Introduction to FAIR
Factor Analysis of Information Risk
                         by

  Patrick Florer, Principal Consultant




              April 28, 2010


               © 2010 Aliado Accesso LLC
Let’s talk about risk




Factor Analysis of Information Risk (FAIR)
                                 Definition of Risk
risk (rĭsk) [French risque, from Italian risco, rischio.]
1. The possibility of suffering harm or loss; danger.
2. A factor, thing, element, or course involving uncertain danger; a hazard.
3. The danger or probability of loss to an insurer.
4. The amount that an insurance company stands to lose.
5. The variability of returns from an investment.
6. The chance of nonpayment of a debt.
7. One considered with respect to the possibility of loss: a poor risk.


from The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2006, 2000
by Houghton Mifflin Company



Factor Analysis of Information Risk (FAIR)
             Definition of Risk

                risk:
                 Risk is the possibility of suffering harm or loss. It
                is the potential for realizing unwanted negative
                consequences of an event. It refers to a situation
                where a person could do something undesirable
                or a natural occurrence could cause an
                undesirable outcome, resulting in a negative
                impact or consequence.


                from An Introduction to the OCTAVESM Method by Christopher
                Alberts and Audrey Dorofee, Software Engineering Institute,
                Carnegie Mellon University; last updated January 30, 2001



Factor Analysis of Information Risk (FAIR)
                                  Definition of Risk

risk:


The probable frequency and probable
magnitude of future loss.


from the Factor Analysis of Information Risk (FAIR),
©2008 Risk Management Insight, LLC




Factor Analysis of Information Risk (FAIR)
                                 IT-Related Risk
The net mission impact considering:
1. The probability that a particular threat-source will exercise (accidentally
   trigger or intentionally exploit) a particular information system vulnerability, and
2. The resulting impact if this should occur.

IT-related risks arise from legal liability or mission loss due to:
1. Unauthorized (malicious or accidental) disclosure, modification, or
    destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and
    operation of the IT system.

from NIST Special Publication 800-30 (2002 edition)




And now, let’s talk briefly about a few other
 concepts that will be important in helping
           you to understand FAIR




Factor Analysis of Information Risk (FAIR)
                             Possibility vs. Probability
What’s the difference?
Possibility –
“capable of happening, existing, or being true without contradicting proven
facts, laws, or circumstances known to be true”
Probability –
“The likelihood that a given event will occur”
And, in statistics -
“A number expressing the likelihood that a specific event will occur, expressed
as the ratio of the number of actual occurrences to the number of possible
occurrences”
(All quotes from the American Heritage Dictionary of the English Language, Fourth Edition)




Factor Analysis of Information Risk (FAIR)
                    Possibility vs. Probability

Possibility – a set of outcomes, sometimes binary – yes or no – something that
could happen.

Understanding the possibilities does not necessarily require data, just a
knowledge of possible outcomes

Probability – a mathematical calculation with a result where 0 <= P(x) <= 1
Probability is sometimes expressed as a percentage (0 – 100%), or as a proportion
(3 out of 4; stated as odds, the same thing is 3 to 1)

Probability calculations require data – either actual/historical or estimates




Factor Analysis of Information Risk (FAIR)
                        Possibility vs. Probability
Using a coin as an example …

          The possibilities are …

          The probabilities are …

Knowing the possibilities does not, in any way,
allow you to predict whether the coin will come
up heads on the next toss, or on any particular toss.

Knowing the probabilities does not allow you to
do this, either, but it does allow you to predict,
within a narrow range, how many heads will come
up if you toss the coin a large number of times.



Factor Analysis of Information Risk (FAIR)
                                  Precision vs. Accuracy
What’s the difference?
Precision –
“the ability of a measurement to be consistently reproduced”


Accuracy –
“the ability of a measurement to match the actual value of the quantity being
measured”



(All quotes from the American Heritage Dictionary of the English Language, Fourth Edition)




Factor Analysis of Information Risk (FAIR)
                       Precision vs. Accuracy
Why does this matter?
Precise and accurate –
This would be great, but it is often not achievable.
Precise but not accurate –
My watch may run exactly 10 minutes slow, day after day, with
great precision. If you ask me the time, I will confidently tell you
the wrong time, to the minute.
Accurate but not precise –
My watch runs slow at times and fast at times. If you ask me the time, I will likely
say "it's about 10:00 o'clock" – imprecise, perhaps, but right, and good enough for the
circumstances.
For risk analysis this means that a range which contains the true value is worth more
than a single precise number that misses it.



Factor Analysis of Information Risk (FAIR)
          Qualitative vs. Quantitative Methods
What’s the difference?
Qualitative – low, medium, high, or red, yellow, green, or 1 – 5, etc.
Good for some types of quick assessments and quick prioritizations.
But -
Variability in assessment is a problem, both between different assessors and with
the same assessor over time: one person's "medium" is another person's "high".
Qualitative ratings are ordinal labels, not quantities, so they cannot be manipulated
arithmetically: a likelihood of 3 times an impact of 4 is not 12 of anything, and
"high" plus "high" has no meaning.
Qualitative scales are problematic near the boundaries: a small change in the
underlying estimate flips the rating from one bucket into the next.
Most of the time, when making a qualitative assessment, the assessor has a
number in mind anyway – why not just use the number?




Factor Analysis of Information Risk (FAIR)
          Qualitative vs. Quantitative Methods
What’s the difference?
Quantitative –
Uses cardinal numbers – everyone understands numbers
3 means 3 and $100k means $100k.
You can add, subtract, or do whatever you wish with numbers –
you don’t have to guess!
But –
Quantitative approaches require data, either actual/historical, or
estimated.
This may or may not be as big a problem as you might think!




Factor Analysis of Information Risk (FAIR)
                            Measurement
What’s the purpose of taking a measurement?
To reduce uncertainty.
Sometimes the “perfect” answer is unattainable.
But, in many cases, it doesn’t matter.
A reduction in uncertainty is what is required.


How much do we need to reduce uncertainty?
Only as much as required by the decision at hand.


And if we cannot reduce uncertainty to that level, then what?
We can either collect more measurements, or work with what we have.


Factor Analysis of Information Risk (FAIR)
                              Variability and Uncertainty
What’s the difference?


“Variability is the effect of chance and is a function of the system. It is not
reproducible through either study or further measurement, but may be reduced
by changing the physical system” 1


“Uncertainty is the assessor’s lack of knowledge (level of ignorance) about the
parameters that characterize the physical system being modeled. It is sometimes
reducible through further measurement or study, or by consulting more experts” 1

1   David Vose, Risk Analysis, A Quantitative Guide, 3rd edition, 2008, pp. 47-48




So, now that we have addressed all of that –
              What is FAIR?




Factor Analysis of Information Risk (FAIR)
                        Defensible Risk Analysis
• Framework of interconnected models that describe how key elements of the
  information risk landscape work.

• Models that analyze the underlying dynamics of the information risk landscape.

• Developed in 2001 and under continual evolution, FAIR was created by a CISO who
  was trying to find answers to:

    • How much risk do we have?

    • How much less/more risk will we have if ...?

    • What are our most significant issues?




Factor Analysis of Information Risk (FAIR)
                       Defensible Risk Analysis

Future development underway in 2009-2011 by Aliado Accesso:
    • Decision Analytics based upon the Value of Additional Information

    • Opportunity Risk applications

    • Risk Analysis SaaS delivered by the Aliado Accesso web portal (under
      development)

    • Risk Analysis Training via CBT and instructor-led courses




Factor Analysis of Information Risk (FAIR)
                     How is FAIR Different

• Emphasis on Risk

• Logical and Rational Framework

• Quantitative

• Flexible

• Rigorous

• Repeatable




Factor Analysis of Information Risk (FAIR)
                         FAIR is being used to…
• Prioritize risk issues for metric development and analysis

• Identify and compare risk mitigation cost-benefit propositions

• Design sophisticated what-if analyses

• Business case development for security and risk management initiatives

• Strategic development of a risk and security program while augmenting current
  risk frameworks

• Opportunity Risk analysis

• Breaking down communication barriers between business units and IT security,
  enabling well-informed business decisions



Factor Analysis of Information Risk (FAIR)
The Relationship between Primary and Secondary Loss:

Primary loss is what the organization itself incurs when the event happens
(replacing the laptop, rebuilding the user's environment, lost productivity).
Secondary loss comes from the reactions of outside stakeholders (customers,
regulators, partners) once they learn that data was exposed, and it only arises
when the data was actually readable by whoever ended up with the device.

Scenario – a laptop is lost or stolen
1) Encryption, no sensitive data – small primary loss, no secondary loss
2) Encryption, sensitive data – small primary loss, no secondary loss
3) No encryption, no sensitive data – small primary loss, no secondary loss
4) No encryption, sensitive data – small primary loss, large secondary loss

Note that encryption does nothing for the primary loss; its entire value in this
scenario is the secondary loss it removes from case 4. Case 2 holds only if the
encryption was actually in force when the device went missing (not powered on and
unlocked, with the keys in memory) and you can demonstrate that afterwards;
breach-notification safe harbors for encrypted data generally depend on being
able to show it.
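The following Python script is an added example, not code from the slides or from Aliado's tooling. It works the four laptop cases above through the deck's own definition of risk (the probable frequency and probable magnitude of future loss) using three-point estimates in place of historical data, as the quantitative-methods slide suggests. Every number in it is a constructed, illustrative assumption; the triangular distribution and the Monte Carlo loop are my choices (FAIR tooling commonly uses PERT-shaped estimates with Monte Carlo simulation, but the deck does not say so); and secondary loss is applied to every case-4 event, which is a simplification, since a full FAIR analysis would also estimate how often a lost unencrypted laptop actually turns into a disclosure.

```python
"""Annualized loss exposure for the lost-laptop scenario, Monte Carlo style.

Constructed example: every estimate below is illustrative, not measured data.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point (minimum, most likely, maximum) estimate of an uncertain quantity."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular is the simplest distribution that honours a min/most-likely/max
        # estimate; FAIR tooling usually uses a PERT shape, which is similar in spirit.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    encrypted: bool
    sensitive_data: bool


# Illustrative estimates (assumptions, not data from the slides).
LOSS_EVENT_FREQUENCY = Estimate(2, 5, 12)              # lost or stolen laptops per year
PRIMARY_LOSS = Estimate(1_000, 2_500, 6_000)           # per event: replacement, rebuild, lost time
SECONDARY_LOSS = Estimate(50_000, 250_000, 2_000_000)  # per event: notification, legal, fines, churn

SCENARIOS = [
    Scenario("1) encryption, no sensitive data", encrypted=True, sensitive_data=False),
    Scenario("2) encryption, sensitive data", encrypted=True, sensitive_data=True),
    Scenario("3) no encryption, no sensitive data", encrypted=False, sensitive_data=False),
    Scenario("4) no encryption, sensitive data", encrypted=False, sensitive_data=True),
]


def secondary_loss_applies(scenario: Scenario) -> bool:
    """Secondary loss needs readable sensitive data on the device (case 4 only).

    Simplification: a full FAIR analysis would also estimate how often such a
    loss actually becomes a disclosure (the secondary loss event frequency).
    """
    return scenario.sensitive_data and not scenario.encrypted


def simulate_annual_losses(scenario: Scenario, rng: random.Random,
                           years: int = 10_000) -> list[float]:
    """Simulate `years` independent years. Each year draws a count of loss events,
    then a primary (and, where applicable, secondary) loss magnitude per event."""
    annual = []
    for _ in range(years):
        events = round(LOSS_EVENT_FREQUENCY.sample(rng))  # whole events only
        total = 0.0
        for _ in range(events):
            total += PRIMARY_LOSS.sample(rng)
            if secondary_loss_applies(scenario):
                total += SECONDARY_LOSS.sample(rng)
        annual.append(total)
    return annual


def percentile(values: list[float], p: float) -> float:
    """Simple nearest-rank percentile, p in [0, 1]."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(p * len(ordered)))]


def summarize(scenario: Scenario, seed: int = 1) -> dict:
    """Mean annualized loss exposure plus a 10th-90th percentile range.

    A fixed seed makes the run reproducible; cases 1-3 then draw identical
    samples and differ from case 4 only by the secondary loss term."""
    losses = simulate_annual_losses(scenario, random.Random(seed))
    return {
        "scenario": scenario.name,
        "mean": sum(losses) / len(losses),
        "p10": percentile(losses, 0.10),
        "p90": percentile(losses, 0.90),
    }


if __name__ == "__main__":
    for s in SCENARIOS:
        r = summarize(s)
        print(f"{r['scenario']:<40} mean ${r['mean']:>12,.0f}   "
              f"p10 ${r['p10']:>12,.0f}   p90 ${r['p90']:>12,.0f}")
```

The output is a range, not a single number, which is the point of the precision-versus-accuracy slide: the 10th-90th percentile band for case 4 is wide because the secondary loss estimate is wide, and narrowing it (by collecting breach-cost data, for instance) is exactly the "reduce uncertainty only as far as the decision needs" step. Comparing the case 1 and case 4 means also gives the most this organization should rationally spend per year on full-disk encryption for that population of laptops.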




Factor Analysis of Information Risk (FAIR)
                                 About Aliado
• Mission: Develop risk analysis software and
  methodologies to deliver education, consulting, and
  certifications to the enterprise for an accurate and
  defensible risk management program.

• Founded by security professionals who have
  designed and executed enterprise security programs.

• Markets: Retail, Financial Services, Aerospace,
  Manufacturing, Government, and Education.

• Strategic Position: To be the partnering source for the ongoing development of
  your company's risk management program and the education of the people who
  execute the plan.



Factor Analysis of Information Risk (FAIR)
                          What Aliado does …
Aliado’s risk management software gives organizations the key to
translate risk loss exposure into real dollar values so that decision
makers can strategically manage their IT Security budget and
resources year after year. Our consultants can either implement a
program from scratch or validate your current program.

FAIR is a software and methodology for your
on-going risk management program.

No more:
• High/Medium/Low Categories
• Checking Boxes for Frameworks
• Implementing the Latest Security Software
• Selling by FUD




Factor Analysis of Information Risk (FAIR)
            FAIR Decision Analysis Packages

• Payment Card Industry (PCI)

• Privacy

• Application Security

• Data Loss Prevention (DLP/ILP)

• Cloud Computing

• Root Cause Analysis

• Decision Analysis


Factor Analysis of Information Risk (FAIR)
              FAIR Decision Analysis Offering

FAIR Decision Analysis Offering - $995
For the month of May, we are offering a special promotion on our FAIRLite
risk analysis offering. This assessment includes the following:
• Consult with you to perform a FAIRLite quantitative analysis of a single
  scenario.
• Provide a written summary and verbal explanation of the results.
• Within 6 months, provide a re-analysis of the same scenario with updated
  information for $295.


For more information or to sign up, please contact sales@aliadocorp.com.



Factor Analysis of Information Risk (FAIR)
                 Contact Us



                    Jody Keyser
              jkeyser@aliadocorp.com
                www.aliadocorp.com
                  1-888-373-0680





Risk Analysis Webinar

  • 1. Introduction to FAIR
    Factor Analysis of Information Risk
    by Patrick Florer, Principal Consultant
    April 28, 2010
    © 2010 Aliado Accesso LLC
  • 2. Let’s talk about risk
  • 3. Factor Analysis of Information Risk (FAIR) – Definition of Risk
    risk (rĭsk) [French risque, from Italian risco, rischio.]
    1. The possibility of suffering harm or loss; danger.
    2. A factor, thing, element, or course involving uncertain danger; a hazard.
    3. The danger or probability of loss to an insurer.
    4. The amount that an insurance company stands to lose.
    5. The variability of returns from an investment.
    6. The chance of nonpayment of a debt.
    7. One considered with respect to the possibility of loss: a poor risk.
    from The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2006, 2000 by Houghton Mifflin Company
  • 4. Factor Analysis of Information Risk (FAIR) – Definition of Risk
    risk: Risk is the possibility of suffering harm or loss. It is the potential for realizing unwanted negative consequences of an event. It refers to a situation where a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence.
    from An Introduction to the OCTAVE℠ Method by Christopher Alberts and Audrey Dorofee, Software Engineering Institute, Carnegie Mellon University; last updated January 30, 2001
  • 5. Factor Analysis of Information Risk (FAIR) – Definition of Risk
    risk: The probable frequency and probable magnitude of future loss.
    from the Factor Analysis of Information Risk (FAIR), © 2008 Risk Management Insight, LLC
  • 6. Factor Analysis of Information Risk (FAIR) – IT-Related Risk
    The net mission impact considering:
    1. The probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability
    2. The resulting impact if this should occur.
    IT-related risks arise from legal liability or mission loss due to:
    1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
    2. Unintentional errors and omissions
    3. IT disruptions due to natural or man-made disasters
    4. Failure to exercise due care and diligence in the implementation and operation of the IT system.
    from NIST Special Publication 800-30
  • 7. And now, let’s talk briefly about a few other concepts that will be important in helping you to understand FAIR
  • 8. Factor Analysis of Information Risk (FAIR) – Possibility vs. Probability
    What’s the difference?
    Possibility – “capable of happening, existing, or being true without contradicting proven facts, laws, or circumstances known to be true”
    Probability – “The likelihood that a given event will occur”
    And, in statistics – “A number expressing the likelihood that a specific event will occur, expressed as the ratio of the number of actual occurrences to the number of possible occurrences”
    (All quotes from the American Heritage Dictionary of the English Language, Fourth Edition)
  • 9. Factor Analysis of Information Risk (FAIR) – Possibility vs. Probability
    Possibility – a set of outcomes, sometimes binary – yes or no – something that could happen. Understanding the possibilities does not necessarily require data, just a knowledge of the possible outcomes.
    Probability – a mathematical calculation with a result where 0 <= P(x) <= 1. Probability is sometimes expressed as a percentage (0 – 100%), or as an odds ratio (3 out of 4). Probability calculations require data – either actual/historical data or estimates.
  • 10. Factor Analysis of Information Risk (FAIR) – Possibility vs. Probability
    Using a coin as an example …
    The possibilities are …
    The probabilities are …
    Knowing the possibilities does not, in any way, allow you to predict whether the coin will come up heads on the next toss, or on any toss. Knowing the probabilities does not allow you to do this, either, but it does allow you to predict the number of heads that will come up if you toss the coin a large number of times.
  • 11. Factor Analysis of Information Risk (FAIR) – Precision vs. Accuracy
    What’s the difference?
    Precision – “the ability of a measurement to be consistently reproduced”
    Accuracy – “the ability of a measurement to match the actual value of the quantity being measured”
    (All quotes from the American Heritage Dictionary of the English Language, Fourth Edition)
  • 12. Factor Analysis of Information Risk (FAIR) – Precision vs. Accuracy
    Why does this matter?
    Precision with accuracy – This would be great, but it is often not achievable.
    Precision (without accuracy) – For example, my watch may run 10 minutes slow with great precision. If you ask me the time, I may tell you the wrong time.
    Accuracy (without precision) – My watch runs slow at times and fast at times. If you ask me the time, I will likely say – it’s about 10:00 o’clock – imprecise, perhaps, but good enough for the circumstances.
  • 13. Factor Analysis of Information Risk (FAIR) – Qualitative vs. Quantitative Methods
    What’s the difference?
    Qualitative – low, medium, high; or red, yellow, green; or 1 – 5, etc. Good for some types of quick assessments and quick prioritizations.
    But:
    - Variability in assessment is a problem, both between different assessors and with the same assessor over time.
    - Qualitative assessments cannot be manipulated arithmetically.
    - Qualitative scales are problematic near the boundaries.
    - Most of the time, when making a qualitative assessment, the assessor has a number in mind anyway – why not just use the number?
  • 14. Factor Analysis of Information Risk (FAIR) – Qualitative vs. Quantitative Methods
    What’s the difference?
    Quantitative – Uses cardinal numbers – everyone understands numbers: 3 means 3 and $100k means $100k. You can add, subtract, or do whatever you wish with numbers – you don’t have to guess!
    But – Quantitative approaches require data, either actual/historical or estimated. This may or may not be as big a problem as you might think!
  • 15. Factor Analysis of Information Risk (FAIR) – Measurement
    What’s the purpose of taking a measurement? To reduce uncertainty. Sometimes the “perfect” answer is unattainable. But, in many cases, it doesn’t matter. A reduction in uncertainty is what is required.
    How much do we need to reduce uncertainty? Only as much as required by the decision at hand.
    And if we cannot reduce uncertainty to that level, then what? We can either collect more measurements, or work with what we have.
  • 16. Factor Analysis of Information Risk (FAIR) – Variability and Uncertainty
    What’s the difference?
    “Variability is the effect of chance and is a function of the system. It is not reproducible through either study or further measurement, but may be reduced by changing the physical system” [1]
    “Uncertainty is the assessor’s lack of knowledge (level of ignorance) about the parameters that characterize the physical system being modeled. It is sometimes reducible through further measurement or study, or by consulting more experts” [1]
    [1] David Vose, Risk Analysis, A Quantitative Guide, 3rd edition, 2008, pp. 47-48
  • 17. So, now that we have addressed all of that – What is FAIR?
  • 18. Factor Analysis of Information Risk (FAIR) – Defensible Risk Analysis
    - Framework of interconnected models that describe how key elements of the information risk landscape work.
    - Models that analyze the underlying dynamics of the information risk landscape.
    - Developed in 2001 and under continual evolution, FAIR was created by a CISO who was trying to find answers to:
      • How much risk do we have?
      • How much less/more risk will we have if ...?
      • What are our most significant issues?
  • 19. Factor Analysis of Information Risk (FAIR) – Defensible Risk Analysis
    Future development underway in 2009-2011 by Aliado Accesso:
    - Decision Analytics based upon the Value of Additional Information
    - Opportunity Risk applications
    - Risk Analysis SaaS delivered by the Aliado Accesso web portal (under development)
    - Risk Analysis Training via CBT and instructor-led courses
  • 20. Factor Analysis of Information Risk (FAIR) – How is FAIR Different?
    - Emphasis on Risk
    - Logical and Rational Framework
    - Quantitative
    - Flexible
    - Rigorous
    - Repeatable
  • 21. Factor Analysis of Information Risk (FAIR) – FAIR is being used to…
    - Prioritize risk issues for metric development and analysis
    - Identify and compare risk mitigation cost-benefit propositions
    - Design sophisticated what-if analyses
    - Develop business cases for security and risk management initiatives
    - Strategically develop a risk and security program while augmenting current risk frameworks
    - Analyze Opportunity Risk
    - Break down communication barriers between business units and IT security, enabling well-informed business decisions
  • 22–31. Factor Analysis of Information Risk (FAIR) – figure-only slides; no text was captured for these slides.
  • 32. Factor Analysis of Information Risk (FAIR) – The Relationship between Primary and Secondary Loss
    Scenario – a laptop is lost or stolen
    1) Encryption, no sensitive data – small primary loss, no secondary loss
    2) Encryption, sensitive data – small primary loss, no secondary loss
    3) No encryption, no sensitive data – small primary loss, no secondary loss
    4) No encryption, sensitive data – small primary loss, large secondary loss
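The FAIR definition from slide 5 (risk as probable frequency and probable magnitude of future loss) applied to the four laptop cases above, estimated by Monte Carlo simulation with each input given as a range rather than a point value, in the spirit of slides 15 and 16. This is an added example, not the slides' or Aliado's model; the triangular-distribution approach and every frequency and loss figure are constructed assumptions.

```python
"""FAIR-style risk (probable frequency x probable magnitude of future loss)
estimated by Monte Carlo simulation for the lost-or-stolen-laptop scenario.
Added illustration: the model and all numbers are constructed assumptions."""
import random
import statistics

# Constructed estimates as (low, most likely, high) ranges: the analyst is
# uncertain about each input, so each is a range rather than a point value.
LOST_PER_YEAR = (2, 5, 12)                 # loss events per year
PRIMARY = (800, 2_000, 5_000)              # USD per event: replace, rebuild
SECONDARY = (50_000, 250_000, 1_500_000)   # USD per event: notification, fines

SCENARIOS = {  # the four cases of slide 32; None means "no secondary loss"
    "encrypted, no sensitive data":   (LOST_PER_YEAR, PRIMARY, None),
    "encrypted, sensitive data":      (LOST_PER_YEAR, PRIMARY, None),
    "unencrypted, no sensitive data": (LOST_PER_YEAR, PRIMARY, None),
    "unencrypted, sensitive data":    (LOST_PER_YEAR, PRIMARY, SECONDARY),
}

def draw(rng, estimate):
    """Sample one value from a (low, most likely, high) triangular estimate."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)  # stdlib order is low, high, mode

def simulate_annual_loss(scenario, iterations=10_000, seed=2010):
    """One simulated annual loss total per iteration: draw the number of loss
    events in the year, then a primary (and, if present, secondary) loss each."""
    rng = random.Random(seed)
    frequency, primary, secondary = scenario
    years = []
    for _ in range(iterations):
        total = 0.0
        for _ in range(round(draw(rng, frequency))):
            total += draw(rng, primary)
            if secondary is not None:
                total += draw(rng, secondary)
        years.append(total)
    return years

def summarize(losses):
    """Mean, median and 90th percentile of the simulated annual loss."""
    deciles = statistics.quantiles(losses, n=10)
    return {"mean": statistics.mean(losses), "p50": deciles[4], "p90": deciles[8]}

if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        s = summarize(simulate_annual_loss(scenario))
        print(f"{name:31s} mean ${s['mean']:>12,.0f}  p90 ${s['p90']:>12,.0f}")
```

The three cases without secondary loss come out identical, while the unencrypted-with-sensitive-data case is dominated by secondary loss, which is the point the slide makes in words.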
  • 33–38. Factor Analysis of Information Risk (FAIR) – figure-only slides (slide 33 is marked Aliado Accesso Confidential and Proprietary, Copyright (c) 2010 Aliado Accesso, LLC); no text was captured for these slides.
  • 39. Factor Analysis of Information Risk (FAIR) – About Aliado
    - Mission: Develop risk analysis software and methodologies to deliver education, consulting, and certifications to the enterprise for an accurate and defensible risk management program.
    - Founded by security professionals who have designed and executed enterprise security programs.
    - Markets: Retail, Financial Services, Aerospace, Manufacturing, Government, and Education.
    - Strategic Position: To be the partnering source for the ongoing development of your company’s risk management program and the education of the people who execute the plan.
  • 40. Factor Analysis of Information Risk (FAIR) – What Aliado does …
    Aliado’s risk management software gives organizations the key to translate risk loss exposure into real dollar values so that decision makers can strategically manage their IT Security budget and resources year after year. Our consultants can either implement a program from scratch or validate your current program. FAIR is a software and methodology for your on-going risk management program.
    No more:
    • High/Medium/Low Categories
    • Checking Boxes for Frameworks
    • Implementing the Latest Security Software
    • Selling by FUD
  • 41. Factor Analysis of Information Risk (FAIR) – FAIR Decision Analysis Packages
    - Payment Card Industry (PCI)
    - Privacy
    - Application Security
    - Data Loss Prevention (DLP/ILP)
    - Cloud Computing
    - Root Cause Analysis
    - Decision Analysis
  • 42. Factor Analysis of Information Risk (FAIR) – FAIR Decision Analysis Offering – $995
    For the month of May, we are offering a special promotion on our FAIRLite risk analysis offering. This assessment includes the following:
    - Consult with you to perform a FAIRLite quantitative analysis of a single scenario.
    - Provide a written summary and verbal explanation of the results.
    - Within 6 months, provide a re-analysis of the same scenario with updated information for $295.
    For more information or to sign up, please contact sales@aliadocorp.com.
  • 43. Factor Analysis of Information Risk (FAIR) – Contact Us
    Jody Keyser
    jkeyser@aliadocorp.com
    www.aliadocorp.com
    1-888-373-0680