Before we can begin to analyze any risk scenario, we have to understand the components that make up the landscape. The FAIR framework contains four primary components – threats, assets, the organization itself, and the external environment. Everything within a scenario falls into one of these categories, and each has attributes, or factors, that contribute positively or negatively to risk.
In this section, we’ll spend most of our time covering the threat component because even simple FAIR analyses rely on the analyst to have a solid understanding of threat concepts.
Threats
As I mentioned in the Bald Tire section, a threat is anything (e.g., object, substance, human, etc.) that is capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur.
As we progress through this document, we’ll see that threat factors play a major role in our loss probabilities. The challenge is that we can’t know who the next attacker will be any more than we can know whether the next toss of the coin will turn up heads. However, because we understand the fundamental characteristics of the coin and the toss, we can reasonably predict that out of the next 500 tosses, about (but probably not precisely) 50% will turn up heads. In the same way, we can define and characterize the threat landscape, and then establish reasoned probabilities regarding the frequency and nature of attacks.
Threat Agents
Individuals within a threat population
Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable.
Threat Communities
Subsets of the overall threat agent population that share key characteristics
The notion of threat communities is a powerful tool for understanding who and what we’re up against as we try to manage risk. For example, consider the following threat community profile:
- Motive: ideology
- Primary intent: damage/destroy
- Sponsorship: unofficial
- Preferred general target characteristics: entities or people who clearly represent a conflicting ideology
- Preferred specific target characteristics: high profile, high visibility
- Preferred targets: human, infrastructure (buildings, communications, power, etc.)
- Capability: varies by attack vector (technological: moderate)
- Personal risk tolerance: high
- Concern for collateral damage: low
A threat agent having these characteristics might be said to fall into the Terrorist threat community.
The probability that your organization would be subject to an attack from the terrorist threat community would depend in large part on the characteristics of your organization relative to the motives, intents, and capabilities of the terrorists. Is your organization closely affiliated with ideology that conflicts with known, active terrorist groups? Does your organization represent a high profile, high impact target? Is your organization a soft target? How does your organization compare with other potential targets? If your organization were to come under attack, what components of your organization would be likely targets? For example, how likely is it that terrorists would target your information or systems?
The following threat communities are examples of the human malicious threat landscape many organizations face:
- Internal
  - Employees
  - Contractors (and vendors)
  - Partners
- External
  - Cyber-criminals (professional hackers)
  - Spies
  - Non-professional hackers
  - Activists
  - Nation-state intelligence services (e.g., counterparts to the CIA, etc.)
  - Malware (virus/worm/etc.) authors
Note that you can subdivide the threat population further, or differently, as suits your needs. For example, in many risk analyses it makes perfect sense to subdivide employees into those who have elevated access privileges and greater technical expertise (e.g., system and network administrators), and those who don’t have elevated privileges or high levels of expertise (e.g., the general employee populace). When you subdivide communities or identify new communities, it’s important to be clear on what differentiates the new communities from existing ones.
It’s also important to recognize that threat community membership isn’t mutually exclusive. In other words, a threat agent can be a member of more than one threat community – e.g., a non-professional hacker might also be an employee or contractor. Similarly, the characteristics of individual threat agents may not always align perfectly with any single threat community. In other words, the characteristics of an individual threat agent may not align with every characteristic of the terrorist community. You might, for example, have a “terrorist” with a low tolerance for personal risk. Remember, the point isn’t to develop a perfect characterization of the threat landscape, as that’s not possible. The point is to develop a reasoned and more thorough understanding of the threat landscape. This allows us to better estimate probabilities and identify more effective risk management solutions.
Threat Characteristics
We can identify any number and variety of threat agent characteristics with which to profile threat communities. Under most circumstances there are relatively few truly significant characteristics. Including too many characteristics in our analysis makes the model much more difficult to use, with relatively little improvement in results. This is an example of where risk modeling typically will trade precision for increased practicality.
There are four primary components of our risk taxonomy that we want to identify threat agent characteristics for – those characteristics that affect:
- The frequency with which threat agents come into contact with our organizations or assets
- The probability that threat agents will act against our organizations or assets
- The probability of threat agent actions being successful in overcoming protective controls
- The probable nature (type and severity) of impact to our assets
It’s important for us to understand the factors that drive these differentiating characteristics in order to effectively assess the probability of being subject to attack and, if subjected to attack, the likely nature, objective, and outcome of the attack. We’ll examine these factors a bit more as we go along.
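The four groups of characteristics above can be estimated per threat community and simulated, in the same spirit as the coin-toss reasoning earlier. This is an added example, not part of the original article: it assumes the factors chain in order (contact, then action, then success against controls, then loss), and the `ThreatCommunity` class, the function names and every number are constructed for illustration.

```python
import random
from dataclasses import dataclass

@dataclass
class ThreatCommunity:
    name: str
    contacts_per_year: tuple  # (min, max) contacts with the asset per year
    p_action: float           # probability an agent acts, given contact
    p_success: float          # probability an action overcomes controls
    loss_per_event: tuple     # (low, mode, high) impact per loss event

# Constructed estimates for illustration only, not figures from the article.
COMMUNITIES = [
    ThreatCommunity("Privileged employees", (200, 300), 0.005, 0.90,
                    (1_000, 5_000, 50_000)),
    ThreatCommunity("Cyber-criminals", (20, 60), 0.30, 0.10,
                    (5_000, 20_000, 200_000)),
]

def expected_loss_events(tc):
    """Long-run loss events per year implied by the first three factors."""
    lo, hi = tc.contacts_per_year
    return (lo + hi) / 2 * tc.p_action * tc.p_success

def simulate(tc, years=2000, seed=1):
    """Simulate each year contact by contact; return per-year events and losses."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    low, mode, high = tc.loss_per_event
    events, losses = [], []
    for _ in range(years):
        contacts = rng.randint(*tc.contacts_per_year)
        n = sum(1 for _ in range(contacts)
                if rng.random() < tc.p_action and rng.random() < tc.p_success)
        events.append(n)
        losses.append(sum(rng.triangular(low, high, mode) for _ in range(n)))
    return events, losses

def summarize(tc, years=2000, seed=1):
    """Reduce the simulated years to the figures an analyst would report."""
    events, losses = simulate(tc, years, seed)
    ranked = sorted(losses)
    return {
        "community": tc.name,
        "mean_events": sum(events) / years,
        "mean_loss": sum(losses) / years,
        "p90_loss": ranked[int(0.9 * years)],
        "years_without_loss": sum(1 for n in events if n == 0) / years,
    }

if __name__ == "__main__":
    for tc in COMMUNITIES:
        print(summarize(tc))
```

No single simulated year is predictable, but the averages settle near the values the estimates imply, which is the sense in which a characterized threat landscape yields reasoned probabilities.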
Assets
Within the information risk landscape, we can define Asset as any data, device, or other component of the environment that supports information-related activities, and which can be affected in a manner that results in loss. Assets have characteristics related to value, liability, and controls strength that represent risk factors.
In order for an asset to introduce any potential for loss, it has to have one or more characteristics that represent value or liability. For example, an organization’s productivity has to depend on an asset before harm to that asset can result in productivity loss. Likewise, regardless of the sensitivity of an asset, an organization has to have a legal duty to protect the asset in order for the asset to represent a potential legal liability.
For this introduction to FAIR, we’ll limit our asset value and liability considerations to:
- Criticality – that characteristic of an asset that has to do with the impact to an organization’s productivity. For example, the impact a corrupted database would have on the organization’s ability to generate revenue
- Cost – the costs associated with replacing an asset that has been stolen or destroyed. Examples include the cost of replacing a stolen laptop or rebuilding a bombed-out building
- Sensitivity – the impact resulting from confidential information being disclosed or improperly used
The Organization
Risk exists within the context of an organization or entity. In other words, harm to assets affects one or more of the organization’s value propositions (more on this later). It is the organization that loses resources or the ability to operate. Characteristics of the organization also can serve to attract the attention of certain threat communities, which may increase the frequency of events.
The External Environment
The environment in which an organization operates plays a significant role in risk. Various external characteristics, such as the regulatory landscape, competition within the industry, etc., all help to drive the probability of loss.
We’ll cover organizational and external environment factors in greater detail in the Factoring and Measurement sections.
January 12th, 2007 at 1:20 pm
[...] First, if we’re going to be looking at risk, DCS, SCADA and the physical layer let’s start by talking about our threat communities. There’s a very nice piece on profiling a threat agents here. Go ahead and have a read, I’ll wait. [...]
March 9th, 2009 at 4:10 pm
[...] let’s talk about threats. First, from the Introduction to FAIR: Risk Landscape Components: As I [Jack Jones] mentioned in the Bald Tire section, threats are anything (e.g., object, [...]
March 30th, 2009 at 6:49 pm
[...] the definition of threat community. From the Introduction to FAIR: Risk Landscape Components: Subsets of the overall threat agent population that share key [...]
January 17th, 2010 at 7:40 pm
Good post, thanks for the good info
August 26th, 2010 at 4:50 pm
There are so many threats out there that it is so hard to classify them sometimes. It looks like you did a lot of this work in dreamweaver or a similar program, you have many strange characters in throughout your post. This always troubles me, like a threat!