Cyber Risk Quantification Models: FAIR? vs. GRAACE?

INTRODUCTION

This article (updated on April 5, 2024) picks up where I left off in, Modeling Cybersecurity . In that article I defined modeling, the reason for building models, the difficulties of using Excel for modeling cybersecurity, why modeling cybersecurity is important, and alternative cybersecurity models.

I then discussed the two high-level types of cybersecurity risk analysis models - qualitative and quantitative. This included a comparison of the Risk Matrix (heatmap) to the Loss Exceedance Curve which is especially relevant to publicly traded companies who must adhere to the SEC cybersecurity rule.

In this article I discuss the similarities and differences of two cyber risk quantification models – FAIR? and GRAACE?.

While FAIR is the best-known approach to cyber risk quantification, it has not fulfilled its promise due to the lack of a useful model for "Loss Event Frequency," i.e., the probability of a loss event occurring within a specified time period. This limits FAIR's ability to support decision-making for prioritizing and justifying alternative control investments.?

GRAACE directly addresses the Loss Event Frequency issue using Monaco Risk’s patented Cyber Defense Graph? which factors control efficacy in the context of attack surfaces, threats, and the path distribution of threats.

At the same time, GRAACE retains traditional risk management concepts such as:

• Risk being a function of the probability of a loss event occurring and its impact.
• Decomposition, i.e., breaking down a complex system into simpler components whose factors can be more accurately estimated
• Monte Carlo simulation to understand the impact of uncertainty in predicting future events.
• Loss Exceedance Curves to show the full range of probable losses resulting from cyber incidents.

Given the recent regulatory changes and aggressive prosecution by the SEC and other Federal agencies, CISOs need a more credible model and a simpler process to defend their cybersecurity investment decisions and collaborate with business leaders who must treat cyber risk as business risk.

FAIR vs GRAACE

FAIR stands for Factor Analysis of Information Risk. FAIR brought traditional risk concepts and techniques to the cybersecurity domain. These include (a) defining risk as the probability and impact of a loss event, (b) decomposition, (c) applying ranges to capture the uncertainty of estimating risk factors, and (d) using Monte Carlo simulation to calculate outputs.

The figure below shows the first level of the risk ontology shared between FAIR and GRAACE.

GRAACE stands for Graph-based Risk Analysis of Aggregate Control Effectiveness. It’s pronounced grace. Here is a description of the key terms:

• Risk: Risk is a function of the probability (frequency or likelihood) and financial impact (magnitude) of loss events that result from a series of tactics and techniques exploiting vulnerabilities, weakness, and/or control deficiencies.
• Control: We use Control to include any people, process, or technology that is, or could be, deployed to reduce the risk of a loss event. Controls are integral to the GRAACE model. In other words, controls are factors modeled in simulation software. This enables GRAACE to compare alternative control investments, including budget reductions and the impact of exceptions, and other CRQ use cases, more credibly, to the status quo in dollars.
• Graphical: Attack surfaces, threats, and the attack paths the threats take into and through an organization are visually represented using Monaco Risk’s patented Cyber Defense Graph? software. Rather than consider controls simply as a list of safeguards or requirements, they are mapped to the graph. Each control’s efficacy is analyzed in the context of the strength and volume of threats to reveal Critical Path Weaknesses.
• Aggregate Control Effectiveness: The Cyber Defense Graph software calculates each control’s contribution to risk reduction and how an organization’s portfolio of controls works together, i.e., the Aggregate Control Effectiveness, to reduce the risk of loss events.

GRAACE addresses FAIR’s major limitation, which is on the Loss Event Frequency (LEF) side. FAIR does NOT analyze control efficacy. In fact, attack surfaces, threats, attack paths, and controls are not actually factors in FAIR. It uses the notions of Threat Capability and Resistance Strength to calculate Vulnerability (now called Susceptibility by Jack Jones to avoid the confusion between the FAIR definition of Vulnerability and the security industry standard definition of vulnerability) which are not actual measures of any real-world factors. In other words, FAIR provides no defensible way of correlating threats with controls.

GRAACE's Aggregate Control Effectiveness is in fact the inverse of Susceptibility, i.e., (1 - Susceptibility.)

On the Loss Magnitude side, GRAACE uses Loss Exceedance Curves to show the full range of probabilistic financial losses of loss event scenarios. But getting there is simpler with GRAACE because it avoids the complications and potential confusion surrounding FAIR’s Primary Losses and Secondary Risk with a more straightforward set of Financial Loss Components.

