor would we add or multiply yellow plus green. Yet we see many risk calculations in our industry that do exactly that when they use addition and/or multiplication with numeric ordinal scales."
FAIR uses dollar estimates for losses and probability values for threats and vulnerabilities. Combined with a range of values and levels of confidence, it allows for true mathematical modeling of loss exposures, Paul says.
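One way to see what Paul means in practice, as an added example that is not from the article and not Jones's own FAIR tooling: a small Monte Carlo over the three top-level FAIR factors (threat event frequency, vulnerability, loss magnitude), each given as a calibrated minimum / most likely / maximum range with a confidence weight, producing a dollar loss-exposure distribution instead of an ordinal product. The PERT-style sampling and the phishing scenario figures are assumptions made for the illustration.

```python
import random
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    """Calibrated (min, most likely, max) range plus a confidence weight."""
    low: float
    mode: float
    high: float
    confidence: float = 4.0  # higher = more of the distribution near the mode

    def sample(self, rng):
        # Modified-PERT draw via a Beta distribution (assumption, not from the article).
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1 + self.confidence * (self.mode - self.low) / span
        b = 1 + self.confidence * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span  # always within [low, high]

def simulate_annual_loss(tef, vuln, loss_magnitude, trials=20_000, seed=1):
    """Monte Carlo: annual loss = (threat event freq x vulnerability) x loss magnitude."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = tef.sample(rng) * vuln.sample(rng)   # loss event frequency per year
        losses.append(lef * loss_magnitude.sample(rng))
    return losses

def summarize(losses, tolerance):
    """Percentiles, mean and P(annual loss > tolerance): numbers a budget can be weighed against."""
    s = sorted(losses)
    def pct(p): return s[int(p * (len(s) - 1))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": statistics.fmean(s),
            "p_exceed_tolerance": sum(x > tolerance for x in s) / len(s)}

# Constructed scenario (not from the article): phishing-driven credential theft
# against one internal application, as a hypothetical analyst might estimate it.
SCENARIO = dict(
    tef=Estimate(2, 6, 20),                            # threat events per year
    vuln=Estimate(0.05, 0.15, 0.40),                   # P(threat event -> loss event)
    loss_magnitude=Estimate(20_000, 75_000, 400_000),  # dollars per loss event
)

if __name__ == "__main__":
    print(summarize(simulate_annual_loss(**SCENARIO), tolerance=250_000))
```

Because every factor is a range, the output is a distribution: the p90 and the probability of exceeding a stated tolerance are what a risk owner can compare against the cost of a control, which a "yellow times medium" product cannot support.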
Another plus is that FAIR has more detailed definitions of threats, vulnerabilities and risks, Paul says. "Most of the methodologies have definitions, but stop at that level," Paul says. FAIR has a taxonomy that breaks down the terms on a more granular level.
"The taxonomy enables us to describe more easily and credibly how we arrived at our conclusions," Paul says. "This is useful in demonstrating rigor and mitigating the prevailing impression that our profession doesn't understand risk or is basing recommendations on [FUD]."
As for downsides, FAIR can be difficult to use and it's not as well documented as OCTAVE, Paul says. "It's not as easy to get started; you can download a lot of information about OCTAVE," he says. "It's all very thoroughly put together and easy for you to get up and running. FAIR lacks that."
Hayes cites as a shortcoming of FAIR the lack of access to current information about the methodology and examples of how the methodology is applied. "Creative searching will generate some results, but the methodology itself still feels underground," he says.