Factor Analysis of Information Risk
Factor analysis of information risk (FAIR for short) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events. It is not, per se, a “cookbook” that describes how to perform an enterprise (or individual) risk assessment.

A number of methodologies deal with risk management in an IT environment or IT risk, related to information security management systems and standards like the ISO/IEC 27000-series.

The unanswered challenge, however, is that without a solid understanding of what risk is, what the factors are that drive risk, and without a standard nomenclature, we can’t be consistent or truly effective in using any method. FAIR seeks to provide this foundation, as well as a framework for performing risk analyses. Much of the FAIR framework can be used to strengthen, rather than replace, existing risk analysis processes like those mentioned above.

FAIR is not another risk management methodology; it complements existing methodologies. It is not in direct competition with the other risk assessment frameworks, but is complementary to many of them.

Adoption

As a standards body, The Open Group aims to evangelize the use of FAIR within the context of these risk assessment or management frameworks. In doing so, The Open Group becomes not just a group offering yet another risk assessment framework, but a standards body which solves the difficult problem of developing consistent, defensible statements concerning risk.

ISACA, in its Risk IT framework, which extends COBIT, cites FAIR and its concepts.

The "Build Security In" initiative of the U.S. Department of Homeland Security cites FAIR.

Documentation

FAIR's main document is "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006.

The contents of this white paper and the FAIR framework are released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 license.

In order to reasonably discuss the factors that drive risk, the document first defines what risk is. Risk and Risk Analysis discusses risk concepts and some of the realities surrounding risk analysis and probabilities; this provides a common foundation for understanding and applying FAIR.
Risk Landscape Components briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk.
Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.

The Controls section briefly introduces the three dimensions of a controls landscape.
Measuring Risk briefly discusses measurement concepts and challenges, and then provides a high-level discussion of risk factor measurements.

Main concepts

FAIR underlines that risk is an uncertain event: one should not focus on what is possible, but on how probable a given event is.
This probabilistic approach is applied to every factor that is analysed.
Risk is the probability of a loss tied to an asset.

Asset

An asset’s loss potential stems from the value it represents and/or the liability it introduces to an organization. For example, customer information provides value through its role in generating revenue for a commercial organization. That same information also can introduce liability to the organization if a legal duty exists to protect it, or if customers have an expectation that the information about them will be appropriately protected.

FAIR defines six kinds of loss:
  1. Productivity – a reduction in the organization's ability to effectively produce goods or services in order to generate value
  2. Response – the resources spent responding to an adverse event
  3. Replacement – the expense to substitute/repair an affected asset
  4. Fines and judgements (F/J) – the cost of the legal proceedings arising from the adverse event
  5. Competitive advantage (CA) – missed opportunities due to the security incident
  6. Reputation – missed opportunities or sales due to the diminished corporate image following the event



FAIR defines value/liability as:
  1. Criticality – the impact on the organization's productivity
  2. Cost – the bare cost of the asset, i.e. the cost of replacing a compromised asset
  3. Sensitivity – the cost associated with the disclosure of the information, further divided into:
    1. Embarrassment – the disclosure reveals inappropriate behaviour by the company's management
    2. Competitive advantage – the loss of competitive advantage tied to the disclosure
    3. Legal/regulatory – the cost associated with possible law violations
    4. General – other losses tied to the sensitivity of the data

Threat

Threat agents can be grouped into threat communities, subsets of the overall threat agent population that share key characteristics. It is important to define threat communities precisely in order to effectively evaluate impact (loss magnitude).

Threat agents can act differently on an asset:
  • Access – read the data without proper authorization
  • Misuse – use the asset without authorization and/or differently from the intended usage
  • Disclose – the agent lets other people access the data
  • Modify – change the asset (data or configuration modification)
  • Deny access – the threat agent does not let the legitimate intended users access the asset


These actions can affect various assets differently: the impact varies with the characteristics of the asset and its usage. Some assets have high criticality and low sensitivity: for them, denial of access has a much higher impact than disclosure. Conversely, highly sensitive data can have a low productivity impact while unavailable, but cause huge embarrassment and legal impact if disclosed: the availability of former patients' health data does not affect a healthcare organization's productivity, but its disclosure can cost millions of dollars.

A single event can involve different assets: a laptop theft has an impact on the availability of the laptop itself, but can also lead to the potential disclosure of the information stored on it.

The point is that it’s the combination of the asset and the type of action against the asset that determines the fundamental nature and degree of loss.

Important aspects to be considered are the agent motive and the affected asset characteristics.
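The six forms of loss listed above and the point that the asset/action combination determines the nature and degree of loss, worked into a small probabilistic estimate. This is example code added here, not code from the article or the FAIR white paper: the Asset fields, the action-to-loss-form mapping, the dollar ranges, the constructed sample assets and the Monte Carlo treatment of event frequency are all this example's own assumptions.

```python
import math
import random
from dataclasses import dataclass
# The article's six forms of loss. Per-event ranges (USD) are constructed
# sample inputs for this example, not figures from the article or from FAIR.
LOSS_RANGES = {
    "productivity": (50_000, 500_000), "response": (5_000, 50_000),
    "replacement": (1_000, 50_000), "fines_judgements": (50_000, 500_000),
    "competitive_advantage": (10_000, 300_000), "reputation": (10_000, 300_000),
}
# Which loss forms each threat action drives: an assumed mapping, following the
# article's point that the asset/action combination determines the loss.
ACTION_LOSS_FORMS = {
    "deny_access": ("productivity", "response", "replacement"),
    "disclose": ("response", "fines_judgements", "competitive_advantage", "reputation"),
}

@dataclass
class Asset:
    name: str
    criticality: float  # 0..1, productivity impact when unavailable (assumed scale)
    sensitivity: float  # 0..1, harm when disclosed (assumed scale)

def _scale(asset, form):
    # Availability-type forms scale with criticality, disclosure-type forms
    # with sensitivity; response cost is incurred whatever the action.
    if form in ("productivity", "replacement"):
        return asset.criticality
    return 1.0 if form == "response" else asset.sensitivity

def expected_loss_per_event(asset, action):
    """Point estimate: midpoint of each applicable loss form, scaled for the asset."""
    return sum(sum(LOSS_RANGES[f]) / 2 * _scale(asset, f) for f in ACTION_LOSS_FORMS[action])

def sample_loss_magnitude(asset, action, rng):
    """One loss event: each applicable loss form drawn uniformly from its range."""
    return sum(rng.uniform(*LOSS_RANGES[f]) * _scale(asset, f) for f in ACTION_LOSS_FORMS[action])

def _poisson(lam, rng):  # Knuth's method: number of loss events in one year
    limit, k, p = math.exp(-lam), 0, 1.0
    while p > limit:
        k, p = k + 1, p * rng.random()
    return k - 1

def simulate_annual_loss(asset, action, events_per_year, trials=5000, seed=1):
    """Monte Carlo over loss-event frequency and magnitude; returns (mean, 90th pct)."""
    rng = random.Random(seed)
    annual = sorted(sum(sample_loss_magnitude(asset, action, rng)
                        for _ in range(_poisson(events_per_year, rng))) for _ in range(trials))
    return sum(annual) / trials, annual[int(0.9 * trials) - 1]
```

Running simulate_annual_loss for a high-criticality, low-sensitivity asset and a low-criticality, high-sensitivity one reproduces the article's observation: denial of access dominates the first, disclosure dominates the second.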

See also

  • Asset
  • Attack (computer)
  • Countermeasure
  • Computer security
  • Computer insecurity
  • Information security
  • Information security management
  • ISACA
  • ISMS
  • ISO/IEC 27001
  • IT risk
  • Risk
  • Risk factor (computing)
  • Risk IT
  • Risk management
  • The Open Group
  • Threat (computer)
  • Security control
  • Security risk
  • Security service (telecommunication)
  • Vulnerability (computing)

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.