Factor analysis of information risk (FAIR for short) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events. It is not, per se, a “cookbook” that describes how to perform an enterprise (or individual) risk assessment.
A number of methodologies deal with risk management in an IT environment or IT risk, related to information security management systems and standards like ISO/IEC 27000-series.
The unanswered challenge, however, is that without a solid understanding of what risk is, what the factors are that drive risk, and without a standard nomenclature, we can’t be consistent or truly effective in using any method. FAIR seeks to provide this foundation, as well as a framework for performing risk analyses. Much of the FAIR framework can be used to strengthen, rather than replace, existing risk analysis processes like those mentioned above.
FAIR is not another methodology to deal with risk management, but it complements existing methodologies.
FAIR underlines that risk is an uncertain event and one should not focus on what is possible, but on how probable is a given event. This probabilistic approach is applied to every factor that is analysed. The risk is the probability of a loss tied to an asset.
An asset’s loss potential stems from the value it represents and/or the liability it introduces to an organization. For example, customer information provides value through its role in generating revenue for a commercial organization. That same information also can introduce liability to the organization if a legal duty exists to protect it, or if customers have an expectation that the information about them will be appropriately protected.
FAIR defines six kind of loss:
Productivity – a reduction of the organization to effectively produce goods or services in order to generate value
Response – the resources spent while acting following an adverse event
Replacement – the expense to substitute/repair an affected asset
Fines and judgements (F/J) – the cost of the overall legal procedure deriving from the adverse event
Competitive advantage (CA)- missed opportunities due to the security incident
Reputation – missed opportunities or sales due to the diminishing corporate image following the event
FAIR defines value/liability as:
Criticality – the impact on the organization productivity
Cost – the bare cost of the asset, the cost of replacing a compromised asset
Sensitivity – the cost associated to the disclosure of the information, further divided into:
Embarrassment – the disclosure states the inappropriate behaviour of the management of the company
Competitive advantage – the loss of competitive advantage tied to the disclosure
Legal/regulatory – the cost associated with the possible law violations
General – other losses tied to the sensitivity of data
Threat agents can be grouped by Threat Communities, subsets of the overall threat agent population that share key characteristics. It’s important to define precisely threat communities in order to effectively evaluate impact (loss magnitude).
Threat agents can act differently on an asset
Access – read the data without proper authorization
Misuse – use the asset without authorization and or differently form the intended usage
Disclose – the agent let other people to access the data
Modify – change the asset (data or configuration modification)
Deny access – the threat agent do not let the legitimate intended users to access the asset
This actions can affect differently various asset: the impact is different along with the characteristics of the asset and its usage. Some assets have high criticality and low sensitivity: deny access has a much higher impact than disclosure on them. Vice versa high sensitivity data can have low productivity impact while not available, but huge embarrassment and legal impact if disclosed: former patient health data availability do not affect an healthcare organization productivity but can cost millions dollars if disclosed. A single event can involve different assets: a [laptop theft] has an impact on the availability of the laptop itself but can lead to the potential disclosure of the information stored on it.
The point is that it’s the combination of the asset and type of action against the asset that determines the fundamental nature and degree of loss.
Important aspects to be considered are the agent motive and the affected asset characteristics.