SafetyDetectives recently had the opportunity to interview Luke Bader, the Director of Membership and Programs at the FAIR Institute. With a background in business and politics, Luke has been instrumental in the growth of the Institute, which now boasts over 15,000 members globally. He joined the FAIR Institute with a vision to enhance cyber risk management practices. Today, he shares insights on the FAIR Institute’s mission and the unique benefits of the FAIR™ framework in quantifying and managing information risk. Here are some highlights from our conversation.
Can you share a bit about your background and what led you to join the FAIR Institute?
My name is Luke Bader, Director of Membership and Programs at the FAIR Institute. I have been with the Institute for 7 years. I hold a Master of Science in Business and a Bachelor's in Politics.
When I joined the Institute, we had only 1,400 members. Today we have over 15,000 from 120 countries, 20 local chapters, an active research and workgroup department, an annual member conference (FAIRCON), and a robust educational program with training courses on a number of topics. The impetus to join this organization for me was the opportunity to help grow and develop a new industry to help risk teams better manage cyber risks at their organizations.
What is the primary mission and vision behind the FAIR Institute?
The FAIR Institute is a research-driven not-for-profit organization dedicated to advancing the discipline of cyber and operational risk management through education, standards and collaboration.
The Institute is made up of over 15,000 members worldwide: forward-thinking risk officers, cybersecurity leaders and business executives who operate with a central mission:
- “Establish and promote risk management best practices that empower security and risk professionals to collaborate with their business partners on achieving the right balance between protecting the organization and running the business.”
Factor Analysis of Information Risk (FAIR™) is the framework and the driver behind our mission.
Can you explain the core principles of the FAIR framework and how it differs from other risk management approaches?
Factor Analysis of Information Risk (FAIR™) is the only international standard quantitative model for information security and operational risk.
- FAIR™ provides a model for understanding, analyzing and quantifying cyber risk and operational risk in financial terms.
- It is unlike risk assessment frameworks that focus their output on qualitative color charts or numerical weighted scales.
- It builds a foundation for developing a robust approach to information risk management.
With FAIR™, you can:
- Speak in one language concerning your risk
- Take a portfolio view to organizational risk
- Challenge and defend risk decisions using an advanced risk model
- Understand how time and money will impact your security profile
FAIR’s risk model components are specifically designed to support risk quantification:
- A standard taxonomy and ontology for information and operational risk
- A framework for establishing data collection criteria
- Measurement scales for risk factors
- A modeling construct for analyzing complex risk scenarios
FAIR is an analytical risk model, whereas most information security risk methodologies in use today are Capability Maturity Models (CMM) or checklists. Analytic models attempt to describe how a problem-space works by identifying the key elements that make up the environment and the relationships between those elements — e.g., Newton’s laws of the physical world described how things like gravity work. If the models are relatively accurate (no models are perfect), then analyses performed using the models should consistently align with our experience and observations. With those elements identified, measurements can be made that enable risk quantification and performance of what-if analyses, neither of which can be performed with checklist or CMM analyses.
- Checklist methodologies (e.g., PCI, ISO, BITS, etc.) provide inventories of practices that an organization can use to evaluate and benchmark itself against. This can be useful for identifying gaps in controls and/or for comparison against other organizations. Checklists are not useful for determining how much risk exists or for understanding the effects of changes in the risk landscape (e.g., how much more or less risk will exist if…).
- CMM methodologies (e.g., SSE-CMM) provide an ordinal scale for rating the maturity of processes. This can be useful for evaluating the quality of processes, for setting goals, and for evaluating progress against those goals. CMM is not useful for quantifying risk or measuring the practical effect of changes in maturity.
FAIR provides the means to answer questions like:
- How much risk does “X” represent?
- How much risk do we have?
- How much more/less risk will we have if …?
- What are my most cost-effective options for managing risk?
Note that all three methodology types can be useful for most organizations, and should be complementary.
How does your approach to risk management support organizations in making better business decisions?
The FAIR™ quantitative risk analysis model defines the necessary building blocks for implementing effective cyber risk management programs. Being able to quantify cyber risk is at the core of any such program; after all, “You cannot manage what you don’t measure.”
Your organization already manages risk. The question is whether it is doing it implicitly or explicitly. A risk management program needs to be explicit to be effective. In an implicit approach to cyber risk management, an organization might have aligned its cybersecurity policies with a framework like NIST CSF, and it might have a NIST CSF-based enterprise risk assessment performed annually. The cybersecurity staff probably prioritizes and works hard to address the findings from that assessment. Where the organization ends up risk-wise, however, is a by-product of these efforts. There is little control of the outcome from a residual loss exposure perspective as it isn’t clearly defined within such frameworks, and the measurements are only loosely associated with risk. In order to be explicit, there would need to be a specific and quantified risk target that is actively being managed against.
The foundation required to achieve and maintain effective risk management consists of five elements:
- Cost-effective risk management: a program that meets the definition of risk management listed above.
- Well-informed decisions: every decision involves a choice, and in order for those to be well-informed…
- Effective comparisons: a decision-maker has to be able to compare the options before him/her, which requires…
- Meaningful measurements: quantitative financial measurements that all stakeholders can understand, which requires…
- Accurate models: accurate models of risk and of explicit risk management that can scale in real-life.
The FAIR™ quantitative risk analysis model was conceived as a way to provide meaningful measurements so that it could satisfy management’s desire to make effective comparisons and well-informed decisions. FAIR™ has become the only international standard Value at Risk (VaR) model for cybersecurity and operational risk.
FAIR™ tells us that an effective risk management system is comprised of the following elements:
- Risk: a function of the threats, assets, controls and impact factors (e.g., laws, etc.) that drive loss exposure.
- Risk Management: composed of decisions and execution. Those decisions are related to the risk governance that the organization decides to implement. What an organization actually gets in terms of risk is a function of execution within the context of those decisions.
- Feedback Loop: feedback about the conditions of asset-level controls, metrics related to threat intelligence and losses, metrics regarding conditions that affect execution (e.g., awareness, capabilities) and root-cause analysis data.
What are the emerging trends in information risk management that organizations should be aware of?
The Standards Working Groups and Industry Risk Research Boards are actively pursuing research in new areas of extension of the FAIR model, data sources and formats, mapping to complementary models and frameworks. Examples of research projects include modeling of loss data, measurement of materiality, measure of controls effectiveness and mapping to risk, threats-to-risk mapping, assessing and managing third-party risk, and insurance underwriting.
What common misconceptions do organizations have about information risk management?
That risk quantification “cannot be done.” That is not true, and here is why…
FAIR™ can be extremely useful for performing qualitative analysis that generates simple outputs. In fact the introductory white paper describes one way it can be used in that fashion. Also, it’s simple to convert a quantitative value into a qualitative rating. For example, an organization can define parameters that match specific quantitative ranges to qualitative values — e.g., “Annualized exposure of between $100,000 and $1,000,000 will be considered ‘High Risk’ (or Red on a color scale).” The advantage is that the analysis and the numbers underlying the qualitative values can be referenced to explain how the rating was arrived at.
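The following is an added illustration, not code from the interview or from the FAIR Institute. It ties together two points made above: the earlier answer's claim that an analytic model supports "how much more/less risk will we have if…" what-if analysis (which checklists and CMMs cannot), and the conversion of a quantitative exposure figure into a qualitative rating described here. It uses the core FAIR relationship (loss event frequency = threat event frequency x vulnerability; annualized loss exposure = loss event frequency x loss magnitude). The scenario, its three-point estimates, the Monte Carlo sampling with triangular distributions, the 90th-percentile "VaR-style" summary, and the "Moderate" and "Critical" bands on either side of the $100,000 to $1,000,000 "High" band are all constructed assumptions for this example.

```python
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Three-point calibrated estimate (minimum, most likely, maximum) for one FAIR factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes its arguments in the order (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Estimate  # TEF: threat events per year
    vulnerability: Estimate           # probability that a threat event becomes a loss event
    loss_magnitude: Estimate          # dollars lost per loss event (primary plus secondary loss)


def point_estimate(scenario: Scenario) -> float:
    """Deterministic FAIR arithmetic on the most-likely values only:
    LEF = TEF x Vulnerability; annualized loss exposure = LEF x Loss Magnitude."""
    lef = scenario.threat_event_frequency.mode * scenario.vulnerability.mode
    return lef * scenario.loss_magnitude.mode


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 7) -> list[float]:
    """Monte Carlo version: draw each factor from its range and combine them as FAIR does.
    Each trial produces one simulated annual loss figure (a simplified per-trial product)."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        tef = scenario.threat_event_frequency.sample(rng)
        vuln = scenario.vulnerability.sample(rng)
        lm = scenario.loss_magnitude.sample(rng)
        annual_losses.append(tef * vuln * lm)
    return annual_losses


def summarize(annual_losses: list[float]) -> dict[str, float]:
    """Mean annualized loss exposure plus the 90th-percentile annual loss (a VaR-style figure)."""
    ordered = sorted(annual_losses)
    p90 = ordered[int(0.9 * (len(ordered) - 1))]
    return {"mean": statistics.fmean(ordered), "var_90": p90}


# Qualitative bands: lower bound inclusive, upper bound exclusive. The "High (Red)" band is the
# one quoted in the interview; "Moderate" and "Critical" are constructed for this example.
RATING_BANDS = [
    (0, 100_000, "Moderate"),
    (100_000, 1_000_000, "High (Red)"),
    (1_000_000, float("inf"), "Critical"),
]


def qualitative_rating(annual_exposure: float) -> str:
    for low, high, label in RATING_BANDS:
        if low <= annual_exposure < high:
            return label
    raise ValueError("exposure must be non-negative")


def what_if(baseline: Scenario, proposed: Scenario, seed: int = 7) -> dict:
    """Answer 'how much less risk will we have if...' by re-running the model with the
    factor that a proposed control changes, keeping everything else (and the seed) fixed."""
    before = summarize(simulate(baseline, seed=seed))
    after = summarize(simulate(proposed, seed=seed))
    return {
        "before": before,
        "after": after,
        "mean_reduction": before["mean"] - after["mean"],
        "rating_before": qualitative_rating(before["mean"]),
        "rating_after": qualitative_rating(after["mean"]),
    }


# Constructed scenario (hypothetical numbers): phishing-led takeover of a finance mailbox.
BASELINE = Scenario(
    name="Mailbox takeover via phishing, password only",
    threat_event_frequency=Estimate(2, 5, 12),
    vulnerability=Estimate(0.20, 0.40, 0.70),
    loss_magnitude=Estimate(20_000, 80_000, 400_000),
)
# Proposed control: phishing-resistant MFA, assumed to lower only the Vulnerability factor.
WITH_MFA = replace(BASELINE, name="Mailbox takeover via phishing, with MFA",
                   vulnerability=Estimate(0.05, 0.10, 0.25))

if __name__ == "__main__":
    result = what_if(BASELINE, WITH_MFA)
    for key in ("before", "after"):
        print(f"{key}: mean ${result[key]['mean']:,.0f}, 90th pct ${result[key]['var_90']:,.0f}")
    print(f"mean reduction: ${result['mean_reduction']:,.0f}; "
          f"rating {result['rating_before']} -> {result['rating_after']}")
```

Running it shows the point the answer makes about ratings: both scenarios land in the same "High (Red)" band, yet the underlying numbers show the control removes roughly two thirds of the mean annualized exposure, and the 90th-percentile figure gives a defensible answer to "how bad is a bad year?" that a color alone cannot.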
The FAIR™ quantitative risk analysis model defines risk management as “the combination of personnel, policies, processes and technologies that enable an organization to cost-effectively achieve and maintain an acceptable level of loss exposure.” A closer look at this definition reveals key take-aways:
- Cost Effectively: The responsibility of mature risk professionals is not simply to help their organizations to manage risk, but to manage it cost-effectively. Organizations compete on many levels, and if an organization is able to manage risk more cost-effectively than its competition, then it wins on that level.
- Achieving and Maintaining: Achieving an objective suggests that an objective exists. Maintaining a risk (loss exposure) objective over time requires the ability to quantify and compare.
- An Acceptable Level of Loss Exposure: Adopting a risk assessment framework, predefined checklists and a set of common practices is a form of implicit risk management and will not enable you to achieve a defined acceptable level of risk. Explicitly managing risk requires that one or more quantitative risk-based objectives exist.