FAIR vs. GRAACE Functionality Summary Comparison

Here is a chart summarizing the functional similarities and differences between FAIR and GRAACE:

CYBER RISK MODELING USE CASES

After showing the functional similarities and differences between FAIR and GRAACE, we can now evaluate the two models for “fitness of purpose.” Here is a list of the problems we look to solve with Cyber Risk Quantification:

Use Case #1: Collaborating with business leaders to justify control investments. This includes justifying increases in budget or limiting decreases in budget during an uncertain economic environment. A credible discussion with business leaders requires modeling the controls for which budget requests are made. ?GRAACE – Yes. FAIR – No.

Use Case #2: Fostering cooperation between the cybersecurity team and IT, networking, and software development teams by enabling them to take credit, in dollars, for reducing cyber-related business risk. Since the IT, networking and software development teams are implementing controls or remediating control deficiencies, it would be helpful to model controls to show risk reduction in dollars. GRAACE – Yes. FAIR – No.

Use Case #3: Prioritizing control investments when designing/updating the organization’s defense-in-depth architecture. This is primarily a decision-making process within the security team. Therefore, to be useful, control effectiveness should be modeled against the organization’s attack surfaces, threats, and attack paths. GRAACE – Yes. FAIR – No.

Use Case #4: Moving from Compliance-based Risk to Risk-based Compliance. Rather than treating risk analysis as just another compliance requirement, use risk analysis to drive the overall security program including meeting compliance requirements. This requires modeling the complexity of cybersecurity in a meaningful way which requires controls, attack surfaces, threats, and attack paths to be specific factors in the model. GRAACE – Yes. FAIR – No.

Use Case #5: Analyzing exception requests. Business process owners regularly request exceptions to security policies. These include delaying patch implementations, exceptions to firewall rules, and onboarding vendors who do not meet third party vendor policies. While business leaders understand the business values of their requests, they also need to understand the increased risks associated with their exception requests. Since these requests revolve around controls, security teams need a model that includes controls. GRAACE – Yes. FAIR – No.

The table below summarizes the fitness of purpose of GRAACE vs FAIR for the five use cases:

GRAACE ONTOLOGY EXPLAINED

The figure below shows the GRAACE ontology:

What follows is a brief description of each of the key elements of the GRAACE Ontology.

Risk: Loss Event Taxonomy

A problem that often arises when performing cybersecurity risk assessments is determining whether you have addressed all of the possible loss event types. For the last four years, Monaco Risk has been maintaining and updating a Loss Event Taxonomy that exhaustively covers all cyber loss event types.

During this period, the number of loss event types has grown from the initial 11 to 16. They are categorized as follows: (1) Exposure of Sensitive Information, (2) Business Disruption, (3) Direct Monetary, Business, or Resource attack, and (4) Non-compliance, audit, or liability.

We’ve made the Loss Event Taxonomy available at no charge under a Creative Commons license. Please contact me and I will send you the document.

Loss Event Frequency: Cyber Defense Graph?

The Cyber Defense Graph? simulation software is Monaco Risk’s approach to decomposing Loss Event Frequency that is useful to cybersecurity teams and credible to business leaders.

The Cyber Defense Graph decomposes what FAIR calls Vulnerability (now called Susceptibility by Jack Jones) into identifiable Attack Surfaces and Paths through the organization and specific measurable factors that affect Loss Event Frequency: Threat Strength, Threat Path Distribution, Controls Effectiveness, and SOC Strength.

GRAACE replaces FAIR's Threat Event Frequency with third-party loss data categorized by industry and organization size as starting point to calculate an organization's Loss Event Frequency Data.

The Cyber Defense Graph statistically simulates controls' abilities to detect and block threats entering and moving along attack paths through the organization.

The Cyber Defense Graph is based on MITRE ATT&CK?. Therefore it can use the outputs of automated Governance Controls like Attack Simulation, Risk-based Vulnerability Management, Security Control Posture Management, Process Mining, and automated Compliance solutions, to improve the accuracy of its inputs.

The figure below is a partial example of a Cyber Defense Graph. Each graph models a specific loss event scenario such as business disruption due to ransomware. It visualizes the relationships among the controls, threats, attack paths and the distribution of threats along the attack paths.

The threats enter at the left edge and move along the arrows. Each control along a path, based on its specific capabilities, can block, or at least detect, some percentage of threats that traverse that path. Threats that controls do not block arrive at the far right of the graph and represent successful attacks, i.e., loss events.

Critical path weaknesses are shown by each control’s shade of red. The darker the shade, the weaker the path. This provides the security team with indicators of where improvements could be made.

Sensitivity (Tornado) Chart. In addition to the Critical Path Weakness graph shown above, the Cyber Defense Graph software generates a Sensitivity Chart which shows the relative importance of individual controls. It’s commonly referred to as a tornado chart due to the overall pattern of the bars.

