Abdullah A. AlBrauidi

Cyber security Risk Management Section Manager at STC

Cyber Resilience

Session Title | Walk-through on a Cyber security Risk Scenario E2E using FAIR Methodology

During the session we will answer the most frequently asked question about cyber security risk: what matters to an organization's Board of Directors and senior managers?

We will start with an introduction to the FAIR Methodology and its main concepts, then walk through a cyber security risk scenario end to end (E2E) using the FAIR Methodology.

The Factor Analysis of Information Risk (FAIR) framework was developed by Jack Jones. FAIR is a risk management framework championed by The Open Group that enables organizations to analyze, measure, and understand risk. The FAIR model evaluates the factors that contribute to IT risk and how they affect each other, breaking risk down by identifying and defining the risk model. FAIR is most often used to establish probabilities for the frequency and magnitude of data loss.
The framework is complementary to information security programs as well as existing risk analysis processes and helps to strengthen an overall analysis. FAIR functions best when an organization understands what risk is. Once risk is understood, FAIR discusses operational risk concepts for better analysis and probability of the risk related to cybersecurity.

A risk management program is critical to an organization’s information security strategy. The FAIR model has been shown to augment and strengthen existing risk management initiatives, especially ones that focus on analytics. Like most models, FAIR is far from perfect. Some find the reliance on estimates and lack of metrics difficult to justify.

The Main Concepts of FAIR
The old saying goes “You can’t manage what you can’t measure”. FAIR promotes the concept that risk is uncertain and organizations should instead focus on how probable it is that an event will occur before moving to decision making. Probability is the key when it comes to FAIR and the analysis is deeply based on understanding the factors and the probability of asset loss. In order to measure risk via risk scenarios, there are several steps that need to happen.
• Definition: Define the risks.
• Measurement: Measure the risks.
• Comparison: Compare the risks to past, present, and future risks.
• Informed Decision: Make informed decisions about risks.
• More Effective Management: Management of risks is more effective because of the previous steps.

FAIR Basic Risk Assessment Methodology:
Stage 1: Identify scenario components: Identify the asset at risk, and identify the threat community under consideration.
Stage 2: Evaluate Loss Event Frequency (LEF): Estimate the probable Threat Event Frequency (TEF), estimate the Threat Capability (TCAP), estimate Control Strength (CS), derive Vulnerability (Vuln), and derive Loss Event Frequency (LEF).
Stage 3: Evaluate Probable Loss Magnitude (PLM): Estimate worst-case loss, and estimate Probable Loss Magnitude (PLM).
Stage 4: Derive and articulate risk: Combine LEF and PLM into a risk statement and communicate it to decision makers.
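The four stages above, carried through as an added worked example (not the session's material and not from Jack Jones or The Open Group). It treats Vulnerability as the probability that Threat Capability exceeds Control Strength, derives LEF as TEF multiplied by Vulnerability, and derives annualised risk as LEF multiplied by PLM. The asset, threat community, and every three-point estimate are constructed for illustration; the `Estimate` class and function names are assumptions of this example.

```python
"""Worked FAIR basic risk scenario (added illustration; constructed inputs).

Stage 1 picks an asset and a threat community; stages 2 to 4 turn calibrated
estimates into Loss Event Frequency (LEF), Probable Loss Magnitude (PLM) and
an annualised risk figure. All numbers below are constructed for the
walk-through and are not from any real assessment.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass
class Estimate:
    """A calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


def derive_vulnerability(tcap_samples, cs_samples) -> float:
    """Stage 2: Vuln = probability that Threat Capability exceeds Control Strength.

    Both inputs are percentile-style scores (0-100) sampled from their estimates.
    """
    if len(tcap_samples) != len(cs_samples) or not tcap_samples:
        raise ValueError("need equal-length, non-empty sample lists")
    exceed = sum(1 for t, c in zip(tcap_samples, cs_samples) if t > c)
    return exceed / len(tcap_samples)


def derive_lef(tef: float, vuln: float) -> float:
    """Stage 2: LEF = TEF x Vuln (loss events per year)."""
    return tef * vuln


def derive_risk(lef: float, plm: float) -> float:
    """Stage 4: annualised loss exposure = LEF x PLM (currency units per year)."""
    return lef * plm


def run_scenario(tef: Estimate, tcap: Estimate, cs: Estimate, plm: Estimate,
                 worst_case: float, trials: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo over the estimates; returns percentiles a board can read."""
    rng = random.Random(seed)
    tcap_s = [tcap.sample(rng) for _ in range(trials)]
    cs_s = [cs.sample(rng) for _ in range(trials)]
    vuln = derive_vulnerability(tcap_s, cs_s)
    annual_loss = []
    for _ in range(trials):
        lef = derive_lef(tef.sample(rng), vuln)
        annual_loss.append(derive_risk(lef, plm.sample(rng)))
    annual_loss.sort()

    def pct(p: float) -> float:
        return annual_loss[min(int(p * trials), trials - 1)]

    return {
        "vulnerability": vuln,
        "lef_most_likely": derive_lef(tef.mode, vuln),
        "ale_p10": pct(0.10),
        "ale_p50": pct(0.50),
        "ale_p90": pct(0.90),
        "ale_mean": statistics.fmean(annual_loss),
        "worst_case_single_event": worst_case,  # Stage 3 worst-case loss, reported as-is
    }


if __name__ == "__main__":
    # Stage 1 (constructed): asset = customer billing database;
    # threat community = external cyber criminals.
    result = run_scenario(
        tef=Estimate(2, 6, 15),                  # threat events per year
        tcap=Estimate(40, 65, 90),               # threat capability percentile
        cs=Estimate(50, 70, 85),                 # control strength percentile
        plm=Estimate(50_000, 200_000, 800_000),  # loss per event
        worst_case=5_000_000,
    )
    for key, value in result.items():
        print(f"{key:>24}: {value:,.2f}")
```

The point of the percentile output is the Stage 4 articulation: a board reads "there is a 90% chance annual loss stays below the p90 figure" more readily than a single point estimate, and the worst-case single event is reported separately so that the tail is never hidden inside an average.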

By the end, we will deep dive into one of the scenarios by following the 4 stages, and conclude by showing the results.

Ensures comprehensive controls are in place for securing the information assets and that local procedures and activities are compliant with regulatory requirements and internal policies, procedures, guidelines, and standards. Provides an advisory services role and acts as the focal point for security compliance related activities and responsibilities.
