IT risk assessment frameworks: real-world experience
Formal risk assessment methodologies try to take guesswork out of evaluating IT risks. Here is real-world feedback on four such frameworks: OCTAVE, FAIR, NIST RMF, and TARA.
By Bob Violino
FAIR
Championed by Jack Jones, the former CISO of Nationwide Mutual Insurance, FAIR (Factor Analysis of Information Risk) is a framework for understanding, analyzing and measuring information risk. According to Jones, information security practices to date have generally been inadequate in helping organizations effectively manage information risk.
There's a heavy reliance on practitioner intuition and experience, industry lore and best practices, Jones notes. While these are valuable, they don't consistently allow management to make effective, well-informed decisions.
FAIR is designed to address security practice weaknesses. The framework aims to allow organizations to speak the same language about risk; apply risk assessment to any object or asset; view organizational risk in total; defend or challenge risk determination using advanced analysis; and understand how time and money will affect the organization's security profile.
Components of the framework include a taxonomy for information risk, standardized nomenclature for information-risk terms, a framework for establishing data-collection criteria, measurement scales for risk factors, a computational engine for calculating risk and a model for analyzing complex risk scenarios.
Nationwide's Information Risk Management (IRM) team uses FAIR to perform risk assessments. "The FAIR methodology has enabled our IRM professionals to perform risk assessments in a consistent manner," says Chris Hayes, a Nationwide consultant for risk modeling and optimization.
Another plus is the common language used. The FAIR vernacular allows the IRM team and people from IT and the business lines to talk about risk in a consistent manner, Hayes says. "Ultimately, we want to be talking about exposure that any given finding poses to our company," he says. "The more business-focused that conversation is—especially when we are talking in terms of monetary exposure—the more meaningful the discussion becomes, which should facilitate more effective decision making."
Paul, who uses FAIR in his consulting practice as part of risk assessments for clients, says one of the advantages of the framework is that it doesn't use ordinal scales, such as one-to-10 rankings, and therefore "isn't subject to the limitations that go with ordinal scales," Paul says. "For example, 'high, medium and low' is an example of an ordinal scale, as is 'red, yellow and green' and 'one, two and three.' We wouldn't begin to imagine that we can add or multiply two medium values, nor would we add or multiply yellow plus green. Yet we see many risk calculations in our industry that do exactly that when they use addition and/or multiplication with numeric ordinal scales."
FAIR uses dollar estimates for losses and probability values for threats and vulnerabilities. Combined with a range of values and levels of confidence, it allows for true mathematical modeling of loss exposures, Paul says.
Also see Security and Business: Financial BasicsAnother plus is that FAIR has more detailed definitions of threats, vulnerabilities and risks, Paul says. "Most of the methodologies have definitions, but stop at that level," Paul says. FAIR has a taxonomy that breaks down the terms on a more granular level.
"The taxonomy enables us to describe more easily and credibly how we arrived at our conclusions," Paul says. "This is useful in demonstrating rigor and mitigating the prevailing impression that our profession doesn't understand risk or is basing recommendations on [FUD]."
As for downsides, FAIR can be difficult to use and it's not as well documented as OCTAVE, Paul says. "It's not as easy to get started; you can download a lot of information about OCTAVE," he says. "It's all very thoroughly put together and easy for you to get up and running. FAIR lacks that."
Hayes cites as a shortcoming of FAIR the lack of access to current information about the methodology and examples of how the methodology is applied. "Creative searching will generate some results, but the methodology itself still feels underground," he says.
Next page: NIST's RMF
The challenge of true data protection spans databases, internal and external networks, physical and offsite storage, business partners and more. These resources offer expert perspective from the basics through specific key elements of data protection strategies.
Network security basics
Protection, detection, and reaction—those are the three underlying principles your security program must embody
Computer incident detection, response, forensics
Richard Bejtlich shows how to measure and improve the maturity of your incident response
A few good IT security metrics
Stop counting blocked malware attachments and measure things that can contribute to meaningful change
5 key cloud security trends
Cloud security is evolving rapidly—stay on top of it
Database security: At rest, not at risk
IT risk assessment frameworks
How to do end-to-end encryption
Also find sample data protection policies in CSO's tools, templates and policies library
- Enterprise File Sharing: All You Need to Know
- Forrester Research and EMC on Continuous Availability
- Big Ideas; Big Tech-Continuous Availability for VMware
- Reduce Costs, Maximize Performance and Ensure High Availability of your Business Critical Applications
- Software Asset Management - Program Considerations to Help Reduce Risk and Lower Costs
- Content Analytics Explained
- Attacks from China: A survival guide
Chinese cyberattack activity is back in the news this morning, with new details emerging on new attacks. Here's a collection of stories to help infosec pros better understand the threat. - #FFSec: Infosec pros who bring value to Twitter
- B-Sides Boston is Saturday
More Salted Hash with Bill Brenner
