By Bob Maley
In a mature risk management program, risk is usually defined in business terms (financial impact) and then measured against factors such as risk appetite (the defined dollar figure of risk that a company is willing to accept) and risk tolerance (the percent beyond the defined dollar amount that a company is willing to tolerate). However, many organizations have a hard time measuring third-party risk in these terms. This creates frustrations for both risk practitioners who want a more effective way to quantify results and business decision makers who want clear metrics in order to make more informed decisions.
Historically, resources have mostly been spent on qualifying this risk via questionnaires and risk scoring. Findings, which are often incredibly technical and complicated, are generally presented in heatmap style – red, orange, yellow, green – accompanied by a score, or letter grade like we do at Black Kite. For companies with third-party risk management (TPRM) programs that do this well, I commend you. Getting to this stage is an accomplishment. But how do you then quantify these findings to measure against risk appetite and risk tolerance? And how do you easily communicate to stakeholders how you’ve come to these conclusions?
Leveraging FAIR assessment at scale for TPRM helps attain the goal of cost effectively achieving and maintaining an acceptable level of loss exposure, while also clearly conveying the breadth of probable impact to the organization.
What is FAIR?
- Factor Analysis of Information Risk (FAIR) is the only international standard quantitative model for information security and operational risk. The model:
- Provides a model for understanding, analyzing and quantifying information risk in financial terms.
- Is unlike risk assessment frameworks that focus output on qualitative color charts or numerical weighted scales.
- Builds a foundation for developing a robust approach to information risk management.
- The FAIR model components are specifically designed to support risk quantification, through:
- A standard taxonomy and ontology for information and operational risk.
- A framework for establishing data collection criteria.
- Measurement scales for risk factors.
- A modeling construct for analyzing complex risk scenarios.
- The FAIR model analysis complements existing risk management frameworks by building on qualitative efforts in order to better quantify risk. Shortcomings in risk management frameworks include:
- Organizations such as NIST, ISO, OCTAVE, ISACA, etc. are useful for defining and assessing risk management programs, but go no further than those parameters.
- Most frameworks prescribe the need to quantify risk, but for the most part, they leave it up to the practitioners to figure that process out.
- Some are silent on the subject of how to compute risk, while others are open in the allowance of third-party methods.
- Frameworks such as NIST 800-30 attempt to measure risk, but fall short as they rely on qualitative (not quantitative) scales and flawed definitions.
FAIR helps fill the gaps in other risk management frameworks by providing a proven and standard risk quantification methodology that can be leveraged on other frameworks.
How Black Kite integrates and scales FAIR to quantify third-party risks
From a high level, technical data is used to feed FAIR calculations to achieve a data-based score. This technical score alone gives you an overall cyber-hygiene grade and is part of a greater risk assessment. But just because a company is assigned a certain grade does not necessarily mean that there is a high risk posed to your organization. A score alone lacks context related to business impact.
Through 3D Vendor [email protected] (SM) with FAIR a more useful probability can be calculated of the financial impact a vendor might make by using technical data, not just the score, in conjunction with other peer-related data. Such data can be garnered from research as the annual IBM/Ponemon study, Verizon Data Breach report, Black Kite’s ongoing monitoring of publicly announced breaches.
For example, a probability is calculated of the financial impact in the event that a vendor were to have a cyber incident occur in the next twelve months. The probability is below your risk appetite yet the technical score is a C-. Based on risk appetite, your business may decide that doing a deeper dive or committing more resources to requiring the vendor to improve their grade may not make good business sense. In another example, you might have a vendor with a B+ grade, yet that vendor shows a high probable financial impact. To further and more effectively limit risk and financial loss, you may want to conduct a deeper assessment, prioritize continuous monitoring, alerting on variance, etc. as part of ongoing third-party due diligence for this B+ vendor.
The Black Kite FAIR report gives you the guidance to assist you in making these types of decisions and also gives you the capability to tailor specific analysis where more complete data is available to you. You can easily and instantly update numerous indicators and data points to tailor the results for your vendors whenever more data becomes available.