In most organizations today, information assets are fundamental; hence, a lot of resources are invested in protecting them. However, the decisions management makes regarding the scope of those invested resources are based on partial information expressed in a “foreign” language – the language of technology. This potentially results in excessive investment in protecting less business-critical assets and insufficient investment in business-critical ones. A solution to this challenge lies in the ability to “translate” between business priorities and technology challenges.
Information risk analysis is a relatively new discipline, and too often information security risk decisions fall victim to one or both of the following fundamental problems: (1) the wrong people are making the decisions, because there is no clear decision as to who in the organization needs to manage the risk, what their responsibilities are and what is expected of them; this leads to unmet expectations and objectives, lack of executive management support, and priorities that don’t make business sense; and/or (2) decisions are made based on partial information, a partial understanding of the risk, and without seeing the organization as a whole, which generally results in spending on the wrong things, spending too much, or not spending enough.
Information provided from audits and security assessments often focuses heavily on control conditions and does not explicitly take into consideration stakeholders, asset value/liability, or threat conditions. The assessor may consider some informal “gut” inclusion of those factors, but unless inclusion is explicit, risk ratings tend to inflate — sometimes significantly. This risk inflation and the tendency to protect assets rather than stakeholder interests contribute significantly to overall cost-ineffectiveness.
Information-related risk is only one of many risk domains that management and the board of directors have to manage (e.g., market, insurance, investment, etc.). In complex business conditions and with limited resources, it becomes essential to strike an appropriate balance when deploying resources, so that the entire risk portfolio is managed in sync. This situation is basically a competition between risks, and the way to resolve it is by prioritizing on the basis of a common language (preferably monetary).
By definition, most CISOs are technology oriented and aren’t part of executive management, which implies that they don’t have a view into the entire risk portfolio and often enough don’t understand the organization’s risk tolerance, liabilities and business goals. On the other hand, only a few executives have a profound technical understanding of threats and technology controls. As a result, entrusting the CISO with information risk management requires that he have a deep understanding of the business elements. Entrusting this responsibility to the business executives (as is mostly done) requires that the technology people provide them with complete, clear, unbiased, and useful information about the threats, their possible implications and the available controls. That would ensure that decision making is risk informed rather than driven by panic or technological trends. Both cases require a common language and a clear understanding of roles and responsibilities.
The missing link is a common language that enables quantifying information risks in monetary values that are understood by all stakeholders.
One of the methodologies that provides an answer to this need is Factor Analysis of Information Risk (FAIR). FAIR is an easy-to-understand, effective methodology and toolset for risk analysis, risk management, root cause analysis and decision making. FAIR enables the organization to significantly improve its information risk management process by allowing risk reporting in monetary terms (as is customary with business risks), budget optimization, and a foundation from which to develop a scientific approach to quantitative information risk management.
FAIR’s quantitative capabilities enable a real understanding of “how much”: how much risk does X represent, how much less risk will we have if we do ABC, how much more (or less) effective is risk solution A than risk solution B? And since FAIR is quantitative (monetary), it is also very useful for the following:
· A basis for creating a prioritized work plan and budget based on monetary values
· Demonstrating due care to the stakeholders
· Enabling a clear view of liabilities and a baseline for negotiation with the insurer
FAIR can analyze any form of risk. It is agnostic, so it can analyze and compare risk issues of very different types, which allows management to determine what their highest priorities are and where to focus their resources.
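To make the “how much” questions above concrete, here is an added example (not from the original post and not FAIR’s official toolset) that applies FAIR’s basic factoring – Loss Event Frequency = Threat Event Frequency × Vulnerability, Annualized Loss Exposure = Loss Event Frequency × Loss Magnitude – to two constructed scenarios: the current state of an asset and the same asset after a control that lowers vulnerability. Each factor is given as a calibrated minimum / most-likely / maximum estimate and sampled as a triangular distribution in a Monte Carlo run, so the output is a distribution of annual loss rather than a single number. All scenario names, figures and the annual control cost are made up for illustration.

```python
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution.
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate   # Threat Event Frequency: threat events per year
    vuln: Estimate  # Vulnerability: probability a threat event becomes a loss event (0..1)
    lm: Estimate    # Loss Magnitude: loss per loss event, in currency units


def expected_ale(s: Scenario) -> float:
    """Point estimate: LEF = TEF x Vulnerability, ALE = LEF x Loss Magnitude."""
    return s.tef.mean() * s.vuln.mean() * s.lm.mean()


def simulate_ale(s: Scenario, trials: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo: sample each factor independently per trial and collect annual loss."""
    rng = random.Random(seed)
    samples = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * s.vuln.sample(rng)
        samples.append(lef * s.lm.sample(rng))
    samples.sort()
    return {
        "mean": statistics.fmean(samples),
        "p50": samples[len(samples) // 2],
        "p90": samples[int(len(samples) * 0.9)],
    }


def compare(base: Scenario, alt: Scenario, annual_control_cost: float) -> dict:
    """Answer 'how much less risk if we do ABC' in money, using the point estimates."""
    reduction = expected_ale(base) - expected_ale(alt)
    return {
        "risk_reduction": reduction,
        "net_benefit": reduction - annual_control_cost,  # positive => control pays for itself
    }


# Constructed inputs (not real data): a customer database before and after adding a control.
BASELINE = Scenario(
    name="customer DB, current state",
    tef=Estimate(3, 6, 9),                 # 3-9 credible attack attempts per year
    vuln=Estimate(0.2, 0.5, 0.8),          # roughly half of attempts succeed today
    lm=Estimate(50_000, 100_000, 150_000), # loss per breach
)
WITH_CONTROL = Scenario(
    name="customer DB, after control",
    tef=Estimate(3, 6, 9),                 # the control does not change attacker interest
    vuln=Estimate(0.05, 0.1, 0.15),        # but far fewer attempts succeed
    lm=Estimate(50_000, 100_000, 150_000),
)
CONTROL_COST = 90_000  # constructed annual cost of the control


if __name__ == "__main__":
    for s in (BASELINE, WITH_CONTROL):
        r = simulate_ale(s)
        print(f"{s.name}: expected ALE {expected_ale(s):,.0f}; "
              f"simulated mean {r['mean']:,.0f}, p50 {r['p50']:,.0f}, p90 {r['p90']:,.0f}")
    print(compare(BASELINE, WITH_CONTROL, CONTROL_COST))
```

The point estimates answer the budget question directly (risk reduction versus annual control cost), while the p50/p90 figures from the simulation show how wide the uncertainty is, which is what an executive comparing this against other portfolio risks actually needs. Swapping the loss magnitude estimate for a different asset lets the same code rank unrelated risks on a single monetary scale.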
On your next encounter with a risk-related decision – be it the renewal of a security product license, a strategy for securing a product/server/information asset, or any other decision that takes into account a threat to some asset – make sure you try out such a methodology and challenge yourself with a proper analysis of all the parameters.
We know we do that all the time…
One Comment
Nice work. I like your proposition. Reminds me of my Campus days using the statistic models. All the Best in Your Business.
2 Trackbacks
[...] Security Art « Risk Informed Decision Making [...]
[...] I suppose you have read Yoram’s earlier post about risk informed decision making, so I won’t elaborate on this for too long, nevertheless, we are often posed with the [...]