The recent data breach at HCA Healthcare exposed more than 1 million patient records at San Antonio's Methodist Hospital. This latest incident only adds urgency to the need for awareness and vigilance against unauthorized access to company and personal information. As a long-time provider of IT services and solutions, our cybersecurity and compliance practice uses the Factor Analysis of Information Risk model, better known as FAIR™, to assess the risks in our clients' systems and prioritize their cybersecurity protection.
FAIR™ stands for Factor Analysis of Information Risk. It is a widely accepted model for analyzing cyber risk, published as an Open Group standard, that helps organizations assess and quantify the risks specific to their own environment. When applied, the FAIR™ model helps organizations understand, analyze and quantify information risk in financial terms: the probable frequency of a loss and its probable magnitude are estimated as ranges rather than guessed at as "high", "medium" or "low", so the resulting exposure can be compared directly against the cost of the controls that would reduce it.
Kept simple, the FAIR™ risk model factors risk into two main components: Loss Event Frequency (LEF) and Probable Loss Magnitude (PLM). Risk, in FAIR™ terms, is the combination of the two: how often you lose, and how much you lose when you do. What does this mean exactly?
Loss Event Frequency (LEF): LEF is the probable frequency, within a given timeframe (typically one year), at which a threat agent's actions will result in a loss. It is derived from the Threat Event Frequency (TEF), how often a threat agent acts against the asset, and the Vulnerability (V), the probability that a threat event becomes a loss event because the asset does not resist the threat agent's actions. Vulnerability in turn depends on how the threat agent's capability compares to the asset's resistance strength, that is, the strength of the controls protecting it.
Probable Loss Magnitude (PLM): PLM is the probable magnitude of loss, given that a loss event has occurred. It is determined by estimating the loss associated with each asset at risk, counting both primary losses (the direct effects on the organization, such as lost productivity, incident response and replacement costs) and secondary losses (the consequences of how outside stakeholders such as customers, partners and regulators react, including fines and judgments, lost business and reputational damage). Secondary losses are themselves weighted by how likely a given loss event is to provoke that reaction.
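To make the LEF and PLM factors concrete, here is a small Monte Carlo FAIR™ analysis in Python. It is an added example written for this page, not a FAIR Institute or Open Group tool and not our own assessment software. The scenario inputs (a hypothetical ransomware case for a mid-sized organization) are constructed for illustration, and Vulnerability is entered directly as an estimated probability rather than derived from threat capability versus resistance strength as a full FAIR™ analysis would do.

```python
"""Monte Carlo FAIR analysis using only the Python standard library.

Risk = Loss Event Frequency (LEF) x Loss Magnitude, where
  LEF = Threat Event Frequency (TEF) x Vulnerability (V)
  loss per event = primary loss + (secondary loss, if secondary stakeholders react)
Every input is a calibrated min / most-likely / max range sampled from a
Beta-PERT distribution. The scenario numbers below are constructed for
illustration, not real client data.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated range estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Beta-PERT with the usual lambda=4 weighting on the most-likely value.
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1.0 + 4.0 * (self.mode - self.low) / span
        b = 1.0 + 4.0 * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span

    def mean(self) -> float:
        # Closed-form Beta-PERT mean, used for the analytic cross-check below.
        return (self.low + 4.0 * self.mode + self.high) / 6.0


@dataclass(frozen=True)
class FairScenario:
    tef: Estimate              # threat events per year
    vulnerability: Estimate    # P(threat event becomes a loss event), 0..1
    primary_loss: Estimate     # $ direct loss per loss event
    secondary_prob: Estimate   # P(a loss event triggers a secondary stakeholder reaction)
    secondary_loss: Estimate   # $ secondary loss when it does


# Hypothetical ransomware scenario for a mid-sized organization (constructed inputs).
RANSOMWARE = FairScenario(
    tef=Estimate(2, 5, 12),
    vulnerability=Estimate(0.02, 0.05, 0.15),
    primary_loss=Estimate(50_000, 250_000, 2_000_000),
    secondary_prob=Estimate(0.2, 0.5, 0.9),
    secondary_loss=Estimate(100_000, 500_000, 5_000_000),
)


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_year(s: FairScenario, rng: random.Random) -> float:
    """One simulated year: draw LEF = TEF x V, then the loss of each event that occurs."""
    lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
    total = 0.0
    for _ in range(poisson(lef, rng)):
        loss = s.primary_loss.sample(rng)
        if rng.random() < s.secondary_prob.sample(rng):
            loss += s.secondary_loss.sample(rng)
        total += loss
    return total


def percentile(sorted_values: list, p: float) -> float:
    return sorted_values[int(p * (len(sorted_values) - 1))]


def simulate(s: FairScenario, years: int = 20_000, seed: int = 0) -> dict:
    """Annual loss distribution over many simulated years (seeded, so reproducible)."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(s, rng) for _ in range(years))
    return {
        "mean": sum(losses) / years,     # annualized loss expectancy (ALE)
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "max": losses[-1],
    }


def analytic_ale(s: FairScenario) -> float:
    """E[annual loss] = E[TEF] E[V] (E[primary] + E[secondary_prob] E[secondary]);
    valid because every factor is sampled independently."""
    per_event = s.primary_loss.mean() + s.secondary_prob.mean() * s.secondary_loss.mean()
    return s.tef.mean() * s.vulnerability.mean() * per_event


if __name__ == "__main__":
    result = simulate(RANSOMWARE, seed=7)
    print(f"analytic ALE : ${analytic_ale(RANSOMWARE):>12,.0f}")
    for key, value in result.items():
        print(f"{key:>13}: ${value:>12,.0f}")
```

With these inputs the median simulated year loses nothing (most years see no loss event at all), while the annualized loss expectancy comes out near $390,000 and the 95th-percentile year is a multiple of that. That gap between the typical year and the bad year is what FAIR™'s range-based inputs expose and a single "expected loss" figure hides; it is also where the cost of a proposed control is weighed, by lowering the Vulnerability or TEF estimate and re-running the simulation.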
Some current examples of how we apply the FAIR™ model to an integrated risk management solution include:
- Cloud Data Breach Risk Assessment: Suppose a company plans to migrate sensitive customer data to the cloud and wants to understand the financial risk of a data breach there. Using the FAIR™ model, it would estimate the Loss Event Frequency (how often it believes a breach might occur) from its own threat landscape and the cloud provider's security controls, and the Probable Loss Magnitude from the regulatory fines, the cost of notifying affected customers, and the loss of customer trust (and the business that goes with it) that a breach would produce.
- Ransomware Attack Risk Assessment: Consider an organization that has suffered several ransomware attacks and wants to invest in new security controls. With the FAIR™ model it would estimate the Threat Event Frequency from the ransomware attempts it has already seen, the Vulnerability from the effectiveness of its current controls, and the Probable Loss Magnitude from the cost of downtime, potential ransom payments and recovery costs. Re-running the analysis with each proposed control in place shows how much of that expected loss the control removes, so competing investments can be compared on a financial basis.
- Third-Party Vendor Risk Assessment: Take a company that relies on a third-party vendor to process its credit card transactions. It could use the FAIR™ model to evaluate the risk of a data breach at the vendor. The Loss Event Frequency would be based on the vendor's security practices and the threat landscape for payment processors; the Probable Loss Magnitude would consider the cost of fraud against its customers, regulatory and card-brand fines, and reputation damage.
- BYOD (Bring Your Own Device) Policy Risk Assessment: If a company is considering a BYOD policy, it might use the FAIR™ model to understand the risk it would be taking on. The Loss Event Frequency would be evaluated from the security habits of its employees and the threat landscape for personal devices; the Probable Loss Magnitude would consider the cost of data lost from a compromised personal device or of unauthorized access to company systems through one.
In each scenario, the FAIR™ model provides a structured cyber risk quantification process whose results are expressed in financial terms. This helps the company make informed decisions about where to invest in security, which risks to accept and which to mitigate.
If any of the above scenarios hits home for you, a cybersecurity risk assessment using the FAIR™ model might be the right solution. We are ready to meet with you and help protect your company from the cyberthreats it faces. To schedule your assessment or learn more about the process, please contact our team today.