The Open Group Guide
The Open Group is a global consortium that enables the achievement of business objectives
through technology standards. Our diverse membership of more than 800 organizations includes
customers, systems and solutions suppliers, tools vendors, integrators, academics, and
consultants across multiple industries.
The mission of The Open Group is to drive the creation of Boundaryless Information Flow™
achieved by:
Working with customers to capture, understand, and address current and emerging
requirements, establish policies, and share best practices
Working with suppliers, consortia, and standards bodies to develop consensus and
facilitate interoperability, to evolve and integrate specifications and open source
technologies
Offering a comprehensive set of services to enhance the operational efficiency of
consortia
Developing and operating the industry’s premier certification service and encouraging
procurement of certified products
The Open Group publishes a wide range of technical documentation, most of which is focused
on development of Standards and Guides, but which also includes white papers, technical
studies, certification and testing documentation, and business titles. Full details and a catalog are
available at www.opengroup.org/library.
This Document
This document is The Open Group Open FAIR™ Risk Analysis Example Guide. It has been
developed and approved by The Open Group.
Chapter 2 provides two examples of Open FAIR risk analysis that are based on the same risk
scenario – the first example uses qualitative analysis tools that reference quantitative scales, and
the second example uses the Open FAIR™ Risk Analysis Tool with calibrated estimates used
for inputs. These analysis results are then compared. Chapter 3 develops a business case utilizing
results from an Open FAIR risk analysis, and provides examples of communicating Open FAIR
risk analysis results to decision-makers.
All other brands, company, and product names are used for identification purposes only and may
be trademarks that are the sole property of their respective owners.
The Open Group gratefully acknowledges the contribution of the following people in the
development of this document:
Joel Baese, Mosaic451
Steven Bradley, The SABSA Institute
Christopher T. Carlson, C T Carlson LLC (Principal Author)
Jack Freund, Cyber Assessments, Inc.
Apolonio (Apps) Garcia, HealthGuard
Mike Jerbic, Trusted Systems Consulting
Eva Kuiper, The Open Group Invited Expert (Primary Contributor)
Tyanna Smith, Trusted Systems Consulting
John Linford, Security & OTTF Forum Director, The Open Group
The Open Group gratefully acknowledges the Member organizations and their representatives of
The Open Group Security Forum who participated in the review of this document.
(Please note that the links below are good at the time of writing but cannot be guaranteed for the
future.)
ISO Guide 73:2009: Risk Management – Vocabulary; refer to:
https://www.iso.org/standard/44651.html
Problems with Scoring Methods and Ordinal Scales in Risk Assessment, D. Hubbard,
D. Evans, 2010, published by IBM Journal of Research & Development; refer to:
https://pdfs.semanticscholar.org/8c89/6b5700c801a512a91f17803299715858d23f.pdf
Risk Analysis (O-RA), Version 2.0, The Open Group Standard (C20A), November 2020,
published by The Open Group; refer to: www.opengroup.org/c20a
This standard provides a set of standards for various aspects of information security risk
analysis.
Risk Taxonomy (O-RT), Version 3.0, The Open Group Standard (C20B), published by
The Open Group, November 2020; refer to: www.opengroup.org/library/c20b
This standard defines a taxonomy for the factors that drive information security risk.
The Open FAIR™ Risk Analysis Process Guide (G180), January 2018, published by The
Open Group; refer to: www.opengroup.org/library/g180
This guide offers some best practices for performing an Open FAIR risk analysis. It aims
to help risk analysts understand how to apply the Open FAIR risk analysis methodology.
The Open FAIR™ Risk Analysis Tool Beta (I181), January 2018; refer to:
www.opengroup.org/library/i181
This tool can be used to perform a quantitative Open FAIR risk analysis as defined in The
Open Group Risk Analysis (O-RA) and Risk Taxonomy (O-RT) standards. It is provided
in the form of a Microsoft® Excel spreadsheet.
1.1 Objective
This document augments the Risk Analysis Methodology and Process section of The Open
Group Risk Analysis (O-RA) Standard by illustrating the four steps using an example scenario.
It demonstrates use of the Open FAIR™ Risk Analysis Tool that implements The Open Group
Risk Taxonomy (O-RT) Standard.
This document also provides examples of utilizing Open FAIR risk analysis results to inform
business decisions about proposed security changes. This component is a critical aspect of
determining the value of implementing controls or otherwise acting to prevent losses from
occurring or to mitigate losses when they occur.
This document is intended to be a living document. The sections are deliberately organized to
allow additional examples to be added easily as they are contributed/developed.
1.2 Overview
This document is intended to supplement the Open FAIR Body of Knowledge by providing
examples of Open FAIR risk analyses and informing business decisions about proposed security
changes. It is complementary to the Open FAIR™ Risk Analysis Process Guide, relying on the
Process Guide to describe how to complete an Open FAIR risk analysis.
[1] Refer to: https://www.nist.gov/cyberframework.
[2] ISO/IEC 27005:2018: Information Technology – Security Techniques – Information Security Risk Management; refer to: https://www.iso.org/standard/75281.html.
[3] ISO 31000: Risk Management; refer to: https://www.iso.org/iso-31000-risk-management.html.
This chapter contains the entirely fictional example [4] using a qualitative scale that was previously
found in the O-RA Standard, Version 1.0 and the O-RT Standard, Version 2.0. This example
was removed from these documents when the O-RA Standard was updated to Version 2.0 and
the O-RT Standard was updated to Version 3.0. [5]
The example scenario will first be analyzed qualitatively based on the risk matrices included in
the O-RA Standard, Version 1.0 and the O-RT Standard, Version 2.0. It will then be analyzed
quantitatively, using the Open FAIR Risk Analysis Tool and providing the assumptions and
rationale used for the included estimates. Finally, the qualitative results and the quantitative
results will be compared to demonstrate the value of an Open FAIR approach to risk analysis.
The example scenario used throughout these two analyses is the same:
A Human Resources (HR) executive within a large bank has her username and password written
on a sticky-note stuck to her computer monitor. These authentication credentials allow her to log
onto the network and access the HR applications she is entitled to use.
Both analyses utilize the stages described in the O-RA Standard, Version 2.0, beginning with
identifying the Loss Scenario before evaluating Loss Event Frequency (LEF), evaluating Loss
Magnitude, and finally deriving and articulating risk.
The scales in this example analysis are arbitrary but might act as a starting point for an
organization attempting to implement a quantitative process while still utilizing qualitative
scales – it is assumed that the decision-makers in this example have given approval to these
scales and understand the labels and ranges in them. The example qualitative scales are not
meant to offer standardized scales for organizations; rather, any qualitative scales used by an
organization (if the organization uses qualitative scales) should be adapted based on
organizational capacity for loss, management’s tolerance for loss, and management’s judgment
for the resulting qualitative values of Very High, High, Moderate, etc. when risk factors are
combined within risk matrices.
[4] This example is not based on any real-world scenario, but instead depicts a common potential scenario; any similarities to a real
scenario are entirely coincidental, and the example should not be interpreted as being typical of the banking sector.
[5] This chapter does not demonstrate implementing a control; rather, it merely presents the status quo analysis both qualitatively and
quantitatively to demonstrate their differences. Chapter 3 demonstrates changes from implementing controls.
In the example scenario provided at the start of this section, there are two possible Primary
Stakeholders: the HR executive, and the large bank employing her. Given that it is the bank that
is accountable for the HR applications and other sensitive employee information, the bank will
be the Primary Stakeholder.
In the example scenario, there are multiple possible Assets: these are the credentials as well as
the applications, systems, and information to which the credentials provide access. For this Loss
Scenario, the Asset will be the credentials because their value is inherited from the assets they
are intended to protect.
This Loss Scenario will focus on the cleaning crew as the most likely Threat Community: they
have regular contact with the Asset; unless there are cameras spread throughout the office, there
is a low risk of detection/capture, and there is minimal level of effort required to use the
credentials.
In the example scenario, the most likely Threat Event is for the malicious use of the Asset by
one or more members of the cleaning crew. The Threat Event would not be the result of error,
failure, or a natural event.
The threat vector, therefore, would be one or more members of the cleaning crew using the
authentication credentials written on the sticky-note to log into the HR executive’s computer and
gaining unauthorized access to the information they are intended to protect.
In the example scenario, the Threat Community could take one or more actions against the
Asset: they could use the credentials to access, misuse, disclose, modify, or deny access to the
sensitive employee information the credentials are intended to protect.
The Loss Scenario will focus on the malicious access to and misuse of sensitive employee
information by one or more members of the cleaning crew, using the executive’s log-on
credentials posted on a sticky-note. The malicious access to and misuse of the sensitive
employee information will result in primary productivity and response losses for the bank – there
The specificity of this description excludes events whereby a cleaning crew member used the
credentials to log on and surf the Internet, check their social media accounts, or even send illicit
email. It also stipulates that the intent be malicious, which excludes acts of simple curiosity, and
involves misuse versus destruction. These other scenarios could be separate analyses of their
own if they were deemed relevant enough.
Now that the Primary Stakeholder, Asset, Threat Community, Threat Event, and Loss Event
have all been identified, the Loss Scenario can be decomposed and written as a single sentence
to tell the story of the loss.
Cleaning crew member(s) find and copy an HR executive’s user ID and password found on a
sticky-note, and using those credentials, they maliciously access and misuse sensitive employee
information; when this event occurs, the bank always suffers primary productivity and response
losses, and the bank may also suffer secondary response costs and fines and judgments.
Threat Event Frequency (TEF) is based upon how frequently contact between the Threat Agent
and the Asset occurs (the Contact Frequency) and the probability that the Threat Agent would
act against the Asset (the Probability of Action).
As stated previously, TEF will be estimated by considering Contact Frequency and Probability
of Action.
Contact has already been determined to be regular between the cleaning crew and the Asset,
though a specific number of times/week or times/month was not initially determined. Based on
typical business operations, this analysis assumes that the cleaning crew visits the bank once per
week – this is the Contact Frequency, and it would be estimated as High, based on the example
qualitative scale below.
Rating Description
Very Low (VL) < 0.1 times per year (less than once every 10 years)
This analysis also assumes that cleaning crews are generally comprised of honest people, that an
HR executive’s credentials typically would not be viewed or recognized as especially valuable to
them, and that the perceived risk associated with illicit use might be high. This means the
Probability of Action is Very Low – cleaning crew members are extremely unlikely to act
against the Asset, even if contact is made – based on the example qualitative scale below.
As a result, TEF can be estimated to be Very Low, using the example risk matrix below.
Rows: Probability of Action (PoA); columns: Contact Frequency (CF)

PoA \ CF   VL   L    M    H    VH
VH         M    H    VH   VH   VH
H          L    M    H    H    H
M          VL   L    M    M    M
L          VL   VL   L    L    L
VL         VL   VL   VL   VL   VL
As a result, based on the example qualitative scale below, a Threat Event would only be
estimated to occur less than once every ten years.
Very Low (VL) < 0.1 times per year (less than once every 10 years)
A cleaning crew could contain an employee with motive, sufficient computing experience to
recognize the potential value of these credentials, and with a high enough risk tolerance to try
their hand at illicit use. However, the probable TEF is Very Low.
The example scenario is missing information that could impact TEF by reducing Probability of
Action:
The cleaning crew could be escorted through their rounds by a member of the physical
security team
The premises could be well covered by CCTV
The cleaning crew employees could be bonded and undergo thorough background checks
The cleaning crew employees could have been with the company for years
None of these are guarantees of TEF being 0, of course, but they are relevant considerations that
affect the likelihood of misbehavior.
Vulnerability is the probability that a Threat Event results in a Loss Event, and it can either be
estimated directly by comparing the number of Loss Events to the total Threat Events or by
considering how Threat Capability compares to Resistance Strength.
This example will estimate Vulnerability by comparing Threat Capability to Resistance Strength
and working at the lower level of the Open FAIR taxonomy.
In this example scenario, Threat Capability is based on the skill (in this case, reading ability) and
resources (time) the average member of this Threat Community can use against a password
written on a sticky-note. Based on the example qualitative scale below, the Threat Capability of
the cleaning crew can be estimated to be Moderate (meaning average skill and resources), as
compared to the overall threat population.
Very High (VH) Top 2% when compared against the overall threat population
High (H) Top 16% when compared against the overall threat population
Moderate (M) Average skill and resources (between bottom 16% and top 16%)
Low (L) Bottom 16% when compared against the overall threat population
Very Low (VL) Bottom 2% when compared against the overall threat population
Note: Threat Capability is always estimated relative to the scenario. If the scenario was
different, and instead was evaluating the cleaning crew’s capability to execute a
Structured Query Language (SQL) injection attack, Threat Capability would likely be
estimated to be Low or even Very Low.
In this example scenario, because the credentials are in plain sight and in plain text, the
Resistance Strength is Very Low, based on the example qualitative scale below. This would
mean the Asset is protected from only the bottom 2% of an average threat population.
Rating Description
Very High (VH) Protects against all but the top 2% of an average threat population
High (H) Protects against all but the top 16% of an average threat population
Low (L) Only protects against bottom 16% of an average threat population
Very Low (VL) Only protects against bottom 2% of an average threat population
Based on the estimates of Threat Capability being Moderate and Resistance Strength being Very
Low, Vulnerability can then be estimated to be Very High using the example risk matrix below.
Rows: Threat Capability (TCap); columns: Resistance Strength (RS)

TCap \ RS  VL   L    M    H    VH
VH         VH   VH   VH   H    M
H          VH   VH   H    M    L
M          VH   H    M    L    VL
L          H    M    L    VL   VL
VL         M    L    VL   VL   VL
In this example scenario, given a TEF of Low and Vulnerability of Very High, the LEF would
likely be Low, based on the example risk matrix below.
Rows: Threat Event Frequency (TEF); columns: Vulnerability (Vuln)

TEF \ Vuln VL   L    M    H    VH
VH         M    H    VH   VH   VH
H          L    M    H    H    H
M          VL   L    M    M    M
L          VL   VL   L    L    L
VL         VL   VL   VL   VL   VL
Note: Vulnerability is depicted as a percentage, which means that a Primary Stakeholder can
never be more than 100% vulnerable. Consequently, the LEF will never be greater than
the TEF.
Within this scenario, there were two actions identified as being most likely for the Threat
Community to take that would cause a Primary Loss:
Access – the cleaning crew does not have authorized access to the sensitive employee
information
Misuse – employee records typically have information that can be used to execute identity
theft, which introduces potential legal and reputation loss
The Loss Scenario focuses on access and misuse (e.g., identity theft) because it is a common
concern for scenarios such as this.
A key assumption in the Loss Magnitude portion of this analysis is that the volume of
compromised employee information is limited to the number of employee records in the system.
This is relevant because even a loss of, for example, 15,000 employee records pales in
comparison to breaches of customer records, which can number in the millions. It may also be
reasonable to assume that the volume of compromised employee records would be much
smaller, due to factors such as:
Cleaning crew member concerns regarding higher risk from taking more data
Cleaning crew intent to personally execute identity theft versus selling the information for
others to abuse
When performing an analysis, the analyst needs to develop a rationale that supports their
foundational assumptions. When using the qualitative values such as in this example, it
sometimes makes sense to perform multiple scenario analyses: one for best-case, another for
most likely, and a third for worst-case.
The next step is to estimate the PLM for access and misuse based on the Open FAIR forms of
loss.
Forms of Loss (PLM)   Productivity   Response   Replacement   Fines & Judgments   Competitive Advantage   Reputation
Rating                L              M          —             —                   —                       —
The example qualitative scale below presents a set of ranges to characterize Loss Magnitude.
The ranges within the scale reflect this example organization’s capacity for loss and/or
management’s tolerance for loss.
The estimate for PLM – comprised of productivity and response losses – in this scenario is
Moderate based on the following rationale:
Productivity – although there may be some amount of disruption to the organization,
there is no operational outage associated with this scenario and the organization should
continue to be able to deliver its goods and services to its customers; for these reasons,
monetary loss severity would be expected to be low
Response – primary response costs in this scenario will involve, at a minimum, the
following activities: investigation of the breach, assessment and audit, crisis management,
and internal communications
Since the breach involved employee data, which is protected Personally Identifiable
Information (PII) in many localities, this will trigger notifications to all employees within
the compromised application. It is likely that outside experts will be required to determine
the notification requirements, per locality of employee (whether residence or nationality,
depending on the specific breach notification law).
This rationale is based on what is expected to happen versus best and worst-case. This highlights
the fact that ordinal matrices tied to numeric ranges are limited in how effectively they represent
the full range of possible outcomes. As stated earlier, the analyst might need to perform multiple
scenario analyses to present all results: one for best-case, another for most likely, and a third for
worst-case.
This example analysis does not estimate PLM for replacement, fines and judgments, competitive
advantage, or reputation. Given the definitions for Primary and Secondary Loss, as well as the
individual definitions for each of these forms of loss, some of these forms of loss are more
relevant for Secondary Loss in this scenario.
Secondary Loss is comprised of the SLEF and the SLM, and Secondary Loss only occurs if
reactions from Secondary Stakeholders cause one or more additional losses for the Primary
Stakeholder.
In this scenario, regulators may react negatively to an event in which a large volume of sensitive
employee information was compromised, at least in part because of questions the event might
raise regarding controls over customer information. How severely regulators react will likely be
a function of their perception of the existing overall control environment.
Although most Loss Scenarios will not treat employees as Secondary Stakeholders, there are
exceptions in this example that make it reasonable to treat them as Secondary Stakeholders: the
affected employees could potentially leave the organization and/or file lawsuits. These possible
actions mean Secondary Losses would come from fines and judgments by regulators, which
would also create secondary response losses.
SLEF is the conditional probability that a Primary Loss will result in a Secondary Loss. Because
this event involves the compromise of personal information, it is highly likely that one or more
of the Secondary Stakeholder communities would be required to be informed and have to be
“managed”. Consequently, the probability of Secondary Loss Events occurring is Very High, or
around 90 to 100% probability of occurring, based on the example qualitative scale below.
Figure 10: Example Qualitative Scale for Secondary Loss Event Frequency (Rating / Description)
This analysis assumes that all 15,000 employee records are taken. The rationale behind this
assumption is that if someone is going to take the personal risk of performing this sort of illicit
action, they are likely to try to maximize the value proposition. This rationale can be used to
estimate the SLM for response losses and fines and judgments (by regulators) based on the Open
FAIR forms of loss.
Forms of Loss (SLM)   Productivity   Response   Replacement   Fines & Judgments   Competitive Advantage   Reputation
Rating                —              M          —             L                   —                       —
The example qualitative scale below presents a set of ranges to characterize SLM. The ranges
within the scale reflect this example organization’s capacity for loss and/or management’s
tolerance for loss.
The estimate for SLM – comprised of response losses and fines and judgments – in this scenario
is Moderate based on the following rationale:
Response – in this scenario, response costs would include executive time spent in
meetings, notification costs, credit monitoring, and expenses associated with inside and
outside legal counsel
A specific breakdown is:
— Executive time: 40 hours @ $300 per hour = $12,000
— Notification costs: $5 per employee
— Credit monitoring: $25 * 15,000 employees * 5% acceptance rate = $18,750
— Legal expenses: $100,000
— TOTAL: $200,000 (approx.)
Fines and Judgments – provided that the company was not negligent in handling the
event, and made a concerted effort to protect employee interests, fines and judgments are
assumed to be low (if any at all)
No productivity loss would occur as a Secondary Loss because the organization is still able to
provide its goods and services.
No damage to competitive position would occur because their competitors would not have
improved their products and services, nor did the products and services of the organization
diminish.
Note: If any employees actually suffered loss through identity theft, it is possible that the
organization would have to cover those losses. In such a case, those losses would be
accounted for as secondary replacement costs.
The value of Moderate is selected based on the approximate TOTAL value and these rationales.
Secondary Loss
Rows: Secondary Loss Magnitude (SLM); columns: Secondary Loss Event Frequency (SLEF)

SLM \ SLEF VL   L    M    H    VH
VH         L    M    M    H    VH
H          L    L    M    M    H
M          L    L    L    M    M
L          VL   L    L    L    M
VL         VL   VL   L    L    L
In this example scenario, given a PLM of Moderate and Secondary Loss of Moderate, the Loss
Magnitude would likely be Moderate, based on the example risk matrix below.
Rows: Primary Loss Magnitude (PLM); columns: Secondary Loss (SL)

PLM \ SL   VL   L    M    H    VH
VH         M    H    VH   VH   VH
H          L    M    H    VH   VH
M          VL   L    M    H    VH
L          VL   VL   L    M    H
VL         VL   VL   VL   L    M
Assuming that the example risk matrix below has been “approved” by the leadership of the
fictional bank, the Risk associated with this scenario would be Low – based upon a Low
Risk
Rows: Loss Magnitude (LM); columns: Loss Event Frequency (LEF)

LM \ LEF   VL   L    M    H    VH
VH         M    H    VH   VH   VH
H          L    M    H    VH   VH
M          VL   L    M    H    VH
L          VL   VL   L    M    H
VL         VL   VL   VL   L    M
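The qualitative chain above (Contact Frequency and Probability of Action to TEF, Threat Capability and Resistance Strength to Vulnerability, then LEF, Secondary Loss, Loss Magnitude and Risk) is easy to reproduce and check once the matrices are lookup tables. The block below is an added example in Python and is not code from The Open Group or the Open FAIR Risk Analysis Tool. The matrix cells are transcribed from this chapter; the function names, the orientation convention (rows VH down to VL, columns VL across to VH, as printed), and the column-axis labels for the matrices whose column axis is not printed (Contact Frequency for the TEF matrix, SLEF for the Secondary Loss matrix, LEF for the Risk matrix) are this example's assumptions. The `tef` parameter exists because the chapter rates TEF as Very Low from the Contact Frequency x PoA matrix but carries a TEF of Low into the LEF matrix; passing either label shows which Risk rating each path produces, and `lef_never_exceeds_tef` verifies the chapter's note that LEF can never exceed TEF against the LEF matrix itself.

```python
"""Ordinal risk-matrix lookups for the sticky-note scenario.

Added example, not code from The Open Group or the Open FAIR Risk Analysis
Tool. Matrix cells are transcribed from this chapter; names are this example's.
"""

LEVELS = ["VL", "L", "M", "H", "VH"]  # ordinal scale, lowest to highest
RANK = {level: i for i, level in enumerate(LEVELS)}


def parse_matrix(text: str) -> dict:
    """Parse a 5x5 matrix written as on the page: rows top-to-bottom VH..VL,
    columns left-to-right VL..VH. Returns {(row_label, col_label): cell}."""
    grid = [line.split() for line in text.strip().splitlines()]
    if len(grid) != 5 or any(len(row) != 5 for row in grid):
        raise ValueError("expected a 5x5 matrix")
    table = {}
    for row_label, cells in zip(reversed(LEVELS), grid):
        for col_label, cell in zip(LEVELS, cells):
            if cell not in RANK:
                raise ValueError(f"unknown rating {cell!r}")
            table[(row_label, col_label)] = cell
    return table


# Rows: Probability of Action; columns: Contact Frequency (assumed column axis).
TEF_MATRIX = parse_matrix("""
M  H  VH VH VH
L  M  H  H  H
VL L  M  M  M
VL VL L  L  L
VL VL VL VL VL
""")
# Rows: Threat Capability; columns: Resistance Strength.
VULN_MATRIX = parse_matrix("""
VH VH VH H  M
VH VH H  M  L
VH H  M  L  VL
H  M  L  VL VL
M  L  VL VL VL
""")
# Rows: TEF; columns: Vulnerability. The chapter prints the same cells as TEF.
LEF_MATRIX = TEF_MATRIX
# Rows: Secondary Loss Magnitude; columns: SLEF (assumed column axis).
SL_MATRIX = parse_matrix("""
L  M  M  H  VH
L  L  M  M  H
L  L  L  M  M
VL L  L  L  M
VL VL L  L  L
""")
# Rows: Primary Loss Magnitude; columns: Secondary Loss.
LM_MATRIX = parse_matrix("""
M  H  VH VH VH
L  M  H  VH VH
VL L  M  H  VH
VL VL L  M  H
VL VL VL L  M
""")
# Rows: Loss Magnitude; columns: LEF (assumed). Same cells as the LM matrix.
RISK_MATRIX = LM_MATRIX


def lookup(table: dict, row: str, col: str) -> str:
    """Read one cell; raises KeyError on an unknown rating."""
    return table[(row, col)]


def derive_risk(contact_freq, poa, tcap, rs, plm, slm, slef, tef=None) -> dict:
    """Walk the chapter's matrices from the factor ratings to Risk.

    `tef` lets the analyst supply a TEF rating directly instead of taking it
    from the Contact Frequency x PoA matrix (the chapter does both)."""
    steps = {}
    steps["TEF"] = tef if tef is not None else lookup(TEF_MATRIX, poa, contact_freq)
    steps["Vuln"] = lookup(VULN_MATRIX, tcap, rs)
    steps["LEF"] = lookup(LEF_MATRIX, steps["TEF"], steps["Vuln"])
    steps["SL"] = lookup(SL_MATRIX, slm, slef)
    steps["LM"] = lookup(LM_MATRIX, plm, steps["SL"])
    steps["Risk"] = lookup(RISK_MATRIX, steps["LM"], steps["LEF"])
    return steps


def lef_never_exceeds_tef() -> bool:
    """Vulnerability is a probability, so LEF can never exceed TEF; confirm the
    LEF matrix honours that for every TEF/Vulnerability combination."""
    return all(RANK[lookup(LEF_MATRIX, tef, vuln)] <= RANK[tef]
               for tef in LEVELS for vuln in LEVELS)


if __name__ == "__main__":
    # Scenario ratings as given in this chapter.
    print(derive_risk("H", "VL", "M", "VL", plm="M", slm="M", slef="VH"))
    print(derive_risk("H", "VL", "M", "VL", plm="M", slm="M", slef="VH", tef="L"))
    print("LEF <= TEF everywhere:", lef_never_exceeds_tef())
```

Run as a script it prints both derivations: with TEF taken from the matrix the scenario rates Very Low Risk, and with the chapter's TEF of Low it rates Low Risk, matching the result stated in the chapter.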
Cleaning crew member(s) find and copy an HR executive’s user ID and password found on a
sticky-note, and using those credentials, they maliciously access and misuse sensitive employee
information; when this event occurs, the bank always suffers primary productivity and response
losses, and the bank may also suffer secondary response costs and fines and judgments.
However, this quantitative version of the analysis estimates TEF directly instead of attempting to
derive it by estimating Contact Frequency and Probability of Action – rarely in a real-world
analysis will a risk analyst need or be able to derive TEF from Contact Frequency and
Probability of Action, so this quantitative version of the analysis utilizes the same approach.
As stated previously, contact has been determined to occur regularly between the cleaning crew
and the Asset – once per week. However, not every Contact Event always results in a Threat
Event, so TEF will be less than Contact Frequency.
This quantitative version of the analysis also assumes that cleaning crews are generally
comprised of honest people, that an HR executive’s credentials typically would not be viewed or
recognized as especially valuable to them, and that the perceived risk associated with illicit use
might be high.
As a result, TEF is estimated to have a minimum of 0.1 events per year, a maximum of 1 event
per year, and a most likely of 0.5 events per year. The minimum and maximum values come
from the ends of the qualitative TEF scale from Section 2.1.2.1, with the most likely value being
chosen as the median.
The values for TEF are input to the Open FAIR Risk Analysis Tool.
Figure 15: Threat Event Frequency in the Open FAIR Risk Analysis Tool
Note: Values are only input into the boxes for Current (Cur.) risk analysis; no changes have
been proposed that would impact the analysis and provide values for boxes for a
Proposed (Prop.) risk analysis. Therefore, these boxes are left empty. This will be the
case for future figures, too.
In this quantitative version of the risk analysis, Threat Capability is still based on the skill (in
this case, reading ability) and resources (time) the average member of this Threat Community
can use against a password written on a sticky-note.
For consistency, this quantitative version of the analysis will also estimate Vulnerability by
comparing Threat Capability to Resistance Strength and working at the lower level of the Open
FAIR taxonomy.
However, Threat Capability in this case is estimated without a qualitative scale. The calibrated
estimate for most likely Threat Capability is 50%, with a minimum of 25% and a maximum of
75% based on a reasonable comparison to the overall threat population. These values are input to
the Open FAIR Risk Analysis Tool.
Resistance Strength is also estimated without a qualitative scale. As a result, the calibrated
estimate for Resistance Strength maximum is 4%, the minimum is 0%, and the most likely is
2%, which are input to the Open FAIR Risk Analysis Tool.
Figure 17: Resistance Strength in the Open FAIR Risk Analysis Tool
The maximum Resistance Strength in this example is only 4%, which is well below the Threat
Capability minimum of 25%. As a result, the Open FAIR Risk Analysis Tool calculates
Vulnerability as 100%. In other words, if one or more members of the cleaning crew decide to
use the credentials, they would be expected to gain access every time.
Figure 18 displays the result of the analysis of TEF and Vulnerability from the Open FAIR Risk
Analysis Tool.
Figure 18: Loss Event Frequency in the Open FAIR Risk Analysis Tool
Figure 18 indicates that no loss is estimated to occur about 60% of the time and that one Loss
Event would occur about 33% of the time. In other words, one Loss Event is only estimated to
occur once every three years. There is also only a 7% chance that more than one Loss Event
would occur in a single year.
This quantitative version of the risk analysis will also focus on the two actions identified as
being most likely for the Threat Community to take that would cause a Primary Loss:
Access – the cleaning crew does not have authorized access to the sensitive employee
information
Misuse – employee records typically have information that can be used to execute identity
theft, which introduces potential legal and reputation loss
This quantitative version of the risk analysis also assumes that the volume of compromised
employee information would be limited to the number of employee records in the system.
The next step is to estimate the PLM for access and misuse, which would directly cause
productivity and response losses for the Primary Stakeholder.
Forms of Loss (PLM)      Minimum     Most Likely   Maximum
Productivity             $10,000     $45,000       $60,000
Response                 $100,000    $300,000      $800,000
Replacement              —           —             —
Fines & Judgments        —           —             —
Competitive Advantage    —           —             —
Reputation               —           —             —
The estimates for PLM are based on the following rationale, which is still based on what is
expected to happen versus best and worst-case:
Productivity – although there may be some amount of disruption to the organization,
there is no operational outage associated with this scenario and the organization should
continue to be able to deliver its goods and services to its customers
The calibrated estimate for PLM minimum is $10,000, the most likely is $45,000, and the
maximum is $60,000, which are input to the Open FAIR Risk Analysis Tool (in
thousands).
Response – primary response costs in this scenario are limited to person-hours involved in
the investigation, any costs related to dealing with the agency that provides the cleaning
crew, as well as any forensic expenses that might arise
A common source for this data would be other incidents the organization may have
experienced, or in some cases, industry data. The calibrated estimate for PLM minimum is
$100,000, the most likely is $300,000, and the maximum is $800,000, which are input to
the Open FAIR Risk Analysis Tool (in thousands).
This quantitative version of the risk analysis also does not estimate PLM for replacement, fines
and judgments, competitive advantage, or reputation. Given the definitions for Primary and
Secondary Loss, as well as the individual definitions for each of these forms of loss, some of
these forms of loss are more relevant for Secondary Loss in this scenario.
In this quantitative version, little is changed for any Secondary Losses. Regulators may still react
negatively to an event in which a large volume of sensitive employee information was compromised,
at least in part because of questions the event might raise regarding controls over customer
information, and how severely regulators react will likely be a function of their perception of the
existing overall control environment.
Since customer information is still not involved in this scenario, this quantitative version of the
risk analysis also assumes minimal, if any, negative reaction from customers. Likewise, a
compromise of employee information is unlikely to generate much concern with shareholders
because the event does not reflect badly on the fundamental value proposition of the institution.
Although most Loss Scenarios will not treat employees as Secondary Stakeholders, the same
exceptions apply in this example that make it reasonable to treat them as Secondary
Stakeholders: the affected employees could potentially leave the organization and/or file
lawsuits. These possible actions mean Secondary Losses would come from fines and judgments
by regulators, which would also create secondary response losses.
With this in mind and because this event involves the compromise of personal information, it is
virtually guaranteed that one or more of the Secondary Stakeholder communities would be
informed and have to be “managed”. Consequently, the calibrated estimate for most likely SLEF
is 95%, with a minimum of 90% and a maximum of 100%.
Forms of Loss
The magnitude of response losses and of fines and judgments can then be estimated using the
following rationale:
Response – in this scenario, response costs would include executive time spent in
meetings, notification costs, credit monitoring, and expenses associated with inside and
outside legal counsel
The calibrated estimate for SLM minimum is $100,000, the most likely is $200,000, and
the maximum is $300,000, which are input to the Open FAIR Risk Analysis Tool (in
thousands). A specific breakdown is:
— Executive time: 40 hours @ $300 per hour = $12,000
— Notification costs: $5 per employee
— Credit monitoring: $25 * 15,000 employees * 5% acceptance rate = $18,750
— Legal expenses: $100,000
— TOTAL: $200,000 (most likely value)
Fines and Judgments – provided that the company was not negligent in handling the
event, and made a concerted effort to protect employee interests, fines and judgments
should be low (if any at all)
The calibrated estimate for SLM minimum is $0, the most likely is $10,000, and the
maximum is $20,000, which are input to the Open FAIR Risk Analysis Tool (in
thousands).
No productivity loss would occur as a Secondary Loss because the organization is still able to
provide its goods and services.
No damage to competitive position would occur because their competitors would not have
improved their products and services, nor did the products and services of the organization
diminish.
The most likely values for SLM for response losses and fines and judgments were derived from
calculations and rationale above and are input to the Open FAIR Risk Analysis Tool along with
the calibrated estimates for SLEF from above.
Figure 20: Secondary Loss in the Open FAIR Risk Analysis Tool
Figure 21 displays the combined Loss Magnitude results for a single estimated Loss Event from
the Open FAIR Risk Analysis Tool.
Figure 21: Loss Magnitude for a Single Total Loss in the Open FAIR Risk Analysis Tool
This indicates that, across all of the simulated trials generated by the Open FAIR Risk Analysis
Tool, a single Loss Event would have an average loss of $659,000. The single simulated trial
(out of 100) presented in Figure 21 would result in a loss of $702,000. Moreover, there is a 65%
chance of loss exceeding $715,000 and an 85% chance of loss exceeding $500,000.
Figure 22: Total Risk in the Open FAIR Risk Analysis Tool
Figure 22 indicates the total risk (accounting for both LEF and Loss Magnitude) estimated in
the quantitative version of the analysis. Figure 22 depicts 100 trials⁶ and plots their distribution.
In these 100 trials, the average annualized loss exposure is $309,000. In about 60% of
simulated trials, the annualized loss exposure would be less than $50,000. However, there is a
31% chance that loss will exceed $500,000. In other words, a loss exceeding $500,000 is
estimated to occur roughly once every three years.
⁶ The Open FAIR Risk Analysis Tool simulates 100 years of outcomes by default, which can be adjusted according to preference.
⁷ For more information on this subject, see Hubbard & Evans (2010).
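The calculation behind Figures 21 and 22, as an added Monte Carlo example that is not the Open FAIR Risk Analysis Tool's code: it takes the Loss Magnitude estimates above and reports the average annualized loss exposure and the chance of a year's loss exceeding a threshold. Each calibrated estimate is drawn from a triangular distribution (an assumption; the tool's distribution is not stated here, so the results will not match the guide's figures exactly), and TEF and Vulnerability are constructed placeholders because this section does not restate the frequency inputs; the same functions accept the TEF and Vulnerability estimates developed in Section 3.1.

```python
"""Added Monte Carlo sketch of the Open FAIR calculation (not the tool's code):
Threat Events ~ Poisson(TEF), each becomes a Loss Event with probability Vuln,
each Loss Event costs Primary Loss plus (with probability SLEF) Secondary Loss."""
import math
import random
from statistics import mean

# Calibrated estimates as (minimum, most likely, maximum).
# Loss Magnitude values are the guide's, in dollars; the two frequency
# inputs are constructed placeholders (this section restates only LM).
TEF_ASSUMED = (0.5, 1.0, 2.0)       # constructed: Threat Events per year
VULN_ASSUMED = (0.30, 0.50, 0.70)   # constructed: P(Threat Event -> Loss Event)
PLM_RESPONSE = (100_000, 300_000, 800_000)
SLEF = (0.90, 0.95, 1.00)
SLM_RESPONSE = (100_000, 200_000, 300_000)
SLM_FINES = (0, 10_000, 20_000)


def draw(estimate, rng):
    """Sample a (min, most likely, max) estimate. Assumption: triangular
    distribution; the tool's own distribution is not stated on this page."""
    low, mode, high = estimate
    return low if low == high else rng.triangular(low, high, mode)


def poisson(rate, rng):
    """Knuth's algorithm for a Poisson-distributed event count."""
    limit, count, product = math.exp(-rate), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def loss_magnitude(rng):
    """One Loss Event: Primary Loss, plus Secondary Loss when a Secondary
    Stakeholder reacts (probability SLEF)."""
    total = draw(PLM_RESPONSE, rng)
    if rng.random() < draw(SLEF, rng):
        total += draw(SLM_RESPONSE, rng) + draw(SLM_FINES, rng)
    return total


def loss_events_in_year(rng, tef, vuln):
    """LEF decomposed as TEF x Vulnerability: the Threat Events that succeed
    against the Asset in one simulated year."""
    threat_events = poisson(draw(tef, rng), rng)
    vulnerability = draw(vuln, rng)
    return sum(1 for _ in range(threat_events) if rng.random() < vulnerability)


def simulate_annual_losses(years=100, seed=7, tef=TEF_ASSUMED, vuln=VULN_ASSUMED):
    """One trial per simulated year (the tool's default is 100 years);
    returns each trial's annualized loss exposure."""
    rng = random.Random(seed)
    return [sum(loss_magnitude(rng) for _ in range(loss_events_in_year(rng, tef, vuln)))
            for _ in range(years)]


def probability_exceeding(losses, threshold):
    """Share of trials whose loss exceeds the threshold."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def summarize(losses):
    """Quantities the guide reads off Figure 22 (31% over $500k -> once per ~3 years)."""
    p_500k = probability_exceeding(losses, 500_000)
    return {
        "average_annualized_loss_exposure": mean(losses),
        "share_below_50k": sum(1 for loss in losses if loss < 50_000) / len(losses),
        "p_exceeding_500k": p_500k,
        "years_per_500k_loss": 1 / p_500k if p_500k else math.inf,
    }
```

Calling summarize(simulate_annual_losses()) gives the same four readings the text takes from Figure 22, for the constructed inputs.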
The quantitative version of the risk analysis shows an average loss of around $300,000. This
falls within the Moderate range of the example qualitative scale for Loss Magnitude from the
qualitative version of the analysis, shown below. This contrasts with the estimate of Low from
the qualitative version of the analysis.
In Figure 22, the bar graph for Loss Magnitude from the quantitative version of the analysis also
shows that in about 60% of the simulated trials, the losses would be considered Low if using the
example qualitative scale for Loss Magnitude from the qualitative version of the analysis that is
shown in Figure 23. In other words, about 60% of losses fall between $10,000 and $99,999.
However, the shorter bars starting at $350,000, together with the 31% chance of loss exceeding
$500,000 (that is, such a loss occurring about once every three years), show a probability of a
Moderate loss on the example qualitative scale for Loss Magnitude from the qualitative version
of the analysis.
In this example, the quantitative version of the risk analysis result indicates higher average risk
than the qualitative analysis. The quantitative analysis also provides specifics on the potential
frequency and magnitude of loss, making the results more defensible to decision-makers who
must determine what, if anything, they should do.
Figure 24: Example Qualitative Scale for Risk based on Range for Loss Magnitude
In a real analysis, the risk analyst may choose to evaluate and report on more than one Threat
Community or more than one type of Loss Event. However, initially assessing the scenario
perceived as most probable and most significant may by itself provide enough information for a
well-informed decision, particularly if the results are expressed quantitatively according to the
preference of the decision-maker(s).
This chapter presents examples⁸ of using Open FAIR risk analysis results to inform business
decisions about proposed security changes. The examples use a spreadsheet based on Appendix
A of the Open FAIR Risk Analysis Process Guide to organize the analysis. The Open FAIR Risk
Analysis Tool is used to perform the risk analysis. The examples include the full rationale for
calibrated estimates used. The intent of each case is to answer the question: “What do we do
about the identified risk?”
Each section presents a different example of using Open FAIR risk analysis results in a business
case. These different examples include considerations such as the risk assessment framework
used by the organization (e.g., from NIST, ISO/IEC). The sections follow the same structure as
the stages described in the O-RA Standard, Version 2.0, beginning with identifying the Loss
Scenario before evaluating LEF, evaluating Loss Magnitude, and finally deriving and
articulating risk; they conclude by preparing the business case.
3.1.1 Background
An organization executive, John T. Boss, has become concerned by reports of new features in a
competitor’s product that are suspiciously like proprietary capabilities in his organization’s
product. He engages the risk analyst to initiate a risk analysis in which John T. Boss is identified
as the Primary Stakeholder.
The Primary Stakeholder identifies an initial risk question with a defined scope. The risk analyst
facilitates documenting the Primary Stakeholder’s perspective which is refined into the Loss
Scenario that will be analyzed.
At this point the risk analyst works with appropriate staff to identify investment options for
reducing risk and possibly cost. This example assumes that one risk reduction investment,
implementing Product X, has been identified. Ultimately the analysis must demonstrate the
expected business benefits of implementing Product X.
The example begins with the current risk scenario, then follows with the scenario accounting for
implementing the proposed security product. It concludes with the Open FAIR analysis results.
⁸ Version 1.0 of this document is published with only one example, but The Open Group Security Forum welcomes additional, contributed examples to expand this section (see Section 1.3: Future Directions).
⁹ This example is not based on any real-world scenario, but instead depicts a common potential scenario; any similarities to a real scenario are entirely coincidental, and the example should not be interpreted as being typical.
Initial Risk Question: What is the risk associated with employees selling product development
information to competitors?
Loss Scenario
Threat Action: Insider Threat Agent removes copies of files from the Windows or UNIX® host
to a location outside the organization.
Current Risk Scenario: An insider removes copies of files from Windows or UNIX host to a
location outside the organization with the intent to sell proprietary information to a competitor.
A Loss Event occurs when unstructured proprietary data is sold to a competitor who uses the
information to enhance their product to improve their competitive position. First, an insider must
intentionally export files containing the unstructured proprietary information (e.g., words and
images developed with typical applications) by sending them to an Internet location outside the
organization (e.g., their home).
The analysis begins with the risk analyst determining the Open FAIR taxonomy level at which
calibrated estimates can be developed for LEF.
3.1.2.2.1 Estimate the Loss Event Frequency – Threat Event Frequency
The risk analyst determines that LEF cannot be estimated directly, but that TEF can.
Table 2: Current Scenario Loss Event Frequency
If sufficient data exists and is determined to be stable and reliable, TEF may be determined directly.
Many times it is possible to determine TEF without drilling down to Contact Frequency and Probability
of Action.
Over that timeframe what are the number of Threat Events where the Threat Agent(s) in the Loss
Scenario may come into contact with the asset(s)?
The computing files collected by the FBI suggests at least five separate events in one year based
on file date stamps. As there are multiple competitors, it is probable that activities of other cyber
criminals have not been detected.
All employees have daily contact with some data files. It is reasonable to anticipate that a very
small number would not be deterred by having signed an information protection agreement,
stealing proprietary information.
As a result, the estimate of TEF is a minimum of five events/year and a maximum events/year
of 15, with a most likely value of 10 events/year.
Based upon the timeframe and number of events, what is the derived TEF in units of events per unit
time? Provide a range: min, most likely, max. If the Threat Event occurs less than once per year,
represent as a fraction; e.g., once every ten years = 1/10 = .1
Threat Event Frequency (Input Values): TEF – Min Value = 5; TEF – Most Likely Value = 10;
TEF – Max Value = 15
The risk analyst determines that the current Vulnerability can be estimated directly.
Table 4: Current Scenario Vulnerability
May we drill down to the Vulnerability level for the analysis? LEF unknown; please enter
Vulnerability information.
If sufficient data exists and is determined to be stable and reliable, Vulnerability may be determined
directly. It is sometimes possible to determine Vulnerability without drilling down to Threat Capability
and Resistance Strength when sufficient data is available.
If you have chosen to input Vulnerability directly, how was Vulnerability derived? Provide
details.
Vulnerability is related to the quantity of files that categories of employees are authorized to
access (i.e., have at least a “read” access authorization). The Vulnerability related to newer
employees (i.e., files for which they do have authorized access) will be far less than for the most
senior employees. While these senior employees have greater authorized access, the
authorization is likely constrained to their specialty (engineering, finance, marketing, personnel,
etc.). The estimate for Vulnerability maximum is 80% for the senior employees who have
authorized access to many but not all files; the estimate for Vulnerability minimum is 5% for the
most junior employees; and the estimate for Vulnerability most likely value is 40% for the
average employee.
By default, employees cannot access any group of Windows file shares or SharePoint sites.
Access for a specific group is granted (access authorization) through an access management
process resulting in the user being allowed read-only access or full access.
While employees have unlimited frequency of access to files for which they are authorized, the
access management process does limit the number of files they are authorized to access.
However, the access management process rarely removes access once authorized (even in the
case when the employee leaves the organization). As employees move to different functions of
the organization, they will collect more access authorizations over time. Therefore, an insider
has the capability of stealing any file to which they have previously been granted access.
Currently there is no means of detecting, and therefore no means of responding to, Loss Events
for this situation; hence there is no estimate for PLM, which in this scenario is composed only of
response loss.
3.1.2.3.2 Estimate the Secondary Loss
The risk analyst identifies the Secondary Stakeholder as a competitor. While they do not suffer a
loss, they are considered a Secondary Stakeholder¹⁰ as a best fit to the definition¹¹ in the Open
FAIR Body of Knowledge, since they potentially cause an additional loss to the Primary
Stakeholder as a result of fallout from the Primary Loss.
Table 6: Current Scenario Secondary Loss Event Frequency
Secondary Loss Event Frequency (SLEF) – The percentage of Primary Loss Events resulting in
Secondary Loss Events; e.g., minimum 90%, most likely 95%, maximum 100%.
¹⁰ According to Section 4.5.2 of the O-RT Standard, Version 3.0: “Although called ‘Secondary Stakeholders’, they are most accurately viewed as ‘Secondary Threat Agents’ when they begin acting against the Primary Stakeholder’s Assets.”
¹¹ Use the terms within the Open FAIR Body of Knowledge to the best extent you can in your analysis. They may not always work perfectly, so be pragmatic. Document how you interpreted and utilized the Open FAIR terms in your analysis, particularly if they do not exactly match the Open FAIR Body of Knowledge.
Current Loss Scenario: An insider removes copies of files from the Windows or UNIX host to a
location outside the organization.
Selection Rationale: A market survey and an options analysis were performed, resulting in the
identification of a product that meets requirements.
A Loss Event for unstructured data occurs when the insider exfiltrates files from the Windows or
UNIX host to a location outside the organization’s control. In this case, the insider exports files
containing the unstructured data (e.g., words and images developed with typical applications) by
sending them to an Internet location outside the organization (e.g., their home).
The risk analyst determines the level at which calibrated estimates can be developed.
Product X is implemented in the organization without employees being informed. Therefore, the
proposed scenario does not change TEF.¹²
¹² If employees are informed that Product X is being implemented, the Probability of Action of an insider acting against the organization might be reduced due to perceiving an increased risk of being caught and suffering undesirable consequences – the reduced Probability of Action, in turn, would result in a reduced TEF. If the organization chose to inform employees, it could potentially further reduce risk by removing or reducing the incentive of employee(s) acting.
The risk analyst determines that Vulnerability can be estimated directly for the proposed
scenario.
Table 9: Proposed Scenario Vulnerability
May we drill down to the Vulnerability level for the analysis? LEF unknown; please enter
Vulnerability information.
If sufficient data exists and is determined to be stable and reliable, Vulnerability may be determined
directly. It is sometimes possible to determine Vulnerability without drilling down to Threat Capability
and Resistance Strength when sufficient data is available.
Vulnerability: Vuln – Min Value; Vuln – Most Likely Value; Vuln – Max Value
The risk analyst provides an estimate for response loss since the proposed scenario includes an
incident detection capability.
Table 10: Proposed Scenario Primary Loss Magnitude
Finally, the risk analyst provides an estimate for SLEF. SLM is not affected by implementing
Product X.
Table 11: Proposed Scenario Secondary Loss Event Frequency
Secondary Loss Event Frequency (SLEF) – The percentage of Primary Loss Events resulting in
Secondary Loss Events; e.g., minimum 90%, most likely 95%, maximum 100%.
Figure 25 shows how the calibrated estimates of TEF and Vulnerability are recorded in the Open
FAIR Risk Analysis Tool.
Figure 25: Record Loss Event Frequency in the Open FAIR Risk Analysis Tool
Figure 26: Record Loss Magnitude in the Open FAIR Risk Analysis Tool
The results for frequency of Loss Events are shown in the Open FAIR Risk Analysis Tool.
Figure 27: Display Loss Events in the Open FAIR Risk Analysis Tool
Figure 28: Adjust Percentile Loss in the Open FAIR Risk Analysis Tool
These results show that risk before implementing Product X is about $2.2 million¹³ (average
annualized loss exposure) and after implementing Product X is about $240,000 (average
annualized loss exposure). These values can then be used to prepare the business case.
¹³ Estimates are kept at this level of precision to avoid presenting falsely overly precise estimates generated by the Open FAIR Risk Analysis Tool; this is a common issue of most tools.
There is one additional benefit from Product X not related to risk: reduced delay of authorizing
access for new employees, which would otherwise delay their productivity. In this case, the
organization has 10,000 employees. The average turnover rate for employees in the organization
is about 1,200 to 1,500 employees each year. The estimate for lost productivity is 20 to 30% for
2 to 10 days for delay in gaining access. The variation arises based on the number of different
accesses required (time to request and to administer access), the number of different access
requests required, and the variation in the delay associated with processing multiple access
requests. The average fully-loaded hourly value of an employee is $100. Averages are used to
compute an annual productivity loss of:
The proposed project costs include the initial and annual costs of Product X plus the costs of
selecting and implementing the product. For simplicity, the business case compares the current
average Loss Magnitude against the proposed average Loss Magnitude plus the product’s annual
cost.
Investment overview
Project name: Product X
Project sponsor: John T. Boss
Date of request: <Date>
General description of benefits: Reduce risk of insider threat (employee)
ROI measures
Cost of capital 5%
Net present value $3,176,899
Return on investment 55% 118% 199%
Payback (in years) 1.58
This analysis could include more detail, for instance by replacing the average values in the
calculations, including those for acquiring and implementing the product, with distributions and
spreading them across multiple years. This example compares the discounted cash flows to
determine the payback on the investment.
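The productivity calculation and the discounted cash-flow comparison described above, as an added example that is not the guide's spreadsheet: the risk figures and cost of capital are the guide's, while the Product X costs, the 8-hour working day and the per-year ROI convention are constructed assumptions, so the NPV, ROI and payback it produces will not match the investment overview.

```python
"""Added discounted cash-flow business case for Product X, with constructed
cost figures; not the guide's spreadsheet."""

COST_OF_CAPITAL = 0.05      # from the investment overview
RISK_BEFORE = 2_200_000     # average annualized loss exposure, current scenario
RISK_AFTER = 240_000        # average annualized loss exposure with Product X
# Product X costs are not stated in this section: constructed placeholders.
INITIAL_COST = 2_000_000    # selection, acquisition and implementation
ANNUAL_COST = 400_000       # licence and operation per year
YEARS = 3


def productivity_loss(turnover=1350, lost_fraction=0.25, delay_days=6,
                      hourly_value=100, hours_per_day=8):
    """Annual productivity loss from access-provisioning delay, using the
    midpoints of the guide's ranges (1,200-1,500 leavers, 20-30% for 2-10
    days, $100/hour); hours_per_day is an assumption the guide does not state."""
    return turnover * lost_fraction * delay_days * hours_per_day * hourly_value


def annual_net_benefit(productivity_gain=0.0):
    """Current exposure minus (proposed exposure plus the product's annual
    cost), optionally plus recovered productivity."""
    return RISK_BEFORE - (RISK_AFTER + ANNUAL_COST) + productivity_gain


def cash_flows(years=YEARS, productivity_gain=0.0):
    """Year 0 is the outlay (negative); years 1..n are the net benefits."""
    return [-INITIAL_COST] + [annual_net_benefit(productivity_gain)] * years


def discount(amount, year, rate=COST_OF_CAPITAL):
    """Present value of an amount received at the end of the given year."""
    return amount / (1 + rate) ** year


def npv(flows, rate=COST_OF_CAPITAL):
    """Net present value of the flows at the cost of capital."""
    return sum(discount(cf, t, rate) for t, cf in enumerate(flows))


def roi_by_year(flows, rate=COST_OF_CAPITAL):
    """Cumulative discounted return on the outlay at the end of each year
    (one convention for reporting several ROI figures; an assumption)."""
    outlay, cumulative, result = -flows[0], 0.0, []
    for t, cf in enumerate(flows[1:], start=1):
        cumulative += discount(cf, t, rate)
        result.append((cumulative - outlay) / outlay)
    return result


def discounted_payback(flows, rate=COST_OF_CAPITAL):
    """Years until cumulative discounted benefits repay the outlay, with
    linear interpolation inside the crossing year; None if never repaid."""
    outlay, cumulative = -flows[0], 0.0
    for t, cf in enumerate(flows[1:], start=1):
        discounted = discount(cf, t, rate)
        if cumulative + discounted >= outlay:
            return t - 1 + (outlay - cumulative) / discounted
        cumulative += discounted
    return None
```

Passing productivity_loss() into cash_flows shows how much the non-risk benefit shortens the payback under the same assumptions.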
Action
An act taken against an Asset by a Threat Agent. Requires first that contact occurs between the
Asset and Threat Agent.
Asset
Contact Event
Occurs when a Threat Agent establishes a physical or virtual (e.g., network) connection to an
Asset.
Contact Frequency
The probable frequency, within a given timeframe, that a Threat Agent will come into contact
with an Asset.
Control
Any person, policy, process, or technology that has the potential to reduce the Loss Event
Frequency (LEF) – Loss Prevention Controls – and/or Loss Magnitude (LM) – Loss Mitigation
Controls.
FAIR
Loss Event
Occurs when a Threat Agent’s action (Threat Event) is successful in breaching or impairing an
Asset.
Loss Event Frequency
The probable frequency, within a given timeframe, that a Threat Agent will inflict harm upon an
Asset.
Loss Flow
The structured decomposition of how losses materialize when a Loss Event occurs.
Loss Scenario
The story of loss that forms a sentence from the perspective of the Primary Stakeholder.
Primary Stakeholder
Probability of Action
The probability that a Threat Agent will act against an Asset once contact occurs.
Resistance Strength
The strength of a Control as compared to the probable level of force (as embodied by the time,
resources, and technological capability; measured as a percentile) that a Threat Agent is capable
of applying against an Asset.
Risk
Risk Analysis
The process to comprehend the nature of risk and determine the level of risk. [Source: ISO
Guide 73:2009]
Risk Assessment
The overall process of risk identification, risk analysis, and risk evaluation. [Source: ISO Guide
73:2009]
Risk Factors
The individual components that determine risk, including Loss Event Frequency, Loss
Magnitude, Threat Event Frequency, etc.
Risk Management
Coordinated activities to direct and control an organization with regard to risk. [Source: ISO
Guide 73:2009]
Secondary Stakeholder
Individuals or organizations that may be affected by events that occur to Assets outside of their
control. For example, consumers are Secondary Stakeholders in a scenario where their personal
private information may be inappropriately disclosed or stolen.
Threat
Anything that is capable of acting in a manner resulting in harm to an Asset and/or organization;
for example, acts of God (weather, geological events, etc.), malicious actors, errors, failures.
Threat Agent
Any agent (e.g., object, substance, human) that is capable of acting against an Asset in a manner
that can result in harm.
Threat Capability
The probable level of force (as embodied by the time, resources, and technological capability)
that a Threat Agent is capable of applying against an Asset.
Threat Community
A subset of the overall Threat Agent population that shares key characteristics.
Threat Event
Threat Event Frequency
The probable frequency, within a given timeframe, that a Threat Agent will act against an Asset.
Vulnerability (Vuln)
The probability that a Threat Event will become a Loss Event; probability that Threat Capability
is greater than Resistance Strength. (Synonym: Susceptibility)