How to quantify risk to your information so you can manage it better


You can’t manage what you can’t measure. That’s the idea behind a professional association known as the Factor Analysis of Information Risk (FAIR) Institute. The group seeks to advance quantitative measurement and management of risk to information, including in federal organizations. To learn more about what information keepers need to know, the Federal Drive with Tom Temin spoke with the founder of the FAIR Institute, Nick Sanna.

Interview Transcript: 

Tom Temin Fair to say, no pun intended, that most organizations assess their information risk by what comes out on Patch Tuesday or what they read from reports coming from CISA and organizations like that, but not perhaps as scientifically as they might. Is that a good way to put it?

Nick Sanna I think it’s a good way of putting it. I think as a profession, for many years, we have abided by a compliance mentality. There is an attack, there’s a new way of trying to thwart that attack. And so we come up with this list of cybersecurity issues that you need to implement to be safe. But that hasn’t worked very well, because a lot of those measures are implemented out of context. And what we’re missing is a real understanding of the risk that we are facing and what are the correct measures that are needed to implement to face that specific risk, which may change from attack to attack. And so what we’ve been missing in the industry is a risk-based view of the problem, and we have been stuck with a compliance view which didn’t get us more secure in many cases.

Tom Temin And maybe just briefly describe what are the ways to approach getting a risk assessment that is based on quantitative assessment? What are the measures people need to have so that they know what the risks really are?

Nick Sanna Yeah, that’s a very good question. To put things in context, let’s start with a basic definition of what risk is according to this FAIR standard. So you only have risk when there’s a probability of a loss event. And so when there is an asset of value, you have a threat touching this asset, and a threat, you know, action, threat actors’ actions onto the asset result in a material damage to the business. And the damage could be in the form of loss of productivity, progress of liability, reputational loss, and many different damages. And so a control deficiency, which oftentimes we point to as a source of a problem, can be related to a risk if it’s in context of an asset of value and there’s a threat action there. In abstraction, it’s not. And so having the context of the value of the estimate threat activity in a potential impact is what defines the risk.

Tom Temin All right. And how do you put quantities on different risks such that you can manage them better and deploy your cybersecurity resources in a way that mitigates the top risks?

Nick Sanna That’s a very good question as well. And so once we have defined scenarios in which bad things can happen, so what is a threat actor? What is the asset? What is the impact? You can start looking then at how many times can this happen and what the impact is. And so you think of risk measure being the effect of the likelihood. How many times can this event happen in your organization and what is the impact? So frequency and impact is basically the very basic formula by which you would measure risk.

Tom Temin In other words, it’s an engineering approach to thinking about risk.

Nick Sanna Well, I would say more of an accounting approach to, say, measuring risk. Because risk should be, kind of, say, a financial discipline. In cyber, for many years we spoke of risk in technical terms, which was, I would say, a piece of it. It was incomplete. And we’re turning what used to be a technical discipline into a business discipline by taking in the technical factor, by putting it in business context and turning it into an actuarial science, which it should be.

Tom Temin So in other words, you look at it almost not as an engineer, but maybe as an insurer would look at risk.

Nick Sanna An insurer or, I would say, a financial accountant. You know, in many organizations, you know, there’s many forms of risk. In large corporations, they think about market risk, credit risk, some form of operational risk. And cyber should be seen in the same way. How many times can this bad event happen and what is the impact and how can we measure the effectiveness of a security measure in terms of reducing that risk and finding the ROI? Like any business decision, you want to see the return on investment. And so what is the baseline risk and what is the capacity of the security measure in reducing either the frequency or the impact or both? There should be an accounting and a financial exercise, and like any technical discipline, you know, you need to have a business certification that goes along with it, and that’s what models like FAIR provide.

Tom Temin We’re speaking with Nick Sanna, who is the founder of the FAIR Institute. And in your experience, how mature are federal operators, federal agencies with respect to quantifying their risks to information? Because they should talk about it a lot and spend a lot of money on it. And as you say, you know, the breaches and the losses nevertheless continue to happen.

Nick Sanna I think in the federal government we have very strong aspirations to manage cybersecurity from the risk perspective in an effective way. But unfortunately, we revert many times and to be confined to checklists. So if you look at many regulation executives on cybersecurity tell you inspector generals when they assess the readiness of your cybersecurity operation, they will definitely be very pleased or looking at your risk-based approach. But if you apply the checklist and tell me readiness checklist, that’s okay, too. So people fall into the easy check-the-box type of compliance and shy away from what they feel is a bit more advanced or more obscure in their case. In many cases, you know, or more they feel they are less mature in assessing risk and so they fall back on a compliance approach which gets them a pass, you know. But it forces many agencies, unfortunately, into a setup where they’re doing a lot of technical compliance work without a context of risk necessarily, you know, because they’re going down the list and not necessarily focusing resources more on assets that are of value or, you know, that are more, can I say, more impactful to the organization. And so, again, very strong aspirational goals. But from the tooling perspective, we’re still stuck with checklists. We don’t have advanced, can I say, assessment models. I think there is an aspiration from both the White House and CISO to change that picture, but it’s still in becoming.

Tom Temin And you have this discipline known as factor analysis of information risk. Where should that skill lie? Should it be in the CIO organization? Should it be in the program management? Should it be at the agency deputy director for management level? I mean, who should have this kind of skill?

Nick Sanna That’s a fantastic question. In most organizations that we are now working with, that skill oftentimes should be in the CISO office, you know, the office of the Chief Information Security Officer. They are most often tasked with assessing risk, you know, to meet the number of regulatory requirements and also provide the business an understanding of what security measures they should implement. But it should be a specific function that is separate from security operations. Operations is meant to secure the organization, but risk management should be a branch under the CISO that is tasked with assessing and prioritizing those risks so that we can then direct the operations, you know, to focus on what matters. Think of it as like another line of defense, a second line of defense. You know, you have the troops in the front. They engage the threat actors day to day, trying to secure the organization by implementing better security measures. But you need also the generals on the hill that assess the battlefield and say we have a high priority here. This is the significance. Apply more resources there and price accordingly. So you need both. You need security operations, but also you need a strong risk management function that doesn’t just do compliance.

Tom Temin It strikes me that, you know, because everyone says, well, we never have enough money to do everything we want in order to get the funds or get approval for the funds, you really need to mitigate risk. Speaking in terms of quantitative analysis of what the risk is and therefore this is what we need, makes a much better case to the funders and the financial people than simply saying, well, you know, we’re worried about this or that.

Nick Sanna Absolutely. The number one method today for prioritizing, you know, security issues in the government is oftentimes the age of a security finding. I asked him how you do it. Well, we have a checklist of compliance. Every day we find findings of noncompliance. We go down the list. And in doing so, they don’t focus on what matters. And they tell me, Nick, it’s a never-ending battle because the number of findings that we can resolve is smaller than the findings we get every day. So you’re never going to catch up. And so the only way to catch up is, as you said, prioritize what matters, identify the assets of a significance, are at threat and focus on what’s most at risk and prioritize. And so in a context where we cannot do everything, focus on what matters most and be at peace with that because you’re addressing the biggest bars or risk versus the smallest ones, you know. And it’s almost like, if I can use an analogy, oftentimes we spend our security budget like peanut butter on toast, you know, evenly. And what we should probably do is apply more, can I say, peanut butter where it matters most and less elsewhere. And by not focusing on what matters more, we give the kind of, say, the threat actors an advantage. They know what to focus on to going after high priced assets. And so we cannot afford being distracted and doing busy work and not focus on what matters most.

Copyright © 2024 Federal News Network. All rights reserved.