The bars to the left of the center line show the percentage decrease in Aggregate Control Effectiveness if the control was removed. The bars to the right show the percentage increase in Aggregate Control Effectiveness if the control was implemented with complete Coverage and a high level of Governance.

Loss Magnitude – Financial Loss Components

Monaco Risk’s Loss Event Taxonomy provides four categories of Financial Loss Components which relate directly to the loss event types: (1) Direct Monetary Loss, (2) Lost Revenue, (3) Increased Costs, and (4) Liability & Regulatory. The full list of ten Financial Loss Components is available with the Loss Event Taxonomy under a Creative Commons license. Glad to send upon request.

HOW TO USE GRAACE

GRAACE is more than a quantitative cybersecurity risk model. It's also a process which consists of three phases: (1) Identify the loss events of concern to business leaders, (2) Baseline current cyber posture using the Cyber Defense Graph, and (3) Run what-if scenarios on control changes to show financial impact in support of the use cases itemized above.

The GRAACE 3-Phase Process Explained

Phase 1: Identify Loss Event Scenarios of concern to business leadership. Security teams can initiate risk assessments by focusing on assets, threats, vulnerabilities, or risks. However, to bridge the Security Metrics - Business Risk Gap, CISOs and business leaders must establish a mutual understanding of business goals and the critical cyber-related risks that can impede or prevent the organization from meeting those objectives.

The top two risks are typically disruption of revenue-generating business processes and the exfiltration of sensitive data. While there are more Business Email Compromise (BEC) loss events, the financial impact is manageable.

Monaco Risk has developed a Loss Event Taxonomy to assure that all potential loss event types are reviewed. It’s available to anyone under a Creative Commons license.

Here's how using Risks (loss events) of concern to business leaders bridges the gap:

1. Business leaders concentrate on discovering opportunities for revenue and profit growth, while taking into account the potential risks that could hinder or delay their attainment. Given that cyber risk is inherently tied to business risk, CISOs can establish meaningful collaboration with business executives by framing cyber risks in the context of their organizations' business initiatives.
2. The business leaders of publicly traded companies are now compelled to discuss cyber risks in 10-K filings due to the SEC security rule (S7-09-22) released in July 2023. Furthermore, the lawsuit filed against SolarWinds and their CISO Tim Brown puts more pressure on CISOs to collaborate with business leaders to think about cybersecurity in terms of risks to the business.
3. CISOs can enhance their credibility by connecting their security teams' achievements, such as improvements in controls and the remediation of control deficiencies, to reductions in the specific risks of concern to business leaders, expressed in financial terms.
4. CISOs are more likely to secure budget approvals when they tie their requests to reductions in risk, quantified in dollars, associated with the loss events of concern to business leaders.

Phase 2: Generate Baseline Cyber Posture.? As mentioned above, our internally developed and patented Cyber Defense Graph software runs a statistical simulation that captures the complex interaction of 1) attack surfaces, (2) threats of different strengths and capabilities using MITRE ATT&CK? as a guide, (3) overlapping attack paths to assets, (4) the distribution of threats along attack paths, and (5) controls deployed at different levels of efficacy, coverage, and governance.

Issues (weaknesses, vulnerabilities, control deficiencies) are surfaced for remediation prioritization and cost justification in Phase 3.

To simplify and reduce the effort needed to generate the baseline cyber posture, Monaco Risk provides templates and default values for controls, attack paths, threat strength, and threat path distribution.

Phase 3: Run What-If Scenarios to support use cases. The simulation software runs what-if scenarios representing alternative options to support decision-making for the five use cases discussed above. We anticipate clients having additional use cases we have not thought of.

The software generates visualizations that display alternatives compared to the baseline (status quo) in dollars using Loss Exceedance Curves. LEC charts show business leaders the long-tail aspect of cybersecurity loss events.

For more information on Loss Exceedance Curves please refer to my previous LinkedIn article entitled, Cybersecurity Models .

CONCLUSION

GRAACE represents the next generation of cybersecurity risk quantification modeling by addressing the key limitation of FAIR - how Susceptibility is decomposed and calculated.

GRAACE provides a more realistic model of cybersecurity by factoring attack surfaces, threats, attack paths, the path distribution of threats, and controls, while retaining traditional risk analysis factors including probability, impact, Monte Carlo simulation, and Loss Exceedance Curves.

GRAACE provides an exhaustive list of loss event types and a straightforward set of financial loss components.

GRAACE provides a simplified 3-phase process for conducting quantified cyber risk analysis.