March 21, 2024
Cyber Risk

How to Scope a Risk Analysis Using FAIR

To get the most business value from cyber risk quantification, follow these steps.

By Jeff Copeland

There is nothing finer than a well-constructed and thought-out risk scenario for FAIR quantitative analysis.

Risk scenarios describe in detail

  1. The asset at risk
  2. The threat actor attacking the asset and the actor’s intent
  3. The method of attack
  4. The loss to the organization

The scenario unto itself represents the culmination of an individual’s, or better yet, a group’s understanding of the problem at hand (i.e. how loss will materialize as the outcome of an attack).

If this sensation is unfamiliar to you as a risk analyst, you truly are missing out on the most important and rewarding aspects of your chosen profession.

As you see, the work ahead hinges on this one aspect of the risk analysis process. When done well, identifying and gathering the data for an analysis is straightforward, stress-free and produces a result that meets the expectations of your stakeholders. On the other hand, when done poorly, ill-conceived assumptions and rushed thinking lead to additional work and ultimately a subpar analysis.

Let’s walk through the scoping process for a FAIR analysis:


We start FAIR scoping by trying to answer the following questions:

  1. “What business unit or other grouping in the organization do we want to protect?”
  2. “What is the purpose of the analysis?”
  3. “What is the reason for, or what decision are we trying to inform?”
  4. "Is the analysis more strategic, (for instance, what are the organization’s top 10 risks) or more tactical in nature (for instance, what is the ROI on X security initiative)?"

Having these answers will let us know how broad or granular our approach should be going forward.

Business Resources

Once we have solidified the purpose of the analysis, our next move is identifying the at-risk resources or assets belonging to the business group. Business resources can include a wide range of data, business processes, and cash. For a tactical analysis, this answer is relatively straightforward. Yet for a strategic analysis, this may take some additional thought as multiple scenarios covering multiple resources may be required to sufficiently inform stakeholder decisions. In either case, we need to know:

  1. “What resources should be included?” The ultimate asset might be a data type (PII, PHI, PCI, etc.) or a critical application.
  2. “What and where is the data or asset located?”

It also doesn’t hurt to get an understanding of the volume, or amount of information contained in the database.

Threat Actors

Now that we've identified the purpose of the analysis, and the assets to be included, what threat actors should we be concerned with? Is the asset, or assets we identified most susceptible to attacks from malicious external actors (i.e. cyber criminals, general hackers, nation states, etc.) and/or internal actors (i.e. privileged insiders, both from a malicious or accidental perspective)?

It's important to keep in mind that you can scope all threat actors under the sun, but here we want to leverage the concept of possibility vs. probability. If your industry, and the asset you are scoping is of no concern or value to nation states, you end up providing little to no value to your stakeholders by gathering data and providing results that prove just that. Focus on the probable threat actors to affect the scenario you are scoping; your stakeholders will thank you.

Attack Outcomes

We can leverage the known techniques and tactics of threat actors to identify the probable attack outcomes we would expect for our risk scenario. We can:

  1. Map attack outcome to threat actor and business resource
  2. Map business resource to attack outcome and threat actor

In other words…

If (1) we start with a concern about ransomware with data exfiltration, mapping would reveal that one probable threat actor would be an APT threat actor going after sensitive personal data

If (2) we are concerned about protecting sensitive personal data, mapping would identify that one probable outcome would be ransomware with data exfiltration by an APT threat actor.

Now that we have a good understanding of the probable threat landscape that is of most concern to our analysis, how does the loss manifest itself?

Loss Event

The last component, identifying how the loss will actually take place, is probably the most critical component of them all. To a novice, this may sound like an obvious or insignificant aspect, but it will and should inform the entire analysis. An example: If conducting a DDoS attack analysis on a company’s primary retail website, what represents the loss event?

  1. Is it the inability to access the website?
  2. Is it some form of degradation?

The answer to these questions should dictate a lot, from:

  1. How frequently these types of losses are experienced?
  2. What controls are in place to reduce/mitigate the loss?
  3. What’s the resulting impact if it does occur?

There you have it. By identifying and critically thinking through each of these components, you will drastically increase your odds of scoping an analysis that meets needs of your stakeholders, while also achieving one of the finer aspects of the risk analysis process.

The SAFE One Platform Automates Risk Scenario Scoping and Analysis

Safe Security built its SAFE One risk analysis platform from the ground up to analyze FAIR scenarios. We do the heavy lifting on data collection and computation behind the screen and make risk scenario creation a point and click operation for our users.

Automated risk scenario creation. Once we have a client’s data onboard, creating a scenario (or many) is a simple sequence of selecting the business group, selecting an asset from that group, selecting the threat actor and the outcome – or simply selecting from an extensive library of prepackaged scenarios. The scenarios are all fully FAIR-compliant.

FAIR-MAM automates loss data collection. The platform incorporates the FAIR Materiality Assessment Model (FAIR-MAM) for the highest level of accuracy in loss data, updated and always-on for scenario input.

FAIR-CAM automates controls analysis. The platform also incorporates the FAIR Controls Analytics Model (FAIR-CAM) for continuous monitoring of the strength of cyber controls in a client’s environment – essential for an accurate reading on loss-event frequency.

Automated threat actor behavior analysis. The platform integrates the standard MITRE ATT&CK framework for predictive analytics to inform scenario creation.

Automated loss-event frequency and loss magnitude calculation. To put it all together, the platform generates analysis in real time for the two key data points of FAIR analysis based on industry-standard data and telemetry gathered from clients through APIs. The platform displays up-to-the-minute results for all your scenarios in a single interface.

Learn how the SAFE One platform can power your risk management program with the speed, accuracy, and high confidence of FAIR analysis, automated. Contact us for a demo.