FAIR Example

(Sist oppdatert: $Date: 2011-09-22 10:29:43 +0200 (Thu, 22 Sep 2011) $)


FAIR analysis of laptop system

Only a single risk is discussed as an example. The analysis is not intended to be perfect, and has not been proof read. Therefore, there may be omissions, typoes, insufficient arguments, etc.

However, the expected structure, of doing the risk factors one at a time, with a bit of care, should be clear. As this is a rather commonplace loss event, it is worth doing the analsysis to this level of details.

Risk 1. Loss of mobile unit

The most obvious risk to a laptop system is loss of the mobile unit, one way or another.

TEF Threat Event Frequency

The mobile unit is in contact with potential threat agents several times a day, often for most of the day, as the user works out of his own office and home.

There are a number of related threats, including

The potential thiefs are not very likely to act; most people are honest after all. Unless the box is unattended, some skill and determination is required to act. The threat event frequency seems unlikely to exceed once in a century.

A typical student seems to leave the unit unattended most days for up to 1h, leaving a contact situation which requires little skill from a potential thief. An expected threat event frequency of once in 10--20 years seems reasonable.

The threat of dropping the unit (to destruction) or forgetting it in a public place, are other threat variations with a reasonable expected threat frequency of once in 10--20 years.

Control Strength

There are no effective controls to prevent someone from stealing an unattended unit; no locks or special software are installed. A name tag on the box gives a chance of recovering a box left behind, unless it is stolen first.

LEF Loss Event Frequency

With two separate threat events with a TEF of once in 10--20 years, and only one subcase with any significant control, the total LEF should be around once in 10 years.

Loss Magnitude

Asset Loss Factors

The laptop has a replacement cost of about 10000 NOK.

There is little criticality, as the user has an old, but still useable laptop with all essential data stored on a git server, allowing work to continue almost without interruption.

There are two potential sensitivity concerns. Firstly, there are some private photos could be embarrasing. Secondly, there are cached passwords for external services.

Threat Loss Factors

The fundamental threat action is Deny Access, meaning that the user can no longer use a lost computer. However, there are additional actions which the threat agent may take.

Some attackers may also decide to misuse cached passwords or disclose embarrasing photos. The impact of such actions are very hard to assess, as it depends on exactly which services are compromised and how the threat agents choses to disclose pictures.

In theory, data could be modified before the unit is returned.

It is hard to imagine any harm from simple unauthorised access, unless information is also disclosed, misuesed, or modified.

All threats are external as it is a single user system.

Competence is not an issue for the deny access action, nor does disclosure (of embarassing photos) require much. However, misuse does require considerable competence.

Organisational Loss Factors

Detection is unlikely to be an issue. The unit is in almost continuous use, and loss will be detected almost immediately.

There are good responsive controls, with a reserve computer and backup mechanisms. It will almost certainly cost a day to recover and reconfigure necessary data on the reserve system, and another one or two days on a new replacement system, for a total cost of 2--3 days of work.

In the event of disclusure or misuse, it is important to change passwords with all possible external services. This can be done quickly as detection is so quick, but it is uncertain if the awareness and routines to actually do it are in place.

Due diligence is not a concern since no liability is anticipated.

Timing may be a factor, if an incident occurs immediately before a deadline, as a day may be lost in order to recover data. However, such worst-case timing is unlikely.

External Loss Factors

External Loss Factors are not a concern with relation to the loss factors discussed above. None of the possible external factors have an interest in a simple student system.

Probable Loss Magnitude

Worst-case loss occurs if the loss compromises external services. Many things must go wrong for this to happen; the attacker must act quickly, before password is changed, and he must find the most valuable external services and recover the password. This requires a competent threat agent, where most agents would only want the hardware. The impact is potentially unlimited, but extremely unlikely. Maybe 1\% of attackers have the motivation and competence to disclose or misuse data, which would make this a once in a millenium event.

The probable loss magnitude is 10000 NOK to replace hardware plus 2--3 days of work to recover data.

Hans Georg Schaathun / hasc@hials.no
$Id: portfolio.php 3470 2011-09-22 08:29:43Z georg $