
FAIR

Factor Analysis of Information Risk


Open FAIR Body of Knowledge
• Framework and taxonomy for understanding, analysing and measuring information risk
• The Open Group Risk Taxonomy Standard (O-RT)
• The Open Group Risk Analysis Standard (O-RA)
• Definition of Risk
• The probable frequency and probable magnitude of future loss
Risk Management
Risk Taxonomy (O-RT)
NIST Cyber Security Framework
O-RT and NIST CSF

Secondary Loss Event Frequency


Loss Magnitude
• Primary Loss refers to losses incurred from the loss event itself, the results of the threat actor successfully
impacting the asset. This also includes activities that the primary stakeholder (that’s you!) chooses to do in
the wake of the loss event, such as investigating the incident or replacing a damaged server.
• Secondary Loss refers to losses incurred from the reactions of outside parties to the loss event; we call
those outside parties “secondary stakeholders,” the losses they cause “secondary losses,” and the percentage
of primary loss events that will involve any secondary losses “secondary loss event frequency.” 
• Most commonly, secondary stakeholders are clearly separated from the organization (primary stakeholder)
itself. Examples may include:
• Employees – Relevant if the loss event involves their personal information, well-being or property (e.g. a requirement to
notify affected employees of an HR database breach, or potential employee settlements)
• Customers – Relevant if the loss event involves their personal information or their ability to access products or services
(e.g. a requirement to notify affected customers of a sales PII database breach, or potential loss of future revenue as a result
of reputation damage)
• Regulators – Relevant if the loss event infringes relevant regulations (e.g. GDPR requirements, or insufficient controls to
prevent the loss event being identified during the investigation)
• Media – Relevant if media coverage is part of the reaction to the event; specifically, any losses or money spent on
responding to interviews, press conferences, etc.
FAIR Tool
Scenario: Product Overview
• Capabilities and anticipated benefits:
• Processing Access Requests
• Reduces productivity loss for new employee access
• Removing Unneeded Access
• Reduces vulnerability
• Detecting Anomalous Behaviour
• Provides Incident detection and response
Stage 1: Identify the Loss Scenario
• Scenario 1: Employee access to corporate resources
• Scenario 2: Contractor access to corporate resources
• Insider threat where a person:
• Uses their authorized access
• Removes information from the organization
• Exports files containing unstructured data (words and images)
• To a location outside the organization
• The two scenarios are analysed together
Stage 1: Identify the Loss Scenario
• Identify asset at risk
• Unstructured data (e.g. contents of Windows file shares)
• Trade secrets/competitive advantage
• Identify threat community
• Employees of the organization
• Organization contract employees
• Trusted insiders
• Risk scenario title: Theft of intellectual property by insiders
Stage 2: Evaluate Loss Event Frequency (LEF)
• Estimate Threat Event Frequency (TEF)
• Daily access to files by 10,000 insiders
• 0 to 2 general insider threat events detected per year
• Unstructured data events cannot be detected
• Calibrated estimate for current TEF
• Maximum 15, minimum 5 and most likely 10
• Proposed solution does not impact TEF
Stage 2: Evaluate Loss Event Frequency (LEF)
• Estimate vulnerability
• Calibrated estimate for current vulnerability
• Maximum 80%: senior employees, many files
• Minimum 5%: junior employees
• Most likely 40%: average employee
• Employees accumulate access rights over their careers, and these rights tend never to be removed. If unnecessary
access is removed:
• Calibrated estimate for proposed vulnerability
• Maximum 40%: senior employees, many files
• Minimum 5%: junior employees
• Most likely 15%: average employee
Stage 2: Evaluate Loss Event Frequency (LEF)
• 100 simulations
• Average events per year changes from 4.4 to 1.3 (E[x]=4.4, now E[x]=1.3)
• Events percentile: Pr(x≤8)=0.9, now Pr(x≤3)=0.9
• Probability of an extreme number of events: Pr(x≥2)=0.72, now Pr(x≥2)=0.17
Stage 3: Evaluate Loss Magnitude (LM)
• Estimate Primary Loss Magnitude
• No current response cost since no detection
• Calibrated estimate for proposed response
• New detection and alerting capability
• Insider’s identity is known
• Recorded in thousands
• Costs: investigation
• Maximum: $1,500
• Minimum: $500
• Most likely: $1,000
Stage 3: Evaluate Loss Magnitude (LM)
• Estimate Secondary Loss
• Current loss
• Calibrated estimate for secondary LEF (SLEF)
• Function of LEF
• Probability of lost market value
• Estimated at 0% minimum, 25% most likely and 50% maximum
• Calibrated estimate for secondary LM
• Probable loss of future revenue
• Recorded in thousands
• Minimum 100, most likely 600, maximum 900
• Not changed by the proposed solution
Stage 4: Derive and Articulate Risk
• Determine the average loss reduction
• Determine different percentiles of loss to establish different scenarios
• Determine the probability of extreme loss using the tail (Exceeds) of the distribution
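A Monte Carlo version of Stages 2 to 4 built from the calibrated estimates above, added here as an example; it is not code from the deck or from any FAIR tool. The distribution is an assumption the deck does not state: each (minimum, most likely, maximum) estimate is sampled as BetaPERT, threat events are rounded per simulated year and each becomes a loss event with the sampled vulnerability, and the Stage 4 figures (mean LEF, tail probability, loss percentiles) are read off the resulting samples. Because the distribution and the number of trials differ from the deck's 100-run tool output, the figures will not reproduce it exactly.

```python
import random
from statistics import mean

def pert(est, rng):
    """Sample a calibrated (minimum, most likely, maximum) estimate as BetaPERT (assumed distribution)."""
    lo, ml, hi = est
    if hi == lo:  # degenerate estimate, e.g. "no current response cost since no detection"
        return lo
    a, b = 1 + 4 * (ml - lo) / (hi - lo), 1 + 4 * (hi - ml) / (hi - lo)
    return lo + (hi - lo) * rng.betavariate(a, b)

def simulate(tef, vuln, primary_lm, slef, secondary_lm, years=10_000, seed=1):
    """Monte Carlo over `years`: returns (loss events per year, annual loss in thousands)."""
    rng = random.Random(seed)
    lefs, losses = [], []
    for _ in range(years):
        v = pert(vuln, rng)                         # vulnerability drawn once per simulated year
        lef, loss = 0, 0.0
        for _ in range(round(pert(tef, rng))):      # each threat event is a Bernoulli(v) trial
            if rng.random() < v:
                lef += 1
                loss += pert(primary_lm, rng)       # primary loss: investigation/response cost
                if rng.random() < pert(slef, rng):  # secondary loss event: lost market value
                    loss += pert(secondary_lm, rng)
        lefs.append(lef)
        losses.append(loss)
    return lefs, losses

def percentile(xs, p):
    """Nearest-rank percentile: the sample value x with Pr(X <= x) just above p."""
    xs = sorted(xs)
    return xs[min(len(xs) - 1, int(p * len(xs)))]

def exceed(xs, threshold):
    """Pr(X >= threshold): the 'Exceeds' tail used for extreme events and extreme losses."""
    return sum(1 for x in xs if x >= threshold) / len(xs)

def articulate(**scenario):
    """Stage 4 figures: mean LEF, Pr(LEF >= 2), mean and 90th-percentile annual loss (thousands)."""
    lef, loss = simulate(**scenario)
    return {"E[LEF]": mean(lef), "Pr(LEF>=2)": exceed(lef, 2),
            "E[loss]": mean(loss), "P90 loss": percentile(loss, 0.9)}

# Calibrated estimates from the deck as (min, most likely, max); costs in thousands of dollars
TEF, SLEF, SECONDARY_LM = (5, 10, 15), (0.0, 0.25, 0.5), (100, 600, 900)
CURRENT = dict(tef=TEF, vuln=(0.05, 0.40, 0.80), primary_lm=(0, 0, 0), slef=SLEF, secondary_lm=SECONDARY_LM)
PROPOSED = dict(tef=TEF, vuln=(0.05, 0.15, 0.40), primary_lm=(500, 1000, 1500), slef=SLEF, secondary_lm=SECONDARY_LM)
```

Because the current state has no detection and therefore no response cost, the proposed state's annual loss includes a primary cost the baseline lacks, so compare LEF, secondary loss and the Exceeds tail separately rather than reading a single average.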
