A FAIR Way from Fear, Uncertainty and Doubt
Organization executives started paying attention to computing security in the early 1990s. Digital networks had been established to support selective communication with suppliers, evolving to include massive digital product definition data. On one hand, executives expressed vague fears, uncertainty and doubt about the potential for data loss, yet at the same time they challenged the costs of proposed security control improvement projects. The typical security executive presentation at least introduced the idea of a scale balancing security costs against the potential for loss, but relied on personal persuasion to gain support for projects.
The organization used a 5×5 risk grid for reporting schedule, cost and technical risk associated with projects. Placement of a “risk” on the grid was the subjective judgement of a project manager, with adjustments to the status associated with a “risk mitigation” plan. The security function adopted the risk grid primarily because it was already recognized. While many organizations labeled any technical “vulnerability” finding or non-compliance as a risk, we used the grid to communicate only the primary risk scenarios for the organization. An example for illustration: theft of proprietary information by insiders. Note that the asset (proprietary information) and the threat agent (insiders) are specifically identified. While this focused attention on the few key risk scenarios, the lack of granularity in the 5×5 matrix made communicating progress on risk reduction impossible.
The FAIR methodology first came to my attention around 2010. I was attracted to the clarity provided by the FAIR taxonomy in understanding how to measure risk. However, the lack of a tool for performing a FAIR risk analysis stymied progress at the time. Fortunately, there are now several tools available to perform FAIR risk analyses.