How to Provide Transparency
In the 2010s, the organization was primarily US-based, with an employee presence in many countries. This US-based intranet had a few portals to the internet but was otherwise an isolated network with segments that served literally hundreds of buildings or campuses across the US. All other locations accessed the intranet by connecting through the perimeter. Over time, selected organization buildings at international locations were connected to the intranet.
The criteria for approving an international connection to the organization intranet included business and security considerations. The dominant element in the security criteria was country threat, which was subjectively understood by security personnel, particularly those involved in investigative support. But there was no means to objectively define the threat to executives. Frustration and anger were common.
By this time, I had been studying and using FAIR for several years. My partner in the International organization had become aware of a variety of country rating systems. This spawned the question: can multiple country rating systems be combined and weighted to provide a transparent country threat rating?
The solution had three elements. First, all sources had to be normalized to a 0-100 score. Second, each rating was aligned with one of the FAIR taxonomy elements related to threat, specifically Threat Event Frequency (emphasizing Probability of Action) and Threat Capability. Finally, the elements were given weights, recognizing that some had a stronger correlation to threat than others. Organization ratings that informed this analysis were also incorporated. The result was displayed as a sorted list of threat ratings; those below a threshold could be allowed to connect to the intranet. While executives who were told no were still not happy, the method made the decision process transparent, thus eliminating surprises.
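The three steps above can be sketched in code; this is an added example, not the organization's actual model. The source names, native scales, weights, threshold and country data are all constructed. The weighted-average formula, the inversion of "higher is safer" scales, and the rescaling of weights when a source is missing are assumptions that go beyond what the text specifies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Source:
    name: str              # hypothetical rating system
    lo: float              # bottom of the source's native scale
    hi: float              # top of the source's native scale
    higher_is_worse: bool  # False when a high native score means "safer"
    fair_element: str      # "TEF" or "TCap"
    weight: float          # relative correlation to threat (assumed)

# Constructed sources, scales and weights; not the organization's real inputs.
SOURCES = [
    Source("corruption_index", 0, 100, False, "TEF", 0.30),
    Source("cybercrime_rank", 1, 5, True, "TEF", 0.20),
    Source("tech_capability", 0, 10, True, "TCap", 0.35),
    Source("internal_rating", 1, 4, True, "TCap", 0.15),
]

def normalize(src, raw):
    """Map a native rating onto 0-100, where 100 is the highest threat."""
    if not src.lo <= raw <= src.hi:
        raise ValueError(f"{src.name}: {raw} outside {src.lo}-{src.hi}")
    score = 100.0 * (raw - src.lo) / (src.hi - src.lo)
    return score if src.higher_is_worse else 100.0 - score

def rate(ratings):
    """Weighted overall score plus per-FAIR-element scores.
    Sources a country lacks are skipped and the remaining weights rescaled."""
    sums = {}  # element -> [weighted score sum, weight sum]
    for src in SOURCES:
        if src.name in ratings:
            acc = sums.setdefault(src.fair_element, [0.0, 0.0])
            acc[0] += src.weight * normalize(src, ratings[src.name])
            acc[1] += src.weight
    if not sums:
        raise ValueError("no usable ratings")
    overall = sum(a[0] for a in sums.values()) / sum(a[1] for a in sums.values())
    return round(overall, 1), {k: round(a[0] / a[1], 1) for k, a in sums.items()}

def rank(countries, threshold):
    """Rows of (country, score, per-element scores, allowed), lowest threat first."""
    rows = sorted(((c, *rate(r)) for c, r in countries.items()), key=lambda x: x[1])
    return [(c, s, e, s < threshold) for c, s, e in rows]

# Constructed sample data with placeholder country names.
SAMPLE = {
    "Country A": {"corruption_index": 80, "cybercrime_rank": 2, "tech_capability": 3, "internal_rating": 1},
    "Country B": {"corruption_index": 30, "cybercrime_rank": 4, "tech_capability": 8, "internal_rating": 3},
    "Country C": {"corruption_index": 55, "tech_capability": 5},  # two sources missing
}
```

Calling `rank(SAMPLE, 50)` returns the sorted list with the per-element breakdown alongside each overall score, so a reviewer can see which FAIR element drove a country above or below the threshold.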