FAIR and NIST CSF: The Chocolate in your Peanut Butter


It is not possible to swing a stick in the cybersecurity world without hitting the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). But how does the Factor Analysis of Information Risk (FAIR) standard — much less well known — fit into the mix? And why is it important?

The development of the CSF ratified a consensus that cybersecurity should operate within organizations according to the principles of risk management. The CSF promised that “using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes” (CSF p. v) would allow organizations to identify, assess, and manage cyber risk cost-effectively.

Now over half a decade into the CSF era of cybersecurity, it is fair to say that it has had a fundamental impact on the way organizations think about cybersecurity. Less clear is whether the CSF has demonstrated that its risk-based approach allows organizations to assess the cost-effectiveness of information security controls.

Into this environment comes a new Profile submitted to and published by NIST to supplement the cybersecurity community’s understanding of the CSF by integrating CSF with the Factor Analysis of Information Risk (FAIR) standard. The security organization for Cimpress, a company with over 10,000 employees and 17 business lines in the “Mass Customization” market for consumer goods, used FAIR’s quantitative method to improve its initial qualitative assessment of its business lines’ cybersecurity programs under CSF.

Practiced without additional tools, CSF does not provide a quantitative measure that allows for cost-effectiveness calculations. Cimpress’s work represents one way of applying the FAIR standard, consistently with CSF, to communicate risk outside of the security program in terms that translate to the language used by other business stakeholders. Using FAIR “turned the process into a highly measurable one that can be more easily justified in terms of budget allocation and risk tolerance.” In specific terms, the implementation of FAIR applied to one CSF subcategory of controls was measured to “yield a reduction in the expected loss for a factory related scenario of $540K, and the cost of the increase in maturity is annualized at $120K.” (See Cimpress’s two-page summary on NIST’s website for more on the implementation of FAIR into CSF.)

Realizing the promise of the CSF by adding a quantitative measurement system adds several important elements to the efficacy of the CSF outside of the cybersecurity stack. By communicating the return on investment (ROI) of a planned activity, the organization’s leadership can understand clearly why the action is recommended and what it should accomplish. These metrics can be reported up to the Board, which will find financial measures of risk and return more legible than typical cybersecurity reporting and metrics. The cybersecurity team can also clearly communicate how it prioritizes addressing gaps that a compliance-oriented audit might identify.
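To make the arithmetic behind a figure like “$540K reduction in expected loss against $120K annualized cost” concrete, here is an added example, written for this post and not taken from the Cimpress profile or from NIST, of how a FAIR-style estimate is built. It models Loss Event Frequency and Loss Magnitude as calibrated minimum/most-likely/maximum ranges (triangular distributions), computes expected annual loss both analytically and by Monte Carlo simulation, and then derives the expected-loss reduction and return on security investment for a control. Every scenario name, range and dollar figure in it is constructed for illustration; the control is assumed to reduce only how often the event occurs, not what each occurrence costs.

```python
"""FAIR-style annualized loss estimate and control ROI (added example).

FAIR decomposes risk into Loss Event Frequency (LEF, events per year) and
Loss Magnitude (LM, dollars per event). Each is estimated as a calibrated
range (minimum / most likely / maximum), modelled here as a triangular
distribution. Annualized loss is LEF x LM, computed both analytically
(from the means) and by Monte Carlo simulation to expose the tail.
Every figure below is constructed for illustration only.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Triangular:
    """Calibrated estimate: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario: how often it happens and what each event costs."""
    name: str
    lef: Triangular  # loss events per year
    lm: Triangular   # dollars lost per event

    def expected_annual_loss(self) -> float:
        # E[annual loss] = E[LEF] * E[LM] when frequency and magnitude are independent
        return self.lef.mean() * self.lm.mean()


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, seed: int = 1, years: int = 20_000) -> list:
    """Monte Carlo: for each simulated year draw an LEF, then a Poisson number of
    events at that rate, and sum an independent LM draw for each event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        events = poisson(rng, scenario.lef.sample(rng))
        losses.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    return losses


def simulated_mean(scenario: Scenario, seed: int = 1, years: int = 20_000) -> float:
    """Mean of the simulated annual losses; should track expected_annual_loss()."""
    losses = simulate_annual_losses(scenario, seed, years)
    return sum(losses) / len(losses)


def percentile(values: list, pct: float) -> float:
    """Empirical percentile (0-100) by nearest rank; used for the tail of annual loss."""
    ordered = sorted(values)
    index = min(len(ordered) - 1, max(0, math.ceil(pct / 100 * len(ordered)) - 1))
    return ordered[index]


def control_roi(before: Scenario, after: Scenario, annual_control_cost: float):
    """Expected-loss reduction from the control and its return on security investment."""
    reduction = before.expected_annual_loss() - after.expected_annual_loss()
    rosi = (reduction - annual_control_cost) / annual_control_cost
    return reduction, rosi


# Constructed scenario (hypothetical): a production-line outage caused by a
# security incident, before and after raising maturity in one CSF subcategory.
# The control is assumed to cut event frequency; the cost per event is unchanged.
OUTAGE_LM = Triangular(100_000, 250_000, 800_000)
BEFORE = Scenario("factory outage, current maturity", Triangular(0.5, 2.0, 6.0), OUTAGE_LM)
AFTER = Scenario("factory outage, target maturity", Triangular(0.3, 1.2, 2.5), OUTAGE_LM)
ANNUAL_CONTROL_COST = 120_000  # constructed annualized cost of the maturity increase


if __name__ == "__main__":
    for scenario in (BEFORE, AFTER):
        losses = simulate_annual_losses(scenario)
        print(f"{scenario.name}: analytic expected loss ${scenario.expected_annual_loss():,.0f}, "
              f"simulated mean ${sum(losses) / len(losses):,.0f}, "
              f"90th percentile year ${percentile(losses, 90):,.0f}")
    reduction, rosi = control_roi(BEFORE, AFTER, ANNUAL_CONTROL_COST)
    print(f"expected loss reduction ${reduction:,.0f} per year; ROSI {rosi:.0%}")
```

The analytic product of the means is what a one-line business case reports; the simulation is what lets a board member ask the follow-up question (“what does a bad year look like?”) and get a defensible answer, and the recorded ranges are the assumptions an auditor or successor can later revisit.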

The most effective way to implement this measurement approach would allow for a single measure of risk for the entire information security program that business leaders can interrogate to learn where the risk actually lies and how to cost-effectively reduce it. This advanced level of quantitative risk management requires a well-designed and comprehensive program that will provide a complete record of all the assumptions that underlie the analysis that leads to the risk values. Only if done with a comprehensive approach can the final result provide a basis for making cybersecurity decisions across the organization.

Contact us to let us know if you are embarking on a comprehensive quantitative cybersecurity risk assessment so we can work with you and assist with the processes and tools that ensure success.

P.S. For those who read all the way to the bottom, an Easter Egg hinted at by the image at the top. The Hewlett Foundation sponsored a competition for more vital and useful imagery around cybersecurity and has just awarded the winners of that competition. The images are all available for use under the Creative Commons Attribution 4.0 International (CC BY 4.0) license and available for download here. These images add a lot to the otherwise available visual vocabulary for cybersecurity, and I hope to see a lot more of them!

Adam Bobrow