For some time now we heard the story about quantitative risk management and why it is so much better than our old loss-times-probability, green-yellow-red approach. Even outside the financial community we are supposed to throw out our old heatmaps and replace them with value-at-risk predictions.
How many standardized and established methods are there for quantitative risk management today? 1, 2, 3, more? I´m not asking for another tool…
I´m thinking first and foremost of Factor Analysis of Information Risk (FAIR) when it comes to quantitative risk management. I believe that Jack Freund and Jack Jones did a fantastic job for explaining and promoting this methodology. Their book “Measuring and Managing Information Risk: A FAIR Approach” is my go-to book for this topic. Same is true for the FAIR Institute (www.fairinstitute.org) and FAIR-U / RiskLense (fairu.net) and their effort in promoting a better as well as more robust risk management.
So why the provocative title?
For example, let’s log into the FAIR-U tool to perform a web-based risk analysis. The “What´s New in FAIR-U” banner is from August 17th, 2018. No update since then?
The icons for some of the educational partners on https://www.fairinstitute.org/fair-university-curriculum are broken, a sure sign that nobody looked at this page for some time.
A quick search for “Factor Analysis of Information Risk” and “FAIR” at Webster University and George Mason University returned no results. UMass shows a hit, but it is a class from 2017: https://infosec.cs.umass.edu/content/infosec-690r-information-risk-management-0 . The link to Arizona State returns an “Error 403 – access denied”, GCU returns “Page Not Found”, and so on.
The local chapters listed at www.fairinstitute.org are still very US-centric. There is a local chapter in London that seems to consist of a single person. Paris has a local chapter with two people from a training and consulting house. That’s it for Europe!
The Open Group (opengroup.org) Security Forum manages and updates Open FAIR. Many of the documents in their library seem to be old, e.g. “THE OPEN GROUP CERTIFICATION FOR PEOPLE: OPEN FAIR™ PROGRAM CONFIGURATION” with a last update from April 2017. Their FAIR blog has a single, lonely entry from 2017.
The recent fun I had with installing Oracle Crystal Ball and RiskKit let to my question above: Am I right, am I wrong? What is your opinion when it comes to quantitative risk management standards outside of the regulated financial industry and their Basel III accord?
Jan Klingel
To bolster my argument: In 2016 (!) the US Comptroller of the Currency, the Federal Reserve System, and the Federal Deposit Insurance Corporation started an advance notice of proposed rulemaking (ANPR) to define and receive comments on an enhanced cyber risk management standard addressing five categories of cyber standards: Cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.
Section VII of the notice is titled “Approach to Quantifying Cyber Risk” and explicitly names FAIR and GQIM (a non-quantitative approach from CMU) as known methodologies. This should give people in the finance industry hope, right? Unfortunately, the rulemaking process is still in status “Proposed Rule Stage”, with the next milestone coming up on 10/00/2021 (no typo! I guess only a government system can allow a date like this).
Some people referenced the Cybersecurity Assessment Tool (CAT) from the US Federal Financial Institutions Examination Council (FFIEC) in their proposals. As Jack Jones from the FAIR Institute commented: „However, the tool itself, uses a qualitative scale (Least, Minimal, Moderate, Significant, Most) to determine risk vs. truly “measuring” risk in terms of dollars and cents.“. So it seems not everybody understood what the ANPR is asking for in section VII.
Another interesting fact: In its publication „Integrating Cybersecurity and Enterprise Risk Management (ERM)“ [NISTIR 8286] from last year the National Institute of Standards and Technology (NIST) mentions FAIR in chapter „Risk Analysis Types“ as a viable risk analysis methodologies – the only quantitative methodology.
NIST plans to present more details about these methodologies in the future: „A detailed consideration of risk analysis techniques, including worked examples, will be provided in a subsequent NIST publication.“. I am looking forward to this!
FAIR war ein wichtiger erster Schritt im Cyber-Risikomanagement, weil es abstrakte Risiken in konkrete Faktoren aufgliedert, die – im Idealfall – beobachtet und zur Risikoabschätzung genutzt werden können. Doch genau hier liegt das Problem:
🚨 Warum ist FAIR überholungsbedürftig?
– Falsche Annahmen über Angriffshäufigkeit: FAIR setzt eine feste und bekannte Obergrenze für die Anzahl der Angriffe voraus – eine Annahme, die in der Realität nicht haltbar ist. In der Praxis kann sich die Bedrohungslage abrupt verschärfen, z. B. durch Massenangriffe, neue Angreifer oder neue Angriffstechniken.
– Unpassende Verteilungen: FAIR nutzt PERT-Verteilungen für nahezu alles – doch gerade für Cyber-Angriffe ist das nicht realistisch. Eine plötzlich explodierende Angriffswelle wird von FAIR nicht adäquat abgebildet. Das Modell ist blind für diese kritische Situation.
– Probleme bei der Verwundbarkeitsbewertung: Das Modell stellt Angriff und Verteidigung als Kampf zweier PERT-verteilter Stärken dar. Doch wie genau soll man diese Verteilungen parametrisieren? FAIR bleibt hier rein spekulativ.
💡 Ein modernerer Ansatz für Cyber-Risiken
In Risk Kit gibt es eine Fallstudie, die diese Schwächen adressiert und ein realistischeres Modell zur Cyber-Risikobewertung vorstellt. Dieses Modell wird direkt mitgeliefert und in einem ausführlichen Video erläutert: 🎥 https://youtu.be/Oun8Dql1qKo?si=lOUFbE6nfC1xbaKD.
🌍 Von Einzelrisiken zu strategischen Clustern
Risk Kit geht noch einen Schritt weiter: Statt tausender einzelner Cyber-Risiken werden diese zu Risikoclustern verdichtet. Das macht sie kommunizierbar und strategisch nutzbar – etwa für das Enterprise Risk Management oder die Unternehmenssteuerung.
🚀 Das Ergebnis:
✅ Mehr Transparenz in der Cyber-Risikobewertung
✅ Bessere Integration in die Unternehmenssteuerung
✅ Realistische Modellierung mit praxisnahen Annahmen
📌 Mehr dazu: https://www.wehrspohn.de/produkte/risk-kit
Hallo Herr Wehrspohn,
vielen Dank für diese Sicht von Ihnen auf das Thema. Ich arbeite gerade privat mit einer Testlizenz Ihrer Software Risk Kit – vielen Dank dafür! Ich bin schon immer ein Fan von Risk Kit gewesen, auch wenn ich es beruflich nicht einsetzen kann.
Viele Grüße, Jan Klingel