Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

When possibility is all you have.

Recently I was placed in the position of having to do a quiet risk assessment of my own.  After the fact, going through the FAIR loss event frequency branch of the framework, I found that I had mentally filled in the following:

Contact = constant
Action = who knows?
Control strength = this is the knob I had to tweak in my decision:  how much control strength to apply.  The settings were 0, 50, and 100. 
Threat capability = 100 percent, if I didn’t change the control strength.

It occurred to me that “Action” may be equivalent to “motivation.”  If they had the capability, and could do it at any time because they had constant contact (or access, which isn’t the same as actually making contact), what was the probability of them doing it?  How motivated would they be?

I had absolutely no way of figuring this out without killing Schroedinger’s cat, so to speak.  I knew the level of motivation was non-zero, but that was all I had to go on.  I also knew that the act of my setting the Control Strength higher than zero would possibly affect the motivation level, for this event and for other possible events.

So based on my estimation of Probable Loss Magnitude, I put that together with the possibility of Action, and cranked the Control Strength to 50.  50 made the Probable Loss Magnitude close to zero, based on our recovery capabilities, but it might also have raised the probability of Action.  (If it’s a loss and you can recover in a trivial amount of time, is it really a loss?  Or is it just having a stick poked in your eye?)

My dreaded event did happen, and we recovered just fine.  But my eye’s a little sore.
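As an added illustration (not from the original post, and not the FAIR standard's own lookup tables), here is the loss event frequency branch above as a small Python model: Contact × Probability of Action gives Threat Event Frequency, the share of Threat Capability that exceeds Control Strength gives Vulnerability, and their product gives Loss Event Frequency. Every number, the uniform capability band, and the rule for deriving Vulnerability are assumptions chosen to mirror the 0/50/100 knob.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One setting of the knob. All values are constructed, not from the post."""
    contact_per_year: float   # Contact frequency ("constant" in the post)
    p_action: float           # Probability of Action per contact ("who knows?")
    tcap_range: tuple         # Threat Capability as a (low, high) percentile band
    control_strength: float   # the knob: 0, 50 or 100
    loss_magnitude: float     # Probable Loss Magnitude per event (dollars)


def vulnerability(tcap_range, control_strength):
    """Assumed rule: fraction of the capability band that exceeds the control.
    FAIR derives Vulnerability from a table; this is a stand-in."""
    lo, hi = tcap_range
    if control_strength >= hi:
        return 0.0
    if control_strength <= lo:
        return 1.0
    return (hi - control_strength) / (hi - lo)


def threat_event_frequency(s):
    return s.contact_per_year * s.p_action


def loss_event_frequency(s):
    return threat_event_frequency(s) * vulnerability(s.tcap_range, s.control_strength)


def annualized_loss(s):
    return loss_event_frequency(s) * s.loss_magnitude


def compare_settings():
    """Walk the knob through 0/50/100. Constructed values: daily contact, a 1%
    chance of action that rises as controls tighten (the post's worry), capability
    in the 60-100 band, and a loss magnitude that collapses once recovery is trivial."""
    settings = [
        Scenario(365, 0.010, (60, 100), 0, 20_000),
        Scenario(365, 0.015, (60, 100), 50, 500),
        Scenario(365, 0.020, (60, 100), 100, 0),
    ]
    # control strength -> (loss events per year, annualized loss in dollars)
    return {s.control_strength: (loss_event_frequency(s), annualized_loss(s))
            for s in settings}


if __name__ == "__main__":
    for cs, (lef, ale) in compare_settings().items():
        print(f"CS={cs:>3}: loss events/yr={lef:.3f}  annualized loss=${ale:,.2f}")
```

With these inputs the 50 setting sees more loss events per year than 0 (motivation went up) yet a far smaller annualized loss, which is the trade-off the post describes.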


Posted by shrdlu on Thursday, May 24, 2007

Comments

Alex (United States) on 05/25 at 11:42 AM:

Hi Shrdlu!

Contact and Action is probably the most difficult (and most important part) of FAIR.  When you say contact is “constant”, are you seeing automated malware, or just talking about seemingly constant “contact” like a port scan?  Or am I reading that this is concerning an Internal Threat Community with Privileges? 

You’re absolutely correct in correlating motivation to probability of action - PoA consists of perceived value of success, risk of failure (the attackers can use FAIR, too!) and probable ability to succeed on the part of an attacker.  It’s very important to consider these in an Internal Threat Community.  If you think about all the Security Through Theatre stuff (like the TSA) what they’re really trying to do is lower the “motivation” or probability of action by messing with the attackers “action” factors.

I should mention that I rarely go into that depth of detail in an analysis (and usually just think in terms of a raw TEF estimate).  Can I expect an insider to go bad once every 2, 3, 5, 10 years?  What is the past history (if any) for folks being fired for illicit access?  I let those priors drive an accurate number for TEF rather than getting “hung up on” determining a precise probability of action.

Regarding Control Strength, I would highly encourage you to get more granular in your population distribution - 0/50/100 is just a little better than binary (we have controls and they’re the best, or we have no controls).  Most organizations that have some degree of Information Security operate in a 50-99 percentile range - unless they just really have no controls for that specific scenario. 

Finally, your ability to respond quickly is a huge piece of control strength.  Controls may be preventative, detective, or responsive (or some combination thereof).  If you think about your control strength being a 1-99 rating based on your ability to do some combination of all three then some interesting things pop out at us:

1.)  If preventative efforts are 100% effective, then we don’t care about detection and response
2.)  If detection and response are 100% effective, then we don’t care about preventative.

Specific controls, as you show us, can and will also have an effect on loss magnitude.  Esp. concerning Fines/Judgments (compliance).  If we have the necessary boxes checked, we’re less likely to get a “full” fine from someone.  As an example, what if TJX had been fully PCI compliant, blessed by the most reputable audit firm available?  How would their losses due to incident look then?
