Quantitative Risk Management with FAIR — Sharing the journey

Though I’ve known about FAIR (Factor Analysis of Information Risk) for many years and studied it for a number of the security certifications I’ve taken over the years, I never had the experience of using it on a day-to-day basis, as I have always worked for organisations that had purely qualitative risk management approaches.

I’ve recently decided to “up my risk management game” and get more acquainted with quantitative approaches, and FAIR seems to be a good candidate. I bought the Body of Knowledge from OpenFAIR and have been avidly reading it. This also aligns with my involvement in conversations about the development of MapScript (mapscript.org): the new version is to have a cost model, so I’m hoping these write-ups will be useful input to the development of MapScript too, making this both selfish and selfless 🙂

I decided I’d share my learning journey as well, so it’s likely I’ll butcher some of the concepts or approaches and get things wrong, but hopefully I can get feedback from people more knowledgeable than me to improve it and avoid pitfalls.

I’ll be doing a few different experiments, based on hypothetical scenarios involving a fictitious organisation that I’ll refer to as Juice Shop, and whose operational systems will be exactly the simple architecture of OWASP Juice Shop.

For this first experiment, I’ll consider a scenario in which I assess the risk posed by ransomware to the threat community of ‘Customer Support’, which I’m defining as a 20-person team working 8×5.

In the next blog posts, I’ll go through the four stages of a FAIR risk assessment, one blog post per stage. I’ll then move on to more complicated scenarios involving breaches of the customer database.

I would be very happy to receive any commentary, suggestions or challenges to the assumptions I’ll be making, and references to materials on which to base some of those assumptions.