Isn't risk analysis the bread and butter of information security?
Because of the great motivation we bring to other technology departments. Engineers love it when security shows up, bugging them with the bugs. System operators salute you from afar. DevOps guys queue up to listen to your stories about this “pentesting” thing.
– And just in case you also feel the love, you may wonder: what is the value of InfoSec?!
Information Security is 30 30 30?
A common understanding is, that InfoSec is “people, process and technology”. If you define the analysis of risks as a process, that is correct.
– How many risk analysis approaches have you ever heard of?
Some compliance folks may come up and say: my ISO 27005 and ISO 31000… but these aren’t risk analysis norms. They are about managing risks that are already classified as low, medium, high or in other forms of granularity.
So you have to Believe that that is correct. Right? These 10% of Believe can be a real problem, because once you see how much InfoSec controls can cost, you will realize that other believe systems are comparatively cheaper.
So in order to avoid InfoSec becoming a believe system, what are we going to do?
FAIR Risk Analysis standard?
This quarter I spent some time on FAIR, the “Factor Analysis of Information Risk” standard.
Contrary to online encyclopedias I define FAIR as a Risk Analysis toolkit, because for risk management there are other standards. Like the aforementioned ISO standards, which get adopted to an increasing degree.
Risk Management means that you apply a Plan Do Check Act process on the classified risks. It does not mean that you analyze the risks in such a way, that it provides quantitative metrics (such as expected loss during the business year) within a probable scenario (such as a DDoS attack).
Do you find that leadership cares about how well you manage the existing risks? Or are they looking for probable scenarios, loss expectations and security control reviews related to over-controlled and under-controlled risks?
It would be a FAIR assumption, that they don’t really care about how well structured the information in the GRC (Governance Risk and Compliance) tool looks. Usually these tools aren’t developed by industry leaders in software ergonomics and user interface design.
From assumption management to risk management
There is always a risk, that your house burns down. However if there are fires every day that could endanger your entire house, maybe you really should look into that before you read the rest of this little post.
What FAIR has to do with burning pans
The Loss Event Frequency defines how often a (small) fire happens. The Loss Magnitude is available once there was a small issue nearby the oven. So once you fried your favorite pan itself, there also is a Threat Event Frequency and a Vulnerability. And you can fix that to some degree / reduce the risk: there are fire-proof pans and modern ovens.
The problem isn’t that there is a risk, or that the risk cannot be managed. The problem is, that usually in InfoSec we a juggling burning things in secret. FAIR is an approach to change that.
Be FAIR to each other
FAIR is relatively new, and the license model is dubious (for members only and so on).
It’s not a skill, that’s well in demand. Either because organizations don’t know FAIR or because they have
better internal ways to analyze risks in a structured way.
What FAIR brings is
- a set of practical tools for Risk Analysis beyond the common Excel spreadsheet or GRC-tool
- interview methods to work cross-functionally
- and analytics approaches (like the Monte Carlo simulation, security metrics programs etc. that help if an organization emphasis data-driven decision making)
… that can build a good basis if you have to work cross-functionally. In InfoSec you will not be the Subject Matter Expert for everything. Too many newcomers try to become this, and they crash and burn.
Risk Analysis is a little like Data Science: there is some politics and some guesswork to it, but at the end of the day it’s actionable. That is something that ISO standards lack, because what’s most actionable about them is “accepting the risk” or not.
FAIR and NIST collaboration (2018) - https://www.nist.gov/system/files/documents/2018/01/30/2018-01-18_-_fair_institute_the_open_group.pdf ↩︎
FAIR – ISO / IEC27005 Cookbook - https://pubs.opengroup.org/onlinepubs/9698999699/toc.pdf ↩︎
Gartner refers to this as Integrated Risk Management, and gives a short teaser on the goals and objectives https://www.gartner.com/en/information-technology/glossary/integrated-risk-management-irm ↩︎