Ask a dozen information security professionals to define risk and you’re certain to get several different answers. Pick up any information security book and you’re likely to find that the author has used the terms risk, threat, and vulnerability interchangeably (they aren’t the same thing). The simple fact is that our profession hasn’t adopted a standard lexicon or taxonomy. The implications are not favorable, and many within the information security profession face the ramifications every day – for example:
- Marginalization in the organizations we serve
- Difficulty in convincing organizational leadership to take recommendations seriously
- Inefficient use of resources
As I see it, these issues practically scream “absence of credibility,” yet our most common response has been to complain, “they (the executives) just don’t get it.” My recent observations suggest otherwise. Over the past several years it’s become apparent to me that, far more often than not, executives DO get it. These are sharp people who live and breathe risk management as a significant and fundamental component of their jobs. It seems, instead, that the misalignment boils down to basic differences in definition and perspective. The executives are thinking “risk”, and we’re thinking “security” – two subtly but critically different things, which will become apparent as we progress through this document.
The good news is that some within our profession have recognized the need to focus on risk, and have developed analysis processes and tools that take us in that direction. FRAP and OCTAVE® are a couple of the better-known examples. The unanswered challenge, however, is that without a solid understanding of what risk is and what factors drive it, and without a standard nomenclature, we can’t be consistent or truly effective in using any method. FAIR seeks to provide this foundation, as well as a framework for performing risk analyses. It’s important to note that much of the FAIR framework can be used to strengthen, rather than replace, existing risk analysis processes like those mentioned above.
Be forewarned that some of the explanations and approaches within the FAIR framework will challenge long-held beliefs and practices within our profession. I know this because at various times during my research I’ve been forced to confront and reconcile differences between what I’ve believed and practiced for years and the answers that were emerging from that research. Bottom line – FAIR represents a paradigm shift, and paradigm shifts are never easy.
Risk and risk analysis are large and complex subjects. Consequently, in writing this document I’ve had to balance the need to provide enough information so that risk concepts and the FAIR framework are clear and useful, and yet keep the length manageable. The result is what can best be described as an introduction and primer. For example, I’ve limited the scope to only include the human malicious threat landscape, leaving out threat events associated with error, failure, or acts of God. Some of the deeper, more complex elements of the framework also have been left out, and other elements have been brushed over lightly. Please accept my apologies in advance for the inevitable questions this introduction will leave unanswered. More thorough documentation is being developed. On the other hand, unanswered questions can be a good thing if they lead to dialog, debate, and additional research…
What’s Covered…
The Bald Tire Scenario section will illustrate, through metaphor, some of the fundamental challenges facing the information security profession. It also briefly introduces some of the concepts that are fundamental to overcoming our challenges.
Before we can reasonably discuss the factors that drive risk, we first have to come to a common understanding of what risk is. Risk and Risk Analysis discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR.
Risk Landscape Components briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk.
Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the risk factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework. Note that we’ll stay relatively high-level in our factoring to keep this from becoming a book.
The Controls section briefly introduces the three dimensions of a controls landscape.
Measuring Risk briefly discusses measurement concepts and challenges, and then provides a high-level discussion of risk factor measurements.