Introduction to Open FAIR
- 1. Quantifying Information Risk An Introduction to Open FAIR “When you can measure what you are speaking about and express it in numbers, you know something about it.” - Lord Kelvin
- 2. Apolonio “Apps” Garcia Founder/CEO HealthGuard John Zuziak CISO Univ of Louisville Hospital @appsgarcia @johnzuziak Disclaimer: We are not lawyers. This is not legal advice. Our opinions are ours; not our employers, or parents, or wives.
- 4. How Boards Feel About Security Reports
- 6. 85% believe that IT and security execs need to improve the way they report
- 7. 54% feel the information is too technical
- 8. 59% say there is a good chance IT and security executives will lose their job
- 11. Quantitative information about cyber risks
- 12. Progress that has been and is being made to address the company’s cyber risk
- 15. Essentially, all models are wrong, but some are useful. - George E. P. Box
- 16. NIST 800-30r1 Source: NIST 800-30r1 – Guide for Conducting Risk Assessments
- 17. Analysis Methods 1.Qualitative 2.Semi-Quantitative 3.Quantitative Source: NIST 800-30r1 – Guide for Conducting Risk Assessments
- 21. Open FAIR
- 22. What is FAIR? Factor Analysis of Information Risk Published by Jack Jones in 2005 Adopted by the Open Group in 2014 ● Risk Taxonomy Standard ● Risk Analysis Standard
- 23. Causes of Bad Analysis ● Bad models ● Bad estimates and measurements ● Poorly defined scope, scenarios ● Poorly defined measurement scales ● Math on ordinal scales ● Cognitive biases
- 24. Loss Magnitude Risk Loss Event Frequency The probable frequency and probable magnitude of loss.
- 25. Loss Event Frequency Loss Magnitude Threat Event Frequency Risk Vulnerability Contact Frequency Probability of Action Threat Capability Resistance Strength
- 26. Loss Event Frequency Loss Magnitude Threat Event Frequency Risk Vulnerability Contact Frequency Probability of Action Threat Capability Resistance Strength
- 27. Loss Event Frequency Loss Magnitude Threat Event Frequency Risk Vulnerability Contact Frequency Probability of Action Threat Capability Resistance Strength
- 28. Loss Event Frequency Loss Magnitude Threat Event Frequency Risk Vulnerability Contact Frequency Probability of Action Threat Capability Resistance Strength
- 29. Loss Event Frequency Loss Magnitude Threat Event Frequency Risk Vulnerability Contact Frequency Probability of Action Threat Capability Resistance Strength
- 30. Loss Event Frequency Loss Magnitude Threat Event Frequency Risk Vulnerability Contact Frequency Probability of Action Threat Capability Resistance Strength
- 31. Loss Event Frequency Loss Magnitude Threat Event Frequency Risk Vulnerability Contact Frequency Probability of Action Threat Capability Resistance Strength
- 32. Loss Event Frequency Loss Magnitude Secondary Loss Factors Risk Primary Loss Factors Organizational Loss Factors External Loss Factors Asset Loss Factors Threat Loss Factors
- 33. Loss Event Frequency Loss Magnitude Secondary Loss Factors Risk Primary Loss Factors Organizational Loss Factors External Loss Factors Asset Loss Factors Threat Loss Factors
- 34. Forms of Loss ● Productivity ● Response ● Replacement ● Fines/Judgement ● Competitive Advantage ● Reputation
- 35. Loss Event Frequency Loss Magnitude Secondary Loss Factors Risk Primary Loss Factors Organizational Loss Factors External Loss Factors Asset Loss Factors Threat Loss Factors
- 36. Case Study Auditors report lack of laptop encryption is a “high risk” issue. Encryption will require a $200-250K investment. CFO wants to know if this is worth the investment.
- 37. Case Study Loss Event Frequency Min (95% CI) Most Likely Max (95% CI) LEF 0 1 5
- 38. Case Study Primary Loss Magnitude Min (95% CI) Most Likely Max (95% CI) Replacement Costs $1,200 $1,750 $2,500 Response Costs $2,500 $10K $75K
- 39. Case Study Secondary Loss Magnitude Min (95% CI) Most Likely Max (95% CI) Response Costs $5K $25K $1M Fines / Judgement $0 $0 $10M
- 40. Case Study
- 41. Case Study
- 42. You are here
- 44. @appsgarcia agarcia@healthguardsecurity.com 513.549.4272 Apolonio “Apps” Garcia John Zuziak Sanitized version of slidedeck will be available at: www.healthguardsecurity.com/blog @johnzuziak john.zuziak@ulh.org 859.240.7582 Follow us: @healthguardsec