CXOWARE has already brought to market FAIRiq; an application that is leading an evolutionary advancement in quantitative information security and operational risk management for large corporate environments.  FAIRiq is built as the foundational decision-analysis application enabling an organization to measure economic loss associated with information security & operational risk.  The application is designed with flexible data export capability which makes it a nice compliment to the leading GRC applications on the market.

If you’d like to hear more about this new adventure I am beginning, please reach out!

Cheers.

See the presentation deck embedded below:

Calibration

We used FAIR to analyze the risk associated with the use of a underwater camera housing while scuba diving.

- Asset(s): The housing itself and of course the camera inside
- Threat: Water Pressure - interesting challenge is that this threat is not uniform. The pressure changes from 0-30ft is 200x. Any 30ft additional below that is around 50%.
- Threat Event Frequency - isn’t # of dives per year rather the number of pressure changes (based on 30ft increments). We calculated a range of # of dives per year. Then a range related to depths per dive and finally calculated a TEF range for Min, M/L, and Max Pressure Changes per year.
- Vulnerability - We used data from customer reviews on housing to gather a % of failures. But this is a percent based on population of owners over their total TEF. This lead to some more fun calculations.

- Primary Losses - Included Replacement and Response Costs. Replacement costs were pretty straightforward, included whether the camera housing was under warranty. Response costs included the intrinsic and practical costs associated with this loss event.
- Secondary Losses - We did not calculate any.

Well first let’s briefly discuss what the purpose of the analysis was. The person whom I was working with is an active diver and recently added the diving camera and housing as an add-on to their homeowner insurance policy. There were also options (more expensive) to get a policy on the equipment from a diving-related entity. The question was whether the cost of insuring the equipment was a good decision.

The homeowner insurance policy add-on cost around $10 a year**.
The diving specific insurance policy cost was over $100 a year.
**The homeowner was a general add-on and would additionally cover theft of the equipment, which wasn’t included in the diving specific policy.

Here was the quantitative results from the FAIR analysis:

What we gather from the analysis is the following:
- A loss event (which means the leaking of a camera housing) has a low probable frequency (about once every 30 years).
- A loss event when it does occur will likely cost around $3000.
- The forecasted annualized loss exposure is about $100.

Based on this information, the homeowner’s insurance add-on is a great deal. The scuba-specific entity’s policy actually appears to be fairly well calculated.

What a interesting, practical and let’s be honest fun scenario to model!

See below for the embedded deck:
*Note: I walked through 2 key examples within FAIRiq which is not part of the slides.

FAIR Scoping

Read the article here: http://blogs.cisco.com/security/a-fair-way-to-assess-security-risk/

Cisco has found, just like Redpoint Risk has, that FAIR can provide clients with truly valuable information and understanding of risks.

For those who already have been through FAIR training - please feel free to share this with any of your colleagues who may be interested.

Attend the training and you will have the capability to:
· Make risk based prioritization decisions
· Quantify IT security risk in $$$
· Make a compelling business case for IT security initiatives
· Compare compensating controls, aid in vendor selection.

“Security’s value proposition is its ability to affect risk (the frequency and magnitude of loss). As a result, those professionals who understand both security and risk are able to bridge the gap, provide exceptional value, and distinguish themselves from their peers.” Jack Jones, Inventor of FAIR.

For a detailed course agenda and to register for an upcoming class please visit: http://www.cxoware.com/training/

Apply the 25% Discount by using the following promotion code: SPRING25

If you have any questions or would like to discuss other FAIR related topics, please contact me.

Its a great source of Risk & Infosec data.

Download the report here: http://t.co/rpqwUVyA

Short answer…. Maybe.

Let’s be transparent this is not a sales pitch nor a convincing argument. It is an attempt to be honest and save both of us resources & time. With any problem, there are multiple possible options. We hope to represent one option under consideration.

Now that we have that clear; back to the initial question: Why work with Redpoint Risk?

The true question you need to ask yourself is:
Which of the following approaches is right for you?

Traditional Risk Management Firm
Operates in this order: WHAT -> HOW -> WHY. 
They tell you what they can do for you. 
Then they explain how they can accomplish it.
They then *sometimes* explain why you should do this in the first place. But more often than not this justification is less than desirable: ex. “To meet regulatory requirements.”

vs.

Redpoint Risk
Operates in opposite of this approach:
We start with the real WHY and then the HOW which as an outcome produces the WHAT.

It may seem trivial but in the end WHAT (pun intended) they will accomplish will be significantly different from the WHAT we will end up as a result of our approach, even if it sounds similar. They are driven by the WHAT and that direction is honestly simplier (read as ‘easier’) than ours. Case in point: There are well-established, traditional, and generally accepted qualitative risk frameworks that these firms can help you efficiently adopt. This is HOW they may help you can accomplish your goal.

If your comfortable with the first option, then let me go back to my stated attempt and save us both time and resources. Redpoint Risk is not the best firm for you to work with.

But I am concerned at the end you will little to no additional value from WHAT you were doing before, and you may start questioning WHY you did this in the first place.

Our Approach Our Belief in our order:

WHY: We believe that risk management has one central purpose: making better, well-informed decisions.

HOW: We work with our clients to:
- Educate them on how to consisently define, break-down, and understand risk and its related components
- Show that risk can & should be communicated in the language of business; dollars & cents
- Leverage FAIR to quantitatively measure risks
- Design a Risk program where FAIR aligns with an appropriate risk management framework
- Build credibility when speaking about risk among business leadership by making risk analysis defensible and informative
- Enable an organization’s leadership to see risk as tangible, measureable, and an important component of decisions.

WHAT: By working with Redpoint Risk; we together will design, develop and build an effective and valuable risk management program.

I hope you now understand a little bit more about Redpoint Risk’s approach. If this sounds like the objectives you want to accomplish related to risk within your organization, let’s begin a discussion.

If you were one of the 20 professional participants or are interested to hear more, feel free to reach out to me.

Love this !

Credit: Alan Webber from Rules of Thumb