CIS RAM and FAIR integration

By Denny Wan

Peer reviewed by Chris Cronin

Synopsis

The Center for Internet® Security Risk Assessment Method (CIS RAM)[1] is a documented process for conducting risk assessments that address requirements for security, business, regulations, and duty of care requirements. It also assists in the selection and prioritisation of safeguards discussed in the CIS Controls framework. Results are expressed as a risk score in an ordinal scale of 1-25. It is proposed to integrate the Open Group FAIR framework[2] into the risk quantification process to produce risk scores on a continual scale expressed as statistical distributions. Continual scale is better suited for the calculation of Return on Investment (ROI) on the proposed safeguards.

CIS RAM principles

 CIS RAM helps organizations determine whether security controls are reasonable given the potential harm that may come to others, and the burden those controls may pose to an organization. CIS RAM is based on the Duty of Care Risk Analysis (DoCRA) standard[3] which expresses risk in terms that are equally meaningful to security technicians, business management, and legal authorities that interpret negligence and regulatory compliance using ‘due care’ and ‘negligence’ constructs. Developed in the United States, and applicable to other national legal systems, DoCRA principles address the need to demonstrate balance between risk to the public, and the business goals of organizations that pose that risk. The three principles in the Duty of Care Risk Analysis (DoCRA) standard are:

  1. Consider the interests of all parties that may be harmed by the risk
  2. Reduce risks to an acceptable level
  3. Safeguards must not be more burdensome than the risks they protect against

The application of these principles to CIS RAM is depicted below:

CIS RAM Principles

Furthermore, CIS RAM assesses risk impact from multiple dimensions reflecting the organisational mission, objectives and obligations. The highest impact score amongst these dimensions is then used to calculate the risk score by multiplying it with the likelihood as depicted below:

CIS RAM impact score calculation

The final risk scores are expressed in an ordinal scale of 1-25 which is subject to interpretation by assessors and reviewers of the risk analysis. Potential differences in interpretation can lead to communication gaps in the risk management process, particularly when the risk analysis and recommendations on safeguards are to be presented to audiences not familiar with the targeted risk areas.

Integration with the Open Group FAIR framework

The Open Group FAIR framework is a commonly accepted cyber risk quantification framework using a published risk taxonomy and risk analysis standard to describe the risk quantification approach. The resultant risk score is expressed in a continual scale expressed as statistical distributions. The FAIR Risk Taxonomy and associated loss exceedance curve are depicted below:

FAIR Taxonomy

FAIR Taxonomy

Loss exceedance curve

Loss exceedance curve

Mapping of CIS RAM terminology to the FAIR framework:

No alt text provided for this image

The FAIR quantification approach allows reviewers of the risk analysis to understand the assumptions and data sources used to derive the risk score. The expression of the risk score as a statistical distribution facilitates the calculation of ROI on the proposed safeguards as depicted below:

ROI of cyber security management investments

Sample calculation of the ROI in cyber security management investments

A quantified risk analysis approach

The Integration between CIS (Controls and RAM) and the FAIR framework is depicted below:

FAIR integration with CIS RAM

By combining FAIR and CIS RAM, we could present a risk assessment method that more objectively evaluates risk and ROI while also demonstrating due care for others.

This whitepaper is available for downloaded here[4].

About the author

Denny Wan is the principal consultant of Security Express and has over 20 years’ experience in cyber risk management, audit and infrastructure design. He is a certified PCI QSA and CISSP. Denny is chair of the Sydney Chapter of the FAIR Institute and a postgraduate research at Optus Macquarie University Cyber Security Hub researching into cyber insurance pricing strategies. He is a frequent speaker and presenter at information security conferences and events.

About the reviewer

Chris Cronin is an ISO 27001 Auditor and has over 15 years of experience helping organizations with policy design, security controls, audit, risk assessment and information security management systems within a cohesive risk management process. Chris is Chair of The DoCRA Council and the principal author of CIS Risk Assessment Method (RAM). He is a frequent speaker and presenter at information security conferences and events. Chris earned his Masters of Arts from Case Western Reserve University.

[1] https://learn.cisecurity.org/cis-ram

[2] http://www.opengroup.org/subjectareas/security/risk

[3] https://docra.org/

[4] https://www.securityexpress.com.au/wp-content/uploads/2019/03/CIS-RAM-FAIR.pdf

Find the original article here: https://www.linkedin.com/pulse/cis-ram-fair-integration-denny-wan/