By John Linford, Forum Director, The Open Group Security Forum and Open Trusted Technology Forum
The Open Group Security Forum is thrilled to announce the publication of an update to the Open FAIR™ Body of Knowledge (BoK). The Open FAIR BoK comprises The Open Group Risk Taxonomy (O-RT) Standard and The Open Group Risk Analysis (O-RA) Standard. The Open Group initiated a standards effort regarding FAIR ~10 years ago, and these standards define the official, open, vendor-neutral, and consensus-developed definition of FAIR.
The update to the Open FAIR BoK brings O-RA to Version 2.0 and brings O-RT to Version 3.0. O-RT was the document originally brought into The Open Group Security Forum, and O-RA was created afterward. This then led to O-RT being updated to Version 2.0. As a result, there were several discrepancies and much redundancy between the documents. This time, the Security Forum made a concerted effort to update the documents side-by-side, removing the discrepancies and eliminating redundancy as much as possible.
Although this update to the Open FAIR BoK brings both O-RA and O-RT to new versions, there was not a substantial change to content in either document; rather, the documents were restructured to allow better introduction and description of current content.
This blog post is the third of three in a series to describe updates to the Open FAIR™ Body of Knowledge. It will describe specific updates to O-RT to bring it to Version 3.0. The first post described revisions made to both O-RA and O-RT for consistency between the documents; the second post described specific updates to O-RA to bring it to Version 2.0.
Updates to The Open Group Risk Taxonomy (O-RT) Standard
The Open FAIR BoK Update Working Group focused on refining and clarifying terms and definitions presented within O-RT to make them more easily understandable, particularly to those new to Open FAIR.
One of the first ways this was done was by tying the definitions for risk management, risk assessment, and risk analysis to those from ISO Guide 73:2009. Open FAIR remains a risk analysis standard that fits well within other risk assessment and risk management approaches. Crucially, the “risk management stack” remains unchanged—Open FAIR provides the risk model used to provide meaningful measurements that then allow effective comparisons and well-informed decisions based on those comparisons, culminating in effective management.
Figure 1: Risk Management Stack
As another update intended to improve understandability, the Open FAIR definition for risk—the probable frequency and probable magnitude of future loss (also known as “loss exposure”) that a Primary Stakeholder will bear within some defined time period—was shifted to the very beginning of Section 4.0: Technical Requirements within O-RT. Shifting the definition earlier allowed better introduction of the Open FAIR risk taxonomy. The taxonomy itself did see one small change: Within Loss Magnitude, “Primary Loss” was renamed to “Primary Loss Magnitude” to better align with the components of Secondary Loss.
Figure 2: High-Level Risk Taxonomy Abstraction
By introducing risk earlier in the document, O-RT can now better define risk and its measurement. Open FAIR defines risk as resulting in a loss and does not consider speculative risk that generates either a loss or a gain—this is a new clarification. Additionally, O-RT now clarifies that Open FAIR risk factors are assumed to be independent and identically distributed—in other words, each risk factor has the same probability distribution as the others, and all are mutually independent. This had previously been implicit in Open FAIR but never stated.
After clarifying that a risk measurement is an estimate of the likelihood and impact of adverse events (losses), O-RT also clarifies that risk measurements are never predictions—they are estimates that can be accurate or inaccurate, depending on whether the observed loss event matches the estimated results.
With these core ideas established, O-RT moves into breaking down the Loss Event Frequency and Loss Magnitude sides of the taxonomy.
While little changed in descriptions of Loss Event Frequency, there were several refinements.
The subsection on Vulnerability now states that “susceptibility” is an accepted synonym for Vulnerability—however, the normative term for the Open FAIR Certification Exam will remain Vulnerability. Moreover, estimation of Vulnerability was clarified:
- It can be estimated by observing the fraction of Threat Events that become Loss Events.
- It can be derived from knowing or estimating the Threat Capability and the Asset’s Resistance Strength to that Threat Capability and then estimating or simulating the probability that the Threat Capability exceeds Resistance Strength.
Descriptions of Threat Capability and Resistance Strength were also refined to ensure they relate to each other. Both are still measured as a percentile.
- Threat Capability is the probable level of force (as embodied by the time, resources, and technological capability) that a Threat Agent is capable of applying against an Asset.
- Resistance Strength is the strength of a Control as compared to the Threat Capability.
Finally, after presenting and defining all of the Loss Event Frequency factors, a summary table is included.
| Loss Event Frequency Factor | Description | Unit of Measure |
| --- | --- | --- |
| Loss Event Frequency | Probable number of economic losses within a given time period | Events per unit time (e.g., events per year); or the probability of a single Loss Event in a given timeframe (e.g., 20% chance within the next year) |
| Threat Event Frequency | Probable number of Threat Agent attempts at creating a loss within a given time period | Events per unit time (e.g., events per year); or the probability of a single Threat Event in a given timeframe (e.g., 20% chance within the next year) |
| Vulnerability | Probability that a Threat Event becomes a Loss Event; probability that Threat Capability is greater than Resistance Strength (Synonym: Susceptibility) | Probability (between 0 and 1, or measured as a percentage between 0% and 100%) |
| Contact Frequency | Probable number of times a Threat Agent contacts the stakeholder’s Asset within a given time period | Events per unit time (e.g., events per year); or the probability of a single Contact Event in a given timeframe (e.g., 20% chance within the next year) |
| Probability of Action | Probability that a Contact Event becomes a Threat Event | Probability (between 0 and 1, or measured as a percentage between 0% and 100%) |
| Threat Capability | The relative ranking of a Threat Agent’s skill, resources, and time within a Threat Community | Percentile (0-100) |
| Resistance Strength | The ability to resist a Threat Community’s range of skills, resources, and time | Percentile (0-100) |
Table 1: Loss Event Frequency Factors
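The two estimation routes for Vulnerability described above, and the way the Table 1 factors combine into a Loss Event Frequency, carried through numerically. This is an added example, not code from the standard or from The Open Group; the contact counts, observed event counts, and the min/most-likely/max percentile estimates (sampled with a triangular distribution) are constructed assumptions.

```python
"""Open FAIR Loss Event Frequency factors, worked numerically (added example).
All values are constructed for illustration, not taken from the standard."""
import random
from typing import Sequence

def vulnerability_observed(threat_events: int, loss_events: int) -> float:
    """Route 1: fraction of observed Threat Events that became Loss Events."""
    if threat_events <= 0 or not 0 <= loss_events <= threat_events:
        raise ValueError("need threat_events > 0 and 0 <= loss_events <= threat_events")
    return loss_events / threat_events

def vulnerability_derived(tcap: Sequence[float], rstrength: Sequence[float]) -> float:
    """Route 2: probability that Threat Capability exceeds Resistance Strength,
    estimated as the fraction of paired percentile samples (0-100) where it does."""
    if not tcap or len(tcap) != len(rstrength):
        raise ValueError("need equal-length, non-empty percentile samples")
    if any(not 0 <= p <= 100 for p in (*tcap, *rstrength)):
        raise ValueError("percentiles must lie between 0 and 100")
    return sum(1 for t, r in zip(tcap, rstrength) if t > r) / len(tcap)

def threat_event_frequency(contact_frequency: float, probability_of_action: float) -> float:
    """TEF = Contact Frequency x Probability of Action (events per unit time)."""
    if contact_frequency < 0 or not 0 <= probability_of_action <= 1:
        raise ValueError("contact frequency >= 0 and probability within [0, 1] required")
    return contact_frequency * probability_of_action

def loss_event_frequency(tef: float, vulnerability: float) -> float:
    """LEF = Threat Event Frequency x Vulnerability (events per unit time)."""
    if tef < 0 or not 0 <= vulnerability <= 1:
        raise ValueError("TEF >= 0 and vulnerability within [0, 1] required")
    return tef * vulnerability

def sample_percentiles(seed: int, low: float, likely: float, high: float, n: int) -> list:
    """Draw n percentile samples from a min / most-likely / max (triangular) estimate."""
    rng = random.Random(seed)
    return [rng.triangular(low, high, likely) for _ in range(n)]

if __name__ == "__main__":
    # Constructed scenario: 12 contacts/year, one in four acted on; 40 observed
    # Threat Events of which 10 became Loss Events.
    tef = threat_event_frequency(12, 0.25)
    v_obs = vulnerability_observed(40, 10)
    # Route 2 for the same scenario: a Threat Community estimated at the
    # 40th-80th percentile against a control estimated at the 50th-70th.
    v_sim = vulnerability_derived(sample_percentiles(1, 40, 60, 80, 10_000),
                                  sample_percentiles(2, 50, 60, 70, 10_000))
    print(f"TEF={tef:.2f}/yr  Vuln(observed)={v_obs:.2f}  Vuln(derived)={v_sim:.2f}")
    print(f"LEF={loss_event_frequency(tef, v_obs):.2f} Loss Events/yr")
```

Route 2 counts only strict exceedance, matching the table's "greater than"; a tie between Threat Capability and Resistance Strength does not produce a Loss Event.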
Similar to the section on Loss Event Frequency, few changes occurred in the Loss Magnitude section beyond clarification and refinement.
The definition and description of Loss Magnitude was strengthened: Loss Magnitude is the probable magnitude of economic loss resulting from a Loss Event (measured in units of currency). Additional clarification was added to state that Loss Magnitude is expressed as a distribution of losses, not a single value for loss, and is always evaluated from the perspective of the Primary Stakeholder, the party that bears the economic loss from the Loss Event. This emphasis on evaluating from the perspective of the Primary Stakeholder is now also a key trend in O-RA.
The Forms of Loss were somewhat restructured, though the terms and definitions remain the same: the definitions for the Forms of Loss are now given first, and then examples are provided—previously, examples and definitions had been intermixed. A similar approach was also taken in refining the Loss Factors. Terms are now consistently defined before examples are provided.
Although little was altered for the Asset Loss Factors beyond improvements to readability, the Threat Loss Factors saw a simplification: The Threat Loss Factor “Accomplish Assigned Mission” was removed. The Open FAIR BoK Update Working Group acknowledged that any of the other Threat Loss Factors (access, misuse, disclose, modify, deny access) could be the assigned mission of a Threat Agent. The Threat Loss Factors are now tied to the confidentiality, integrity, or availability breach caused by the Threat Agent.
| Observed Information Asset Breach | Threat Agent Exploitation Post-Breach |
| --- | --- |
| Confidentiality | Access – the Threat Agent gains unauthorized access but takes no further action beyond “having” the data. Misuse – the Threat Agent makes unauthorized use of the Asset in committing consequential losses to the Primary or Secondary Stakeholders, such as committing identity theft, setting up a pornographic distribution service on a compromised server, etc. Disclose – the Threat Agent illicitly discloses sensitive information, distributing it to other unauthorized parties. |
| Integrity | Modify – the Threat Agent creates or modifies information that makes that information or information processing inaccurate or otherwise unreliable or untrustworthy. The stakeholder bears consequential losses from using inaccurate (unauthorized) information in its business processes. |
| Availability | Deny Access – the Threat Agent prevents or denies authorized access to the Asset. This includes deleting information, taking systems offline, and ransomware-style events. |
Table 2: Threat Agent Actions following a Successful Breach
There is also now clarification that unobserved Loss Events should be considered Threat Events until the loss is observed. Additionally, this subsection on Threat Loss Factors provides better distinction between threat competence (the amount of damage a Threat Agent is capable of inflicting once the information Asset compromise occurs to the Primary or Secondary Stakeholders; affects Loss Magnitude) and Threat Capability (the relative ranking of a Threat Agent’s skill, resources, and time within a Threat Community; affects Loss Event Frequency).
The Organizational Loss Factors also saw a change, albeit a minor one: The Organizational Loss Factor “due diligence” was renamed to “reasonable care” based on feedback from industry and to avoid term confusion. The concept itself did not change substantively beyond the name change.
The External Loss Factors saw a naming change, too: The External Loss Factor “detection” was renamed to “external party detection” to ensure it is not confused with the Organizational Loss Factor “detection.” Again, the concept itself did not change beyond the renaming.
Finally, after presenting and defining all of the Loss Magnitude factors, a summary table is included.
| Loss Magnitude Factor | Description | Unit of Measure |
| --- | --- | --- |
| Total Loss Magnitude | Sum of Primary and Secondary Loss Magnitude; an economic loss | Money, currency |
| Primary Loss Magnitude | Direct economic losses associated with a confidentiality, integrity, or availability loss of information Assets | Money, currency |
| Secondary Loss Magnitude | Indirect, conditional losses associated with Secondary Stakeholders affected by the Primary Loss becoming Threat Agents and trying to cause a loss to the Primary Stakeholder | Money, currency |
| Secondary Loss Event Frequency | Conditional probability that a Primary Loss will result in a Secondary Loss | Probability (between 0 and 1, or measured as a percentage between 0% and 100%) |
| Forms of Loss | Six Forms of Loss that completely describe possible losses and can occur as a Primary or Secondary Loss: Productivity, Response, Replacement, Reputation, Competitive Advantage, and Fines and Judgments | Money, currency |
| Loss Factors | Four Loss Factors that affect magnitude of loss: Asset, Threat, Organizational, External | Dimensionless scalars, multipliers |
Table 3: Loss Magnitude Factors
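Loss Magnitude expressed as a distribution rather than a single value, with Total Loss Magnitude assembled from Primary Loss Magnitude plus a Secondary Loss Magnitude that applies only when the conditional Secondary Loss Event Frequency from Table 3 fires. This is an added example, not code from the standard or from The Open Group; the currency ranges, the 30% Secondary Loss Event Frequency, and the triangular sampling of min/most-likely/max estimates are constructed assumptions.

```python
"""Open FAIR Loss Magnitude as a distribution, per Table 3 (added example).
All currency figures are constructed for illustration, not from the standard."""
import math
import random
from typing import Sequence, Tuple

Estimate = Tuple[float, float, float]  # (minimum, most likely, maximum) in currency

def total_loss_magnitude(primary: float, secondary_occurs: bool, secondary: float) -> float:
    """Total LM = Primary LM + Secondary LM, the latter only if the Secondary Loss Event occurs."""
    if primary < 0 or secondary < 0:
        raise ValueError("loss magnitudes are economic losses and cannot be negative")
    return primary + (secondary if secondary_occurs else 0.0)

def simulate_total_loss(seed: int, primary: Estimate, slef: float,
                        secondary: Estimate, n: int) -> list:
    """Return n Total Loss Magnitude samples for one Loss Event.

    slef is the Secondary Loss Event Frequency: the conditional probability
    (0-1) that the Primary Loss triggers a Secondary Loss. The output is a
    distribution of losses, which is how O-RT says Loss Magnitude is expressed.
    """
    if not 0 <= slef <= 1 or n <= 0:
        raise ValueError("slef must be within [0, 1] and n positive")
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        p = rng.triangular(primary[0], primary[2], primary[1])
        s = rng.triangular(secondary[0], secondary[2], secondary[1])
        out.append(total_loss_magnitude(p, rng.random() < slef, s))
    return out

def percentile(samples: Sequence[float], pct: float) -> float:
    """Nearest-rank percentile (pct 0-100) used to summarize the loss distribution."""
    if not samples or not 0 <= pct <= 100:
        raise ValueError("need samples and a percentile within [0, 100]")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]

if __name__ == "__main__":
    # Constructed scenario: primary loss 20k-150k (most likely 50k), with a 30%
    # chance that it draws a secondary loss of 100k-800k (most likely 250k).
    losses = simulate_total_loss(42, (20_000, 50_000, 150_000), 0.30,
                                 (100_000, 250_000, 800_000), 10_000)
    for pct in (10, 50, 90):
        print(f"P{pct}: {percentile(losses, pct):,.0f}")
    print(f"mean: {sum(losses) / len(losses):,.0f}")
```

The P90 figure is where the secondary tail shows up; reporting only the mean would hide the shape of the distribution that O-RT asks analysts to express.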
The final substantial change to the body of O-RT was the removal of the section containing the quantitative example that utilized a qualitative scale—this example described the hypothetical scenario of a cleaning crew finding and using login credentials to access and misuse customer information. This example utilized qualitative scales and risk matrices to attempt a quantitative, Open FAIR risk analysis. The Open FAIR BoK Update Working Group agreed this section did not make sense in a taxonomy standard, and as stated in a previous post, the example is being reused, expanded on, and better explained in a new Open FAIR™ Risk Analysis Example Guide, which is currently being developed.
With the updates to the Open FAIR™ Body of Knowledge, The Open Group will now ensure that the Open FAIR™ Conformance Requirements and Configuration Document are up to date before updating the Open FAIR Certification Program and Exam.
John Linford is Forum Director of The Open Group Security Forum, known for the Open FAIR™ Risk Analysis Standard and work around Security and Zero Trust Architecture. He is also Forum Director of The Open Group Open Trusted Technology Forum (OTTF), known for the Open Trusted Technology Provider™ Standard (O-TTPS) and the Open Certified Trusted Technology Practitioner Profession (Open CTTP). John holds Master’s and Bachelor’s degrees from San Jose State University, and is based in the US.