<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Exploring F.A.I.R &#8211; Assets Redux</title>
	<atom:link href="http://www.infosecramblings.com/2009/02/26/exploring-fair-assets-redux/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infosecramblings.com/2009/02/26/exploring-fair-assets-redux/</link>
	<description>ramblings on various information security topics</description>
	<lastBuildDate>Tue, 07 Feb 2012 23:34:55 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: domdingelom</title>
		<link>http://www.infosecramblings.com/2009/02/26/exploring-fair-assets-redux/#comment-2983</link>
		<dc:creator>domdingelom</dc:creator>
		<pubDate>Tue, 28 Jul 2009 14:28:13 +0000</pubDate>
		<guid isPermaLink="false">http://www.infosecramblings.com/?p=756#comment-2983</guid>
		<description>Kevin,

while reading through this ... I kinda disagree with the reasons why the assets are assets. Does it make sense?

An example: to me, the bandwidth is not an asset because some evildoer might want to use it but because it supports the delivery of the information to our users. Any impact on this will lower our capability to deliver the intended service at the intended quality level.

Just my 2 cents ... I might as well correct myself when I totally grasp F.A.I.R!</description>
		<content:encoded><![CDATA[<p>Kevin,</p>
<p>while reading through this ... I kinda disagree with the reasons why the assets are assets. Does it make sense?</p>
<p>An example: to me, the bandwidth is not an asset because some evildoer might want to use it but because it supports the delivery of the information to our users. Any impact on this will lower our capability to deliver the intended service at the intended quality level.</p>
<p>Just my 2 cents ... I might as well correct myself when I totally grasp F.A.I.R!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: kriggins</title>
		<link>http://www.infosecramblings.com/2009/02/26/exploring-fair-assets-redux/#comment-603</link>
		<dc:creator>kriggins</dc:creator>
		<pubDate>Sun, 08 Mar 2009 21:43:41 +0000</pubDate>
		<guid isPermaLink="false">http://www.infosecramblings.com/?p=756#comment-603</guid>
		<description>Hi Phil,

Thank you for the comment and the suggestion of creating a data flow diagram. While not a new concept to me, the formal representation of data flows is something that I have not spent a great deal of time exploring.  I now consider that a deficiency in my skill set. Thanks for giving me more to study and a great idea for another blog post, if not series. 

That being said, you are correct that in a real world scenario we would be headed straight for a nice threat modeling session. For this particular series though, my main goal is to explore the terminology and methods provided by FAIR for analyzing risk. To that end, I have a particular set of threats that we will be looking at that will let us put FAIR to work. We will be looking at data flows, but in a very informal method. This may not be the best choice, but I believe we can get where we want to go.

That being said, I appreciate your thoughts and suggestions.  I particularly agree with the thought you express regarding objectively quantifying our spend.

-Kevin</description>
		<content:encoded><![CDATA[<p>Hi Phil,</p>
<p>Thank you for the comment and the suggestion of creating a data flow diagram. While not a new concept to me, the formal representation of data flows is something that I have not spent a great deal of time exploring.  I now consider that a deficiency in my skill set. Thanks for giving me more to study and a great idea for another blog post, if not series. </p>
<p>That being said, you are correct that in a real world scenario we would be headed straight for a nice threat modeling session. For this particular series though, my main goal is to explore the terminology and methods provided by FAIR for analyzing risk. To that end, I have a particular set of threats that we will be looking at that will let us put FAIR to work. We will be looking at data flows, but in a very informal method. This may not be the best choice, but I believe we can get where we want to go.</p>
<p>That being said, I appreciate your thoughts and suggestions.  I particularly agree with the thought you express regarding objectively quantifying our spend.</p>
<p>-Kevin</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Phil Agcaoili</title>
		<link>http://www.infosecramblings.com/2009/02/26/exploring-fair-assets-redux/#comment-587</link>
		<dc:creator>Phil Agcaoili</dc:creator>
		<pubDate>Sat, 07 Mar 2009 09:41:52 +0000</pubDate>
		<guid isPermaLink="false">http://www.infosecramblings.com/?p=756#comment-587</guid>
		<description>You started with a network diagram. 

I suggest that you create a data flow diagram (DFD) and then map out how the data flows.

You&#039;re headed one step away from Threat Modeling, so you might as well take the leap. This may shed some different light on your current effort. Reach out to Michael Howard for the most recent and refined approach.

I&#039;m interested in where this is headed. I judged an Information Security award a couple years back, read Jack&#039;s information about FAIR and it sparked my curiosity then, and our industry is headed towards objectively quantifying our spend in order to protect our companies and I&#039;ve not seen concrete analysis anywhere in the Infosec space for how to accomplish this. ROSI does not work and TCO is just counting up the spend, and CFOs want to know ROI.

Thanks,
Phil Agcaoili</description>
		<content:encoded><![CDATA[<p>You started with a network diagram. </p>
<p>I suggest that you create a data flow diagram (DFD) and then map out how the data flows.</p>
<p>You're headed one step away from Threat Modeling, so you might as well take the leap. This may shed some different light on your current effort. Reach out to Michael Howard for the most recent and refined approach.</p>
<p>I'm interested in where this is headed. I judged an Information Security award a couple years back, read Jack's information about FAIR and it sparked my curiosity then, and our industry is headed towards objectively quantifying our spend in order to protect our companies and I've not seen concrete analysis anywhere in the Infosec space for how to accomplish this. ROSI does not work and TCO is just counting up the spend, and CFOs want to know ROI.</p>
<p>Thanks,<br />
Phil Agcaoili</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: kriggins</title>
		<link>http://www.infosecramblings.com/2009/02/26/exploring-fair-assets-redux/#comment-524</link>
		<dc:creator>kriggins</dc:creator>
		<pubDate>Fri, 27 Feb 2009 21:22:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.infosecramblings.com/?p=756#comment-524</guid>
		<description>Hi Jack,

Thank you for the comment and the very good point you make. 

Kevin</description>
		<content:encoded><![CDATA[<p>Hi Jack,</p>
<p>Thank you for the comment and the very good point you make. </p>
<p>Kevin</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jack</title>
		<link>http://www.infosecramblings.com/2009/02/26/exploring-fair-assets-redux/#comment-522</link>
		<dc:creator>Jack</dc:creator>
		<pubDate>Fri, 27 Feb 2009 18:10:58 +0000</pubDate>
		<guid isPermaLink="false">http://www.infosecramblings.com/?p=756#comment-522</guid>
		<description>Hi Kevin,

Just wanted to add that, although information is virtually always an asset, it also can be (at the same time) a liability.  For example, the sensitive personal information that allows us to service our customers also represents potential loss through the legal and contractual obligations that come with having it.  This is probably intuitively obvious to everyone who reads your stuff, but it isn&#039;t often distinguished effectively in risk analyses.  By making the distinction, it&#039;s a bit easier to clarify and better estimate the loss potential within a scenario.

Thanks!
Jack</description>
		<content:encoded><![CDATA[<p>Hi Kevin,</p>
<p>Just wanted to add that, although information is virtually always an asset, it also can be (at the same time) a liability.  For example, the sensitive personal information that allows us to service our customers also represents potential loss through the legal and contractual obligations that come with having it.  This is probably intuitively obvious to everyone who reads your stuff, but it isn't often distinguished effectively in risk analyses.  By making the distinction, it's a bit easier to clarify and better estimate the loss potential within a scenario.</p>
<p>Thanks!<br />
Jack</p>
]]></content:encoded>
	</item>
</channel>
</rss>