As usual, all the posts in this series can be found on this page if you want a refresher or are just now jumping on the bandwagon.

In the last post in this series, a very, very long time ago, we took a look at Threat Event Frequency (TEF). In its simplest form, TEF is how often a threat event happens.

We are now going to take a look at the other component of Loss Frequency (LF), Vulnerability. However, this is not how we normally think of vulnerability.

From the Introduction, Vulnerability is:

The probability that an asset will be unable to resist the actions of a threat agent.

This is quite different from how we normally define vulnerability as information security professionals. We usually view vulnerability as a specific weakness in a system or application. In FAIR, vulnerability is an inverse measure of the ability of an asset to protect itself against the efforts of a threat agent.

A high probability means that the asset will likely be compromised and a low probability means that the asset will be able to effectively resist. You have to let that one percolate for a bit.

Vulnerability is made up of two factors, and here we diverge a bit from the Introduction. Both the Introduction and the Open Group Risk Taxonomy use Control Strength and Threat Capability as the factors of Vulnerability. Jack has since modified this slightly. Threat Capability (TCap) is still used, but Control Strength has been changed to Resistance Strength (RS). Let's talk about both of these for a second.

Resistance Strength is the probability that an asset can resist a baseline measure of force. Let's say I have a gate that keeps people from coming onto my property. Someone on a bicycle would be kept out, but someone in a Mini Cooper wouldn't. We would probably say that the Resistance Strength at that point is pretty low. Replace that flimsy gate with a door to rival those protecting the installation in Cheyenne Mountain and our Resistance Strength goes through the roof.

Threat Capability is just what it sounds like: how capable are the evildoers attempting to compromise my asset? Are they riding bicycles or driving Abrams tanks?

Putting the two together, Resistance Strength and Threat Capability, gives us Vulnerability. For instance, take that super strong door we were talking about. There is a very high probability that the door will be able to resist a baseline or average level of force. How about the evil dude on the bicycle? His Threat Capability is very low. Combining the two gives us a very low probability that the asset will be unable to resist the threat agent, i.e. we're going to be just fine.
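To put some numbers on the door-and-bicycle story, here is a small Python sketch. It is my own added illustration, not code from the FAIR Introduction or the Open Group taxonomy, and it makes a couple of assumptions the post doesn't spell out: Resistance Strength and Threat Capability are each given as a (minimum, most likely, maximum) estimate on a common 0-100 scale, sampled from a triangular distribution, and Vulnerability is taken as the fraction of samples in which Threat Capability beats Resistance Strength. The Loss Frequency helper simply multiplies TEF by Vulnerability, the FAIR relationship the next post is going to cover; TEF is taken as a given input here.

```python
import random
from typing import Tuple

# A calibrated estimate as (minimum, most likely, maximum) on a 0-100 scale.
# Assumption (mine, not from the post): both Resistance Strength and Threat
# Capability are read as percentiles of the overall threat population, so an
# RS of 90 means the asset resists everything the weakest 90% of that
# population can throw at it.
Estimate = Tuple[float, float, float]

# Constructed scenarios matching the post's analogies.
STRONG_DOOR = (80.0, 90.0, 98.0)   # Cheyenne Mountain door
FLIMSY_GATE = (5.0, 15.0, 30.0)    # gate that stops a bicycle, not a car
BICYCLE = (5.0, 15.0, 30.0)        # low Threat Capability
MINI_COOPER = (40.0, 55.0, 70.0)   # enough to push through the flimsy gate


def vulnerability(rs: Estimate, tcap: Estimate,
                  samples: int = 100_000, seed: int = 1) -> float:
    """Estimate Vulnerability = P(asset is unable to resist the threat agent).

    Both factors are sampled from triangular distributions built from their
    (min, most likely, max) estimates; Vulnerability is the share of samples
    in which Threat Capability exceeds Resistance Strength.
    """
    rng = random.Random(seed)  # fixed seed so the estimate is reproducible
    failures = 0
    for _ in range(samples):
        # random.triangular takes (low, high, mode)
        resistance = rng.triangular(rs[0], rs[2], rs[1])
        capability = rng.triangular(tcap[0], tcap[2], tcap[1])
        if capability > resistance:
            failures += 1
    return failures / samples


def loss_event_frequency(tef: float, vuln: float) -> float:
    """Loss Frequency = Threat Event Frequency x Vulnerability.

    TEF is taken as given here (e.g. 12 threat events per year).
    """
    return tef * vuln


if __name__ == "__main__":
    for label, rs, tcap in [
        ("strong door vs. bicycle", STRONG_DOOR, BICYCLE),
        ("flimsy gate vs. Mini Cooper", FLIMSY_GATE, MINI_COOPER),
        ("flimsy gate vs. bicycle", FLIMSY_GATE, BICYCLE),
    ]:
        v = vulnerability(rs, tcap)
        print(f"{label}: Vulnerability {v:.2f}, "
              f"LF at 12 threat events/yr = {loss_event_frequency(12, v):.2f}")
```

The three scenarios show the shape of the thing: when the two estimate ranges don't overlap at all, Vulnerability comes out as 0 (the strong door shrugs off the cyclist) or 1 (the Mini Cooper goes straight through the flimsy gate). When the ranges are identical, it sits at about 0.5. The interesting cases in a real assessment are the partial overlaps in between, which is exactly where the quality of your calibrated estimates for RS and TCap starts to matter.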

Next time we are going to take a quick look at how Threat Event Frequency and Vulnerability define Loss Frequency, and then we will start on the Probable Loss side of the Risk equation.

As always, please leave a comment or send me a note at kriggins@infosecramblings.com with your thoughts.




Well, there I go again, I keep saying I am going to get back to it and then leave you hanging. No real excuse this time other than being mondo busy.

As usual, all the posts in this series can be found on this page if you want a refresher or are just now jumping on the bandwagon.

Anyway, last time we started talking about the taxonomy and the definition of risk from FAIR's perspective. As mentioned, we are going to leave those alone for a bit. We are going to build the taxonomy from the ground up. So, without further ado, here is where we are starting.

Threat Event Frequency

We start with the first component of Loss Frequency, which is threat event frequency (TEF). From the introduction, threat event frequency is:

The probable frequency, within a given timeframe, that a threat agent will act against an asset.

In other words, how many times within some amount of time will the bad guy try to do something evil to our treasured asset? This is important to know in determining how often we might actually suffer a loss.

So, to figure out the "how many in how much" part of the equation, we need to look at a couple of things: contact and action. However, we are not talking about binary definitions here, such as "was there contact or not."

First let's talk contact. From the introduction, contact is:

The probable frequency, within a given timeframe, that a threat agent will come into contact with an asset.

There are three kinds of contact we want to consider: random, regular, and intentional. Is contact the result of just random chance, or is there some regularity to it? We are also really interested in whether the contact is intentional or not. Is the bad guy looking specifically for the types of treasure we have, or are we a target of opportunity?

Now action. From the introduction, action is:

The probability that a threat agent will act against an asset once contact occurs.

Again, we want to look at three things: asset value, vulnerability, and risk. Is it worth it to the bad guy to try something, i.e. is the value of the asset high enough? How vulnerable does the bad guy perceive the treasure to be? Our treasure is much less vulnerable sitting in a bank vault than it is sitting unwatched on a table in a crowded room. Finally, what is the risk to the bad guy? How likely is he to get caught if he tries to make contact?

All these factors must be taken into consideration when we are thinking about threat event frequency.

Next we will explore the other half of loss frequency, vulnerability. I'll tell you right now that it is not what you think it is, unless, of course, you are already familiar with the FAIR Taxonomy. :)

As usual, drop me a note or leave me a comment with your thoughts.



First, I apologize for the long absence of any further posts in this series. I am sure everybody thought I had decided not to continue. Not the case. With the presentation at Secure360, a bathroom remodel and life in general getting in the way, I didn't take the time to keep on top of this series.

Anyway, let's dive back in. All the posts in this series can be found on this page if you want a refresher or are just now jumping on the bandwagon.

In the last post I said we were going to talk a little more about assets, but we are not. We are going to start in on the taxonomy and pick up those words about assets a little later. First, what in the world is a taxonomy? I asked myself this question late last year.

From Wikipedia:

...In addition, the word is also used as a count noun: a taxonomy, or taxonomic scheme, is a particular classification ("the taxonomy of ..."), arranged in a hierarchical structure. Typically this is organised by subtype-supertype relationships, also called parent-child relationships...

At the top of a taxonomy is the item being represented. I guess that means we should define exactly what we are building this taxonomy for. One would think I'd have gotten to this a bit earlier. Apparently not :) Okay. Here we go. Let's define RISK.


From the introduction:

Risk - The probable frequency and probable magnitude of future loss

If risk is defined as above, then the very top of our taxonomy looks like this:


Starting with the next post, we will begin to build out the rest of the taxonomy. However, we are going to start from the bottom.

As always, I am interested in what you have to say. Please leave comments or email me if you like. My email address is on the about page.



This is the presentation I gave at Secure360 2009 titled "Measuring and Communicating Risk using Factor Analysis of Information Risk (FAIR)."

As always, I am interested in your feedback.



Speaking at Secure360

by kriggins on March 16, 2009

in Announcement, Conferences, fair, Risk Management

I am really excited. I will be speaking at Secure360. The conference takes place on May 12th and 13th in St. Paul, Minnesota. I will be speaking in the afternoon on the 13th.

From the Secure360 website:

The Upper Midwest Security Alliance (UMSA) serves business, government, and education professionals in the Twin Cities and surrounding areas. The Secure360 conference is the primary mission of UMSA. The annual event is a unique opportunity to explore the latest threats and opportunities in enterprise risk management.

The title of my talk is "Measuring and Communicating Risk with Factor Analysis of Information Risk (FAIR)."



Exploring F.A.I.R – Assets Redux

by kriggins on February 26, 2009

in fair, Risk Management

So, to revisit the post which sparked the last few, let's talk about assets. Before we get started though, just a reminder that all the posts in this series can be found on this page.

And now, on with the show. We have described the organization for which we are performing the assessment. We have also described, to a certain extent, the architecture of the system involved.

Again, we are going to take things in a little different order than presented in the Introduction to FAIR. The first thing we are going to look at is asset. From the introduction:

Any data, device, or other component of the environment that supports information-related activities, which can be illicitly accessed, used, disclosed, altered, destroyed, and/or stolen, resulting in loss.

With this definition in mind, why don't we make a list of the assets we might be concerned about.

  • Bandwidth
  • Hardware (Servers, routers, switches, firewalls, etc.)
  • Services (Web services and database services)
  • Information (Tax code and tax rates)

The bandwidth is an asset because evildoers on the internet need a way to spread their evil. They would much prefer to use our bandwidth than pay for their own.

The hardware is an asset because someone might want to steal it or run their own software on it.

The services provided are an asset for similar reasons. The evildoers need places to put the stuff they want to spread, or a place to stash the stuff they have already taken elsewhere.

The information is an asset because...well...it's why the rest of the stuff is there in the first place :) Seriously, information is always an asset. As discussed in the first post on assets, it likely doesn't matter if the information is classified as public or not. The integrity and availability of that public information can be very important.

For instance, in our case, the information defines how much money a company will have to pay in taxes. If it is modified or deleted, it can have a serious effect on the revenue of the state.

Ideally, we would perform a risk analysis for each asset "class" above and incorporate all the results into our risk assessment. For our purposes though, we are going to concentrate on just one, the information.

In the next post in this series we will take a look at threats and threat agents.

As always, please let me know your thoughts in the comments.

