The Factor Analysis of Information Risk (FAIR) is the de facto standard quantitative model for information security and operational risk. And while FAIR continues to have a positive impact on how security professionals think about and communicate risk, the upfront costs associated with starting a FAIR program and the time it takes to realize actual value from those investments has made FAIR inaccessible to many enterprises.
“The current proposition for organizations pioneering in cyber risk quantification is a hard pill to swallow. The most well known approach, the one being held out to FAIR devotees, is one of a lot of heavy lifting without a lot of benefit,” said Steve Ward, Vice President at ThreatConnect and a cyber risk expert. “We’re talking about a heavily manual process involving personal interaction, investigation and interrogation of subject matter experts around the organization to expose the data that is needed to accurately quantify risk. So, early adopters in FAIR are basically finding that there’s a lot of promise, but there’s a ton of struggle on the implementation, and there’s not a lot of shelf life to make that investment worthwhile.”
The Costs of Building a FAIR Program
Building a FAIR program inside your enterprise is not for the faint of heart. Although every business is different, justifying an upfront investment on training, hiring, on either building your own tool or using one that doesn’t offer much in the way of any operational benefit – over the course of a year or more before you begin to see a return on your investment – is just not a defensible position. The cost and time considerations of implementing FAIR include:
- Training personnel on the FAIR standard ($1,500 per employee for basic fundamentals, $1,200 per employee for the analyst team)
- Hiring an internal staff (salaries, benefits – headcount you don’t have)
- Scope and calculate risk scenarios – over a period of months
- Either you build an internal tool or buy software that scales at the enterprise level
- If you buy the most well-known commercially available software, you will also require hundreds of thousands of dollars in professional services
“We’re being told to go get your steno pads and do this investigation, spend a lot of money and an inordinate amount of time getting there,” said Ward. “And then once you produce the output, well, guess what? Someone already moved the cheese on you. The threat landscape has evolved. Things are changing with respect to the state of your controls. Things are changing with respect to your exposure from a vulnerability perspective. The world evolves underneath your feet, and you don’t have a good and effective way to actually respond to it and recalibrate your risk.”
Jack Freund is the Head of Cyber Risk Methodology at VisibleRisk and is the co-author of “Measuring and Managing Information Risk: A FAIR Approach,” the book that laid the foundation for the FAIR standard. According to Freund, the manual nature of FAIR adoption is a legitimate criticism.
“I think there’s some truth to that. I’ve struggled myself with this because it’s difficult to pay enough people to click and type your way to getting all the different types of a FAIR analysis you might need,” Freund said, during a recent interview with the ThreatConnect Podcast.
“I think there’s definitely a space for people to say, ‘Okay, I like FAIR. I think it makes sense, but let’s go ahead and find a way to automate this and to sort of pull in a bunch of data crunched up together and then spit it out the other side in seconds.’ I think there’s definitely a need for that,” said Freund.
The Benefits of Automating Cyber Risk Quantification
The requirement to automate the quantitative process, to map to FAIR but make it better, could not be more urgent. Cyber risk quantification (CRQ) is an industry in its infancy, but it is critical to improving the way cybersecurity actually works. But if we continue to allow organizations to drown in the complexity and cost of leveraging FAIR, that could spell disaster for the fledgling CRQ market and would amount to a major setback for cybersecurity as a whole.
At ThreatConnect, our Risk Quantifier solution is designed to drive complexity, time and cost out of the CRQ process. We deliver a decision support system that operates in real time rather than waiting for lengthy interviews, training and manual reviews. It is also supported by a threat intelligence platform (TIP) that injects real-world threat actor analysis into your risk models, and security orchestration, automation and response (SOAR) to turn that intelligence into action throughout your existing security infrastructure.
Listen to the latest ThreatConnect Podcast: Improving Upon The FAIR Standard’s Time-to-Value
Our Risk-Threat-Response (RQ, TIP & SOAR) approach to automating the CRQ process provides for:
Proactive Risk Modeling and Prediction
- Leverage existing data to map a forensic view of the unified risk environment. You can use that data to model probable attack vectors against the entire security lifecycle in key areas of your business to predict loss exposure and business impact, so you stay ahead of unacceptable losses.
- Business Benefit? C-Suite leaders and board members can clearly see potential hazards, narrow the focus to the risks that matter most and better understand the need to fund and support specific mitigation measures.
Establish a Baseline, Mitigate and Monitor for Changes
- Monitor changes to the threat landscape built into your modelling and then assess the potential of those changes to cause your business harm.
- Business Benefit? Armed with metrics like business interruption, reputational damage, and legal fines, leaders can proactively escalate security initiatives.
Recommend and Drive Smart Action
- Activate risk mitigation plans with recommended security controls to reduce loss exposure. Engage the entire security team in response to the risks that matter most, automate workflows to increase efficiency and use orchestration to integrate your technology stack.
- Business Benefit? Calculate the return-on-investment of your security tools and technologies by demonstrating risk reduction to underpin budget proposals and defend security decisions.
“We say, ‘make quantification simpler, make it faster, make it more reliable and based on real world threats’,” said Ward. “We make it easy — not a year of organizational disruption and a massive upfront investment, but months, even weeks, to see the big picture. The FAIR proposition to chief information security officers (CISOs) can’t be to hire more experts, add more complexity, spend hundreds of thousands of dollars on professional services, and spend a year or more building a system. That’s just an untenable position for most CISOs.”