By Denny Wan
Peer reviewed by Chris Cronin
Synopsis
The Center for Internet® Security Risk Assessment Method (CIS RAM)[1] is a documented process for conducting risk assessments that address requirements for security, business, regulations, and duty of care requirements. It also assists in the selection and prioritisation of safeguards discussed in the CIS Controls framework. Results are expressed as a risk score in an ordinal scale of 1-25. It is proposed to integrate the Open Group FAIR framework[2] into the risk quantification process to produce risk scores on a continual scale expressed as statistical distributions. Continual scale is better suited for the calculation of Return on Investment (ROI) on the proposed safeguards.
CIS RAM principles
CIS RAM helps organizations determine whether security controls are reasonable given the potential harm that may come to others, and the burden those controls may pose to an organization. CIS RAM is based on the Duty of Care Risk Analysis (DoCRA) standard[3] which expresses risk in terms that are equally meaningful to security technicians, business management, and legal authorities that interpret negligence and regulatory compliance using ‘due care’ and ‘negligence’ constructs. Developed in the United States, and applicable to other national legal systems, DoCRA principles address the need to demonstrate balance between risk to the public, and the business goals of organizations that pose that risk. The three principles in the Duty of Care Risk Analysis (DoCRA) standard are:
- Consider the interests of all parties that may be harmed by the risk
- Reduce risks to an acceptable level
- Safeguards must not be more burdensome than the risks they protect against
The application of these principles to CIS RAM is depicted below:
Furthermore, CIS RAM assesses risk impact from multiple dimensions reflecting the organisational mission, objectives and obligations. The highest impact score amongst these dimensions is then used to calculate the risk score by multiplying it with the likelihood as depicted below:
The final risk scores are expressed in an ordinal scale of 1-25 which is subject to interpretation by assessors and reviewers of the risk analysis. Potential differences in interpretation can lead to communication gaps in the risk management process, particularly when the risk analysis and recommendations on safeguards are to be presented to audiences not familiar with the targeted risk areas.
Integration with the Open Group FAIR framework
The Open Group FAIR framework is a commonly accepted cyber risk quantification framework using a published risk taxonomy and risk analysis standard to describe the risk quantification approach. The resultant risk score is expressed in a continual scale expressed as statistical distributions. The FAIR Risk Taxonomy and associated loss exceedance curve are depicted below:
FAIR Taxonomy
Loss exceedance curve
Mapping of CIS RAM terminology to the FAIR framework:
The FAIR quantification approach allows reviewers of the risk analysis to understand the assumptions and data sources used to derive the risk score. The expression of the risk score as a statistical distribution facilitates the calculation of ROI on the proposed safeguards as depicted below:
Sample calculation of the ROI in cyber security management investments
A quantified risk analysis approach
The Integration between CIS (Controls and RAM) and the FAIR framework is depicted below:
By combining FAIR and CIS RAM, we could present a risk assessment method that more objectively evaluates risk and ROI while also demonstrating due care for others.
This whitepaper is available for downloaded here[4].
About the author
Denny Wan is the principal consultant of Security Express and has over 20 years’ experience in cyber risk management, audit and infrastructure design. He is a certified PCI QSA and CISSP. Denny is chair of the Sydney Chapter of the FAIR Institute and a postgraduate research at Optus Macquarie University Cyber Security Hub researching into cyber insurance pricing strategies. He is a frequent speaker and presenter at information security conferences and events.
About the reviewer
Chris Cronin is an ISO 27001 Auditor and has over 15 years of experience helping organizations with policy design, security controls, audit, risk assessment and information security management systems within a cohesive risk management process. Chris is Chair of The DoCRA Council and the principal author of CIS Risk Assessment Method (RAM). He is a frequent speaker and presenter at information security conferences and events. Chris earned his Masters of Arts from Case Western Reserve University.
[1] https://learn.cisecurity.org/cis-ram
[2] http://www.opengroup.org/subjectareas/security/risk
[3] https://docra.org/
[4] https://www.securityexpress.com.au/wp-content/uploads/2019/03/CIS-RAM-FAIR.pdf
Find the original article here: https://www.linkedin.com/pulse/cis-ram-fair-integration-denny-wan/