FAIR Self Guided Training

By Tony Martin-Vegue – tony.martinvegue@gmail.com| @tdmv | www.tonym-v.com

Please don’t distribute without prior permission

Table of Contents

Objectives

Directions

Required Texts

Optional Texts

Module 1: Fundamental Concepts

Module 2: The Ontology, Part 1 (Deriving Loss Event Frequency)

Module 3: The Ontology, Part 2 (Deriving Loss Magnitude)

Module 4: Scoping an Assessment

Module 5: How to Measure Anything

Module 6: Interpreting and Reporting Results

 

 

Objectives

This is a self-study group with two objectives:

1)   Learn Factor Analysis of Information Risk (FAIR)

2)   Pass the OpenFAIR test and obtain certification

 

Directions

Obtain the required texts and read per the syllabus. Optional Texts and Extra Reading are not required to pass the test, but are relevant to the module and will help you in your understanding of FAIR and quantitative risk analysis.

 

Required Texts

·     Open Group Standard | Risk Taxonomy (C13K) - Free, registration required

·     Open Group Standard for Risk Analysis (C13G) - Free, registration required

·      “Measuring and Managing Information Risk: A FAIR Approach” by Jack Freund and Jack Jones - $45 on Amazon.com

 

Optional Texts

·     OpenFAIR Flash Cards - Free; will help in passing the OpenFAIR exam

·     OpenFAIR Study Guide (B140) - $29.95 at the OpenGroup website; will help in passing the OpenFAIR exam.

·     “The Failure of Risk Management: Why It’s Broken and How to Fix It” by Douglas Hubbard - $40 on Amazon.com

·     “How to Measure Anything in Cybersecurity Risk” by Douglas Hubbard and Richard Seiersen - $45 on Amazon.com

 

 

Module 1: Fundamental Concepts

Estimated study time: 2-4 hours

Assignments:

·     Read Chapters 1 and 2 of “Measuring and Managing Information Risk: a FAIR Approach,” and

·     Read the Risk Management Stack portion of “Measuring and Managing Information Risk: a FAIR Approach”, p. 279-279

·     Focus on and study the following concepts. These concepts are in the “Measuring and Managing Information Risk” book, but additional sources are listed in order to deepen understanding.

o   What is FAIR?

§  What is FAIR? | Web page from FAIR Institute

§  “FAIR FAQ” | Web page from FAIR Institute

§  Extra Reading: “The Failure of Risk Management: Why It’s Broken and How to Fix It,” Chapter 7, “Worse than Useless: The Most Popular Risk Assessment Method and Why it Doesn’t Work”

o   Definitions of Threat, Vulnerability and Risk

§  “What is Vulnerability?” | FAIR Institute blog post

§  “The Bald Tire Scenario” | FAIR Institute Video

o   Assessment versus Analysis 

§ Open Group Standard for Risk Analysis (C13G), p. 4

§  “Risk Analysis vs. Risk Assessment: What's the Difference?” | FAIR Institute blog post

o   Accuracy versus Precision 

§  Open Group Standard for Risk Analysis (C13G), p. 8-9

§  “What’s the difference between accuracy and precision?” | TED-Ed video

o   Possibility versus Probability 

§  “The 3 Most Confusing Risk Analysis Terms” | FAIR Institute blog post

§  “Possibility versus Probability” | Psychology Today article that has a good description of why people have a difficult time understanding these concepts

§  Extra Reading: “The Failure of Risk Management: Why It’s Broken and How to Fix It,” p. 123-127

o   Subjectivity versus Objectivity 

§  Open Group Standard for Risk Analysis (C13G), p. 9

 

 

Module 2: The Ontology, Part 1 (Deriving Loss Event Frequency)

 

Estimated study time: 3-5 hours

Assignments:

•      Read pages 25-35 from “Measuring and Managing Information Risk: a FAIR Approach”

•      Memorize the LEF portion of the ontology, with all inputs

•      Read pages 11-19 from “Open Group Standard for Risk Analysis (C13G)”

•      Focus on and study the following concepts. These concepts are in the “Measuring and Managing Information Risk” book, but additional sources are listed for SOME concepts in order to deepen understanding.

 

•      Overview – FAIR Ontology

o  FAIR on a Page | FAIR Institute blog post (focus on the LEF side)

o  Open Group Standard | Risk Taxonomy (C13K), p. 17-21

•      Contact Frequency

•      Probability of Action

•      Threat Event Frequency

o  “3 Common Mistakes When Calculating Threat Event Frequency” | RiskLens blog post

•      Threat Capability

•      Resistance Strength

•      Vulnerability

o  “Vulnerability in Risk Analysis, Explained in 2 Minutes” | FAIR Institute video

o  “What is Vulnerability” | FAIR Institute blog post

o  “Threat Capability and Resistance Strength: A Weight on a Rope” | FAIR Institute blog post

•      Loss Event Frequency

o   “Loss Event Frequency Explained in 3 Minutes” | FAIR Institute video

 

 

 

Module 3: The Ontology, Part 2 (Deriving Loss Magnitude)

 

Estimated study time: 3-5 hours

Assignments:

 

·     Read pages 35-41 and 62-73 (Primary and Secondary Stakeholders) from “Measuring and Managing Information Risk: a FAIR Approach”

·     Memorize the LEF portion of the ontology, with all inputs

·     Memorize what the inputs are for all parts of the ontology (hint: it is always a frequency, a percentage or a dollar amount).

·     Extra Reading: Chapter 6 of “How to Measure Anything in Cybersecurity Risk” by Hubbard and Seiersen. (You can ignore the Excel code for FAIR, but this is an excellent tutorial on how to decompose a risk problem into smaller pieces, especially loss forms. Hubbard also presents another view of how to measure reputation risk.)

·     Focus on and study the following concepts. These concepts are in the “Measuring and Managing Information Risk” book, but additional sources are listed for SOME concepts in order to deepen understanding.


·      Overview – FAIR Ontology

·      FAIR on a Page | FAIR Institute blog post (focus on the Loss Magnitude (LM) side)

•      Primary Loss

§  Understand the 6 forms of loss: Productivity, Response, Replacement, Competitive Advantage, Fines and Judgments, Reputation

§  “A Crash Course on Capturing Loss Magnitude with the FAIR Model” | FAIR Institute blog post (this is a great post that breaks down each of the 6, with examples)

§  “Ransomware Risk” | FAIR Institute blog post (this is a mini-risk assessment, but elaborates on all loss types with real examples)

§  “There’s No Such Thing as Reputation Risk” | FAIR Institute blog post (confused yet? Me too. Jack’s thinking has evolved on this, and it’s important to note because he makes a very good point.)

•      Secondary Risk

·     “Understanding Secondary Loss” | RiskLens blog post (secondary loss is one of the hardest concepts in FAIR to understand. This presents the ideas in a different way.)

§  Secondary Loss Event Frequency (SLEF)

§  Secondary Loss Magnitude
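To see how the two halves of the ontology fit together, here is a small Monte Carlo run through the LEF side (Module 2) and the LM side (Module 3). This is an added illustration, not code from the Freund and Jones book or the Open Group standard, and every number in the scenario is constructed (a hypothetical external actor against an internet-facing service); a real analysis would replace them with calibrated estimates. Threat Event Frequency is Contact Frequency times Probability of Action, a threat event becomes a loss event when the sampled Threat Capability beats the sampled Resistance Strength (that fraction is Vulnerability), and each loss event carries the six primary loss forms plus, with probability given by Secondary Loss Event Frequency, a Secondary Loss Magnitude.

```python
"""Monte Carlo walk through the FAIR ontology: the LEF side (Module 2) and the LM side (Module 3).

Added illustration, not from the Freund & Jones book or the Open Group standard.
Every scenario number below is constructed; a real analysis would use calibrated estimates.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


# Constructed scenario (hypothetical): external actor against an internet-facing service.
# Every input is a frequency (per year), a percentage, or a dollar amount, as the hint above says.
SCENARIO = {
    # LEF side
    "contact_frequency": Estimate(50, 120, 300),          # contacts per year
    "probability_of_action": Estimate(0.02, 0.05, 0.10),  # share of contacts that act
    "threat_capability": Estimate(0.30, 0.55, 0.85),      # percentile of the threat community
    "resistance_strength": Estimate(0.50, 0.70, 0.90),    # percentile of attackers the controls resist
    # LM side: the six primary loss forms, dollars per loss event
    "primary_loss": {
        "productivity": Estimate(5_000, 20_000, 60_000),
        "response": Estimate(10_000, 40_000, 150_000),
        "replacement": Estimate(0, 5_000, 25_000),
        "competitive_advantage": Estimate(0, 0, 10_000),
        "fines_and_judgments": Estimate(0, 0, 50_000),
        "reputation": Estimate(0, 0, 0),  # reputation damage is carried by secondary stakeholders below
    },
    # Secondary risk: chance a loss event draws a secondary-stakeholder reaction, and what that costs
    "secondary_loss_event_frequency": Estimate(0.10, 0.30, 0.60),
    "secondary_loss_magnitude": Estimate(50_000, 200_000, 1_000_000),
}


def percentile(values, p):
    """Nearest-rank percentile for p in [0, 1]."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * len(ordered)))]


def simulate(scenario, iterations=10_000, seed=1):
    """Return Vulnerability, mean TEF/LEF and the annual loss distribution for the scenario."""
    rng = random.Random(seed)
    tef_total = lef_total = threat_events = 0.0
    annual_losses = []
    for _ in range(iterations):
        # Threat Event Frequency = Contact Frequency x Probability of Action
        tef = scenario["contact_frequency"].sample(rng) * scenario["probability_of_action"].sample(rng)
        # Turn the fractional frequency into a whole number of threat events this year
        events = int(tef) + (1 if rng.random() < tef - int(tef) else 0)
        year_loss, year_loss_events = 0.0, 0
        for _event in range(events):
            # Vulnerability: the event becomes a loss event only if Threat Capability beats Resistance Strength
            if scenario["threat_capability"].sample(rng) <= scenario["resistance_strength"].sample(rng):
                continue
            year_loss_events += 1
            primary = sum(form.sample(rng) for form in scenario["primary_loss"].values())
            secondary = 0.0
            if rng.random() < scenario["secondary_loss_event_frequency"].sample(rng):
                secondary = scenario["secondary_loss_magnitude"].sample(rng)
            year_loss += primary + secondary
        tef_total += tef
        threat_events += events
        lef_total += year_loss_events
        annual_losses.append(year_loss)
    return {
        "vulnerability": lef_total / threat_events if threat_events else 0.0,
        "tef_mean": tef_total / iterations,
        "lef_mean": lef_total / iterations,
        "annual_loss": {
            "p10": percentile(annual_losses, 0.10),
            "p50": percentile(annual_losses, 0.50),
            "p90": percentile(annual_losses, 0.90),
            "mean": sum(annual_losses) / iterations,
        },
    }


if __name__ == "__main__":
    result = simulate(SCENARIO)
    print(f"Vulnerability (P[TCap > RS]): {result['vulnerability']:.2f}")
    print(f"TEF {result['tef_mean']:.1f}/yr -> LEF {result['lef_mean']:.1f}/yr")
    for name, value in result["annual_loss"].items():
        print(f"annual loss {name}: ${value:,.0f}")
```

Raising Resistance Strength so that it always exceeds the threat community's capability drives Vulnerability, and therefore LEF and annual loss, to zero, which is the mechanical meaning of "controls" in Module 4; the same run with a weak Resistance Strength makes every threat event a loss event.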

 

Module 4: Scoping an Assessment

Estimated study time: 6-7 hours

 

We’re halfway through the training, and at this point everyone should have the FAIR ontology memorized and understand the inputs, the outputs and the relationships between all components. This module digs deeper into scoping a risk assessment, understanding how controls fit in, and performing an analysis.

 

Assignments:

 

Scoping an Analysis

·     Read Chapter 6 (Decompose It) from “How to Measure Anything in Cybersecurity Risk”

·     Read Chapter 6 (Analysis Process) “Measuring and Managing Information Risk: a FAIR Approach”

·      “Where to Find Risk Scenarios to Analyze” | FAIR Institute blog post 

 

Controls in a FAIR Analysis:

·      Read Open Group Standard for Risk Analysis (C13G), p. 31-34

·     Read Chapter 11 (Controls) “Measuring and Managing Information Risk: a FAIR Approach”

 

You are highly encouraged to start performing your own FAIR analyses. There are many applications, and you can even roll your own. Here are the tools I know of. I don’t endorse any one; in fact, you should try them all.

 

·     Basic Risk Analysis – pages 205-214 from “Measuring and Managing Information Risk: a FAIR Approach” | Pen and paper, qualitative method

·     FAIR-U | Free, basic version of RiskLens. For non-commercial use only. Registration required.

·     RiskLens | Included here to be thorough. Commercial, fee-based FAIR application.

·     Evaluator | Open source, OpenFAIR implementation, built and run on R

·     FAIR Tool | Another open source application, built on R + Shiny. 

·     OpenFAIR Risk Analysis Tool (spreadsheet, data sheet, guide to theory of application) | OpenGroup’s Excel-based application. Registration required.

 

Read as many FAIR analyses as you can muster:

 

From “Measuring and Managing Information Risk: a FAIR Approach”

·     Inappropriate access privileges – p. 123

·     Privileged Insider/snooping – p. 128

·     Privileged Insider/malicious – p. 130

·     Cybercriminal – p. 142

·     Unencrypted internal network traffic – p. 150

·     Privileged insider – p. 153

·     Nonprivileged insider – p. 164

·     Malicious cybercriminal – p. 171

·     Website denial of service – p. 175

·     Advanced attacker – p. 177

·     Basic attacker – p. 186

 

Other sources:

·      Amazon S3 | FAIR Institute blog post (not a great analysis, but good to see analysis scoping) 

·      Silicon Valley Megastorm | by Steve Poppe 

·      Project Risk part 1 | FAIR Institute Blog Post (I don’t think he ever posted part 2. This is incomplete but still good for understanding scoping)

·      Weight on a Rope | by Steve Poppe  

·      Business Continuity | by Steve Poppe

·      Analyze Risk in a Retail Environment | OpenGroup Webinar. Registration required.

·      A Cost-Benefit Analysis of Connecting Home Dialysis Machines Online to Hospitals in Norway | OpenGroup white paper. Registration required.

·      RiskLens Case Studies | Risk analysis case studies published by RiskLens. They vary in analysis depth; a few are great, some are less so. I enjoy reading these but WARNING – you have to give your email address up and they will start to contact you. Registration required.

 

 

Module 5: How to Measure Anything

Estimated study time: 4-6 hours

 

This module covers the most common question and criticism of any type of quantitative analysis: where do you get your data? Doug Hubbard famously said, “You have more data than you THINK and you need less data than you THINK.”

 

There are two types of data that can be used in a FAIR analysis: empirical data and the opinion of subject matter experts. Typically, a risk analyst will use a combination of both. Empirical data may not exactly fit the scope or assumptions of a particular risk analysis, in which case a subject matter expert is used to make adjustments.

 

Assignments:

·     Read Chapter 2, A Measurement Primer for Cybersecurity (starting on p. 19) from “How to Measure Anything in Cybersecurity Risk”

·     Read Chapter 7: Calibrated Estimates: How Much Do You Know? (starting on p. 133) from “How to Measure Anything in Cybersecurity Risk” by Hubbard & Seiersen

·     Read Chapter 5: Measurement (starting on p. 75) from “Measuring and Managing Information Risk: A FAIR Approach” by Jack & Jack

·     Read the section titled Risk Measurement and Calibration (pages 6-7) of the Open Group Standard for Risk Analysis (C13G)

 

Read the posts below on the following topics:

 

Where do I get data?

·     No Data? No Problem | FAIR Institute Blog Post

·     How to Deal with "Data Challenged" Risk Analyses | FAIR Institute Blog Post

·     Five Data Points Can Clinch a Business Case | Hubbard’s Blog

 

How do you use data in a FAIR analysis?

·      White Paper: Effectively Leveraging Data in FAIR Analyses | FAIR Institute White Paper (registration required)

·     Techniques for Probability Estimates | Less Wrong blog

 

Measurements

·     Hubbard: Challenge Me | Doug Hubbard blog post (Fantastic post in which readers try to stump Hubbard on measuring intangibles, and he tells you how to measure them. Read through the comments.)

·     The Measurement Challenge | Doug Hubbard blog post (Continuation of the above)

 

Calibration

·     Overconfidence: The Mother of All Biases | Psychology Today

·     Calibration Test | I would like everyone to take at least one of the quizzes. Are you overconfident, underconfident or perfectly calibrated?
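A calibration quiz is scored by counting how many of your 90% confidence intervals actually contained the true value. As an added example (not from Hubbard's materials or from any of the readings above), the routine below scores a constructed set of ten interval estimates about a hypothetical environment. Because ten questions are a small sample, it also computes how surprising the observed hit count would be for a genuinely calibrated estimator before calling anyone over- or underconfident.

```python
"""Score your own 90% confidence intervals, the way a calibration quiz does.

Added example; it is not from Hubbard's materials or the page. The estimates
below are constructed answers to questions about a hypothetical environment.
"""
import math

# Constructed: (question, low, high, actual) where [low, high] was the estimator's 90% interval
ESTIMATES = [
    ("Internet-facing hosts in the estate", 40, 60, 72),
    ("Phishing emails reported last quarter", 200, 400, 310),
    ("Median days to patch a critical CVE", 7, 21, 14),
    ("Workstations missing the EDR agent", 0, 25, 40),
    ("Privileged accounts in the directory", 80, 150, 95),
    ("Third parties with VPN access", 5, 15, 9),
    ("Days since the last backup restore test", 30, 120, 60),
    ("Failed VPN logins per day", 500, 2000, 1200),
    ("Laptops lost or stolen last year", 2, 10, 14),
    ("Hours of unplanned downtime last year", 4, 24, 10),
]


def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def calibration_report(estimates, target=0.90, alpha=0.10):
    """Count interval hits and ask how surprising that count would be for a calibrated estimator.

    A calibrated 90% estimator captures the true value in about 90% of intervals. Too few hits
    means the intervals were too narrow (overconfident); too many means too wide (underconfident).
    The verdict only leaves "consistent with calibration" when the observed hit count would occur
    with probability below alpha for a truly calibrated estimator, because ten questions are noisy.
    """
    n = len(estimates)
    missed = [question for question, low, high, actual in estimates if not low <= actual <= high]
    hits = n - len(missed)
    p_at_most = binomial_cdf(hits, n, target)               # P(this few hits or fewer | calibrated)
    p_at_least = 1.0 - binomial_cdf(hits - 1, n, target)    # P(this many hits or more | calibrated)
    if hits / n < target and p_at_most < alpha:
        verdict = "overconfident"
    elif hits / n > target and p_at_least < alpha:
        verdict = "underconfident"
    else:
        verdict = "consistent with calibration"
    return {"n": n, "hits": hits, "hit_rate": hits / n, "p_at_most": p_at_most,
            "p_at_least": p_at_least, "verdict": verdict, "missed": missed}


if __name__ == "__main__":
    report = calibration_report(ESTIMATES)
    print(f"{report['hits']}/{report['n']} intervals contained the true value -> {report['verdict']}")
    print(f"P(<= {report['hits']} hits | calibrated) = {report['p_at_most']:.3f}")
    for question in report["missed"]:
        print("  missed:", question)
```

With 7 of 10 intervals hit, a calibrated estimator would do that badly or worse only about 7% of the time, so the constructed estimator is flagged as overconfident; 10 of 10 hits, by contrast, happens about 35% of the time for a calibrated estimator and is not evidence of underconfidence.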

 

Extra Reading:

·     Chapter 6 “The Limits of Expert Knowledge: Why We Don’t Know What We Think We Know About Uncertainty” (starting on p. 95) | The Failure of Risk Management by Doug Hubbard

 

·     Thinking, Fast and Slow by Daniel Kahneman | (I know it’s not feasible to ask you all to read a nearly 500 page book in this study group, but if you truly want to take your risk analysis skills to the next level, read this eventually.)

 

 

Module 6: Interpreting and Reporting Results

Estimated study time: 2-3 hours

 

This module covers how to analyze, interpret and report results from a FAIR analysis, as well as a few readings on how to integrate FAIR with a larger cyber risk management or enterprise risk management program.

 

Assignments:

 

FAIR and the Risk Management Universe

·     Risk Management: Out with the Old, In with the New! | Blog post by Russell Thomas


·     Read Chapter 12, A Call to Action: How to Roll Out Cybersecurity Risk Management from “How to Measure Anything in Cybersecurity Risk” by Hubbard and Seiersen

·      NIST CSF & FAIR, parts 1 through 5 | FAIR Institute blog post (make sure you click through and read all five parts)

·     The OpenFAIR / NIST Cybersecurity Framework Cookbook | OpenGroup white paper (registration required)

·      Enterprise Risk Standards: Where does FAIR fit in? | FAIR Institute blog post

·      FAIR - ISO/IEC 27005 Cookbook | OpenGroup

 

 

Reporting Results:

 

·     Read Chapter 7, Interpreting Results from “Measuring and Managing Information Risk” by Jones and Freund

·     Read Chapter 13, Information Security Metrics, from “Measuring and Managing Information Risk” by Jones and Freund

·     Communicating Risk: Loss Exceedance Curves | blog post by Jay Jacobs

·     Read the Visualizing Risk, Supporting the Decision, and Where to Go From Here sections (pages 46-54) from “How to Measure Anything in Cybersecurity Risk” by Hubbard and Seiersen
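A loss exceedance curve is the usual way to report the annual loss distribution a FAIR simulation produces: for each loss level, the probability that a year's loss reaches or exceeds it. As an added example (not from the Jacobs post or from Hubbard and Seiersen), the code below builds that curve from a constructed list of twenty simulated annual losses, reads it backwards to get a "1-in-10-year loss", and compares it against a constructed risk tolerance curve, the decision overlay Hubbard and Seiersen use in the sections assigned above. The loss samples and the tolerance levels are made up; in practice the samples come from a Monte Carlo run of the model.

```python
"""Loss exceedance curve from simulated annual losses, with a risk-tolerance check.

Added example, not taken from the Jacobs post or from Hubbard and Seiersen.
The annual-loss samples and the tolerance curve are constructed; in practice the
samples come from a Monte Carlo run of the FAIR model.
"""

# Constructed: simulated annual loss for 20 years; zeros are years with no loss event
ANNUAL_LOSSES = [0, 0, 0, 0, 0, 0, 0, 0, 12_000, 25_000, 30_000, 45_000, 60_000,
                 80_000, 120_000, 150_000, 250_000, 400_000, 750_000, 1_500_000]

# Constructed risk tolerance: (loss level, highest acceptable probability of exceeding it)
TOLERANCE = [(10_000, 0.80), (100_000, 0.40), (250_000, 0.15), (1_000_000, 0.02)]


def exceedance_probability(annual_losses, threshold):
    """Share of simulated years whose loss reached or exceeded the threshold."""
    return sum(1 for loss in annual_losses if loss >= threshold) / len(annual_losses)


def loss_exceedance_curve(annual_losses, thresholds):
    """The curve as (threshold, P(loss >= threshold)) points; it never rises as the threshold grows."""
    return [(t, exceedance_probability(annual_losses, t)) for t in thresholds]


def loss_at_exceedance(annual_losses, probability):
    """Read the curve backwards: the loss level exceeded in roughly `probability` of years."""
    ordered = sorted(annual_losses)
    return ordered[min(len(ordered) - 1, int((1 - probability) * len(ordered)))]


def tolerance_breaches(annual_losses, tolerance):
    """Loss levels where the simulated exceedance probability is above what is tolerated."""
    return [level for level, max_prob in tolerance
            if exceedance_probability(annual_losses, level) > max_prob]


def render(curve, width=40):
    """Plain-text rendering of the curve, one row per threshold."""
    rows = []
    for threshold, prob in curve:
        bar = "#" * int(round(prob * width))
        rows.append(f"${threshold:>10,.0f} {prob:5.0%} {bar}")
    return "\n".join(rows)


if __name__ == "__main__":
    thresholds = sorted(level for level, _ in TOLERANCE) + [500_000]
    print(render(loss_exceedance_curve(ANNUAL_LOSSES, sorted(thresholds))))
    print("1-in-10-year loss:", loss_at_exceedance(ANNUAL_LOSSES, 0.10))
    print("Tolerance breached at:", tolerance_breaches(ANNUAL_LOSSES, TOLERANCE))
```

For the constructed data the curve is under the tolerance line at $10,000 and $100,000 but above it at $250,000 and $1,000,000, which is exactly the kind of statement a decision maker can act on: the tail, not the typical year, is what exceeds appetite.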