Wikipedia

Factor analysis of information risk

Factor analysis of information risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. It is not a methodology for performing an enterprise (or individual) risk assessment.[1]

FAIR is also a risk management framework developed by Jack A. Jones, and it can help organizations understand, analyze, and measure information risk according to Whitman & Mattord (2013).

A number of methodologies deal with risk management in an IT environment or IT risk, related to information security management systems and standards such as the ISO/IEC 27000 series.

FAIR complements the other methodologies by providing a way to produce consistent, defensible belief statements about risk.[2]

Although the basic taxonomy and methods have been made available for non-commercial use under a Creative Commons license, FAIR itself is proprietary. Using FAIR to analyze someone else's risk for commercial gain (e.g. through consulting or as part of a software application) requires a license from RMI.[3]

Documentation

FAIR's main document is "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006.[4]

The contents of this white paper and the FAIR framework itself are released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 license. The document first defines what risk is. The Risk and Risk Analysis section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.

The Controls section briefly introduces the three dimensions of a controls landscape. Measuring Risk briefly discusses measurement concepts and challenges, and then provides a high-level discussion of risk factor measurements.

Main concepts

FAIR underlines that risk is an uncertain event: one should not focus on what is possible, but on how probable a given event is. This probabilistic approach is applied to every factor that is analyzed. Risk is the probability of a loss tied to an asset; in FAIR, risk is defined as the “probable frequency and probable magnitude of future loss.”[5] FAIR further decomposes risk into the factors that make up probable frequency and probable loss, each of which can be measured as a quantity. These factors include: Threat Event Frequency, Contact Frequency, Probability of Action, Vulnerability, Threat Capability, Difficulty, Loss Event Frequency, Primary Loss Magnitude, Secondary Loss Event Frequency, Secondary Loss Magnitude, and Secondary Risk.
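The decomposition above, worked through as an added example (not part of the article or of the FAIR documents): a small Monte Carlo model that samples each of the listed factors from a calibrated (min, most likely, max) range and rolls the samples up to an annualised loss distribution. The arithmetic between the factors (Threat Event Frequency = Contact Frequency × Probability of Action; a threat event becomes a loss event when Threat Capability exceeds Difficulty; loss magnitude = primary loss plus Secondary Loss Event Frequency × Secondary Loss Magnitude) is the standard Open FAIR relationship, which the article names but does not spell out; the numeric ranges are constructed for illustration.

```python
"""Monte Carlo estimate of FAIR risk from the factors the article lists.
Added example, not taken from the article or the FAIR documents; it uses
the standard Open FAIR relationships:
  TEF = Contact Frequency x Probability of Action
  Vulnerability = P(Threat Capability > Difficulty),  LEF = TEF x Vulnerability
  Risk = LEF x (Primary Loss Magnitude + Secondary LEF x Secondary Loss Magnitude)
"""
import random
from statistics import mean, quantiles

# Constructed (min, most likely, max) estimates for one scenario, not real data.
SCENARIO = {
    "contact_frequency": (20, 50, 120),             # threat contacts per year
    "probability_of_action": (0.05, 0.10, 0.25),    # share of contacts that become attempts
    "threat_capability": (0.30, 0.55, 0.90),        # percentile within the threat community
    "difficulty": (0.40, 0.60, 0.80),               # control strength on the same scale
    "primary_loss": (5_000, 25_000, 150_000),       # productivity, response, replacement
    "secondary_lef": (0.10, 0.30, 0.60),            # share of events that draw secondary loss
    "secondary_loss": (10_000, 80_000, 1_000_000),  # fines/judgments, CA, reputation
}

def draw(rng, factor):
    """Sample one factor from its triangular (min, mode, max) estimate."""
    lo, mode, hi = SCENARIO[factor]
    return rng.triangular(lo, hi, mode)

def simulate_year(rng):
    """Walk the taxonomy once and return the simulated annual loss in dollars."""
    tef = draw(rng, "contact_frequency") * draw(rng, "probability_of_action")
    # Vulnerability is a comparison, not a fixed number: each threat event
    # becomes a loss event only when sampled capability beats sampled difficulty.
    loss_events = sum(draw(rng, "threat_capability") > draw(rng, "difficulty")
                      for _ in range(round(tef)))
    # One loss-magnitude draw per simulated year keeps the model small.
    per_event = draw(rng, "primary_loss") + draw(rng, "secondary_lef") * draw(rng, "secondary_loss")
    return loss_events * per_event

def estimate_risk(iterations=10_000, seed=1):
    """Return the annualised loss as mean and 10/50/90th percentiles, plus Vulnerability."""
    rng = random.Random(seed)
    losses = [simulate_year(rng) for _ in range(iterations)]
    p10, p50, p90 = (quantiles(losses, n=10)[i] for i in (0, 4, 8))
    hits = sum(draw(rng, "threat_capability") > draw(rng, "difficulty") for _ in range(iterations))
    return {"mean": mean(losses), "p10": p10, "p50": p50, "p90": p90,
            "vulnerability": hits / iterations}

if __name__ == "__main__":
    for name, value in estimate_risk().items():
        print(f"{name:>13}: {value:,.2f}")
```

The output is a distribution rather than a single number, which is the point the article makes about probable frequency and probable magnitude: the mean alone hides how far the 90th percentile year sits from the median one.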

Asset

An asset’s loss potential stems from the value it represents and/or the liability it introduces to an organization.[4] For example, customer information provides value through its role in generating revenue for a commercial organization. That same information can also introduce liability to the organization if a legal duty exists to protect it, or if customers have an expectation that the information about them will be appropriately protected.

FAIR defines six kinds of loss:[4]

  1. Productivity – a reduction in the organization's ability to effectively produce goods or services in order to generate value
  2. Response – the resources spent responding to an adverse event
  3. Replacement – the expense to substitute or repair an affected asset
  4. Fines and judgments (F/J) – the cost of the overall legal procedure deriving from the adverse event
  5. Competitive advantage (CA) – missed opportunities due to the security incident
  6. Reputation – missed opportunities or sales due to the diminished corporate image following the event

FAIR defines value/liability as:[4]

  1. Criticality – the effect on the organization's productivity
  2. Cost – the bare cost of the asset, i.e. the cost of replacing a compromised asset
  3. Sensitivity – the cost associated with the disclosure of the information, further divided into:
    1. Embarrassment – the disclosure reveals inappropriate behavior by the company's management
    2. Competitive advantage – the loss of competitive advantage tied to the disclosure
    3. Legal/regulatory – the cost associated with possible law violations
    4. General – other losses tied to the sensitivity of the data

Threat

Threat agents can be grouped into threat communities, subsets of the overall threat agent population that share key characteristics. Threat communities must be precisely defined in order to evaluate their effect (loss magnitude) effectively.

Threat agents can act differently on an asset:[4]

  • Access – read the data without proper authorization
  • Misuse – use the asset without authorization and/or differently from its intended usage
  • Disclose – the agent lets other people access the data
  • Modify – change the asset (data or configuration modification)
  • Deny access – the threat agent prevents the legitimate, intended users from accessing the asset

These actions can affect different assets in different ways: the effect varies with the characteristics of the asset and its usage. Some assets have high criticality but low sensitivity: on such assets, denial of access has a much higher effect than disclosure. On the other hand, an asset holding highly sensitive data can have a low productivity effect if it is unavailable, but a large embarrassment and legal effect if that data is disclosed: for example, the availability of former patients' health data does not affect a healthcare organization's productivity, but its disclosure can cost the organization millions of dollars.[6] A single event can involve different assets: a laptop theft affects the availability of the laptop itself but can lead to the potential disclosure of the information stored on it.

The combination of an asset's characteristics and the type of action against that asset determines the fundamental nature and degree of loss.

See also

  • Information security management
  • ISACA
  • ISO/IEC 27001
  • Risk management
  • Vulnerability (computing)

Notes and references

  1. Technical Standard Risk Taxonomy. ISBN 1-931624-77-1. Document Number: C081. Published by The Open Group, January 2009.
  2. Technical Standard Risk Taxonomy, Section 1.5. ISBN 1-931624-77-1. Document Number: C081. Published by The Open Group, January 2009.
  3. "The Open Group - Risk Management". The Open Group. 2019.
  4. "An Introduction to Factor Analysis of Information Risk (FAIR)". Risk Management Insight LLC. November 2006.
  5. Freund, Jack; Jones, Jack (2015). Measuring and Managing Information Risk. Waltham, MA: Butterworth-Heinemann. ISBN 9780127999326.
  6. Friedman, Terry (27 January 2009). "VA will pay $20 million to settle lawsuit over stolen laptop's data". CNN. Retrieved 1 February 2022.

Works cited

  • Whitman, Michael E.; Mattord, Herbert J. (18 October 2013). Management of Information Security. Cengage Learning. ISBN 978-1-305-15603-6.

External links

  • Risk Management Insight
  • FAIR Basic Risk Assessment Guide
  • FAIR Risk Taxonomy
  • Patent application
  • Open FAIR Certification
