So, I said I would do a “Risk Analysis” of Trump’s executive order using an actual risk framework to prove the order was dumb and where/why/how it was dumb. Here it is! I used FAIR! (Note: I used a single data point here, because that’s all this analysis needed – I just go through control relationships and impact types mostly – but despite the snarky tone, the analysis is legit and if someone runs with this and fills in all the factors with actual numbers, that would likely be a fun exercise – I’d love to see what the actual estimated ALE is.)
In FAIR (Factor Analysis of Information Risk), the expression of risk is in the form of the “Probable frequency and magnitude of loss” due to a weakness. It is a useful model for many things, including identifying whether a perceived weakness is actually a weakness in terms of your own appetites and, interestingly, what effect controls have on your risk and how they affect each other.
I’m not going to introduce the whole model here and lot of this is paraphrased, so a quick overview is probably helpful. If you’re not familiar with FAIR, start with Risk Lens’ “FAIR on a Page” (it’s also an open standard, which you can read about at the Open Group’s website).
Moving on: In the model (an ontology, see above), you have a “Loss Frequency” measure and a “Loss Magnitude” measure. Each of those measures is determined by a number of factors. These factors include things like “Threat Event Frequency” and “Vulnerability”. Each of these factors are themselves composed of other factors (e.g. “Contact Frequency” and “Probability of Action” combine to estimate “Threat Event Frequency”).
On the right side of the ontology, “Loss Magnitude” is split into “Primary Loss” (costs that happen every time a threat event is successful) and “Secondary Loss” (costs which could occur for a subset of Loss Events and which come from impacts to other stakeholders not accounted for in Primary Loss). Think: A bank loses customer data and has to do incident response (primary loss) and sometimes must also provide free credit monitoring to those customers (secondary loss).
While this model is clearly geared for “information security”, it’s actually pretty useable for reasoning through other “risk” scenarios.
For instance, why is the Trump executive order on banning immigrants….dumb? Can we express this clearly and show the interplay between factors that gets us to “dumb” in a rational way? Yes! Ill walk you through it! Refer back to Risk Lens’ “FAIR on a Page” if you need to:
The first thing we need to do is determine threat event, threat community, loss events, and assets. Based on the executive order, we can say this:
- Asset: US interests inside its borders
- Threat Community: Anyone from one of the 7 countries
- Threat Event: Attempted Terrorist Attack inside US borders
- Loss Event: Successful Terrorist Attack inside US borders
- Secondary Loss: The consequences and responses to a successful terrorist attack inside US borders (this is important)
So, with that said, let’s run through the ontology:
1. Loss Event Frequency: None. We have never experienced any successful attacks inside US borders from this threat community here and there’s no evidence to think it will soon. “0 Loss Events” x “Any magnitude of loss” = “No Loss, No Risk”. Normally, if we just wanted to know the immediate and probably future risk, we could stop here: We know how often loss occurs and we know that an executive order cant reduce “0” any further. But we also want to examine what could change and if the executive order will help manage THAT totally speculative future problem, so we will look below the surface to…
2. Threat Events (Loss Event SubFactor 1): Because Loss Event Frequency is so low, it doesn’t really matter how often folks TRY to cause loss if theyre rarely successful (NO control can keep the level at “Never successful”). But perhaps of Threat Events go up enough, we will experience a noticeable increase in Loss Events? This makes sense…but to understand whether this will happen and whether the executive order will help, we have to understand the two Threat Event Factors:
A. Contact Frequency (Threat Event Subfactor 1): How often is the threat community in contact with US assets in the border? Pretty often! We have lots of folks from all over the world in this country. Trump’s Executive order keys in on this factor in particular. If we reduce contact frequency, we will reduce the number of threat events, which will reduce the number of loss events! (From..again… “0” to…less than 0?)
B. Probability of Action (Threat Event SubFactor 2): We do have a Threat Community that comes in FREQUENT contact, but they rarely, if ever take action. In fact, given how high the contact frequency is vs successful threat events (ie, loss events), we can say the Probability of Action is VERY low (if it weren’t low, we’d be seeing more successful attacks) – so low that, unless something changes to increase probability of action, we are at very low risk from this threat community (remember this for later: What could change the probability of action?)
3. Vulnerability (Loss Event SubFactor 2): Ok, so…that’s Threat Event Frequency…. What about our Vulnerability in the face of Threat Events? Maybe theyre trying a lot and just not successful? If that’s the case, then Trump’s executive order STILL doesn’t have an impact, because it attempts to control for “Contact Frequency” and does not affect either of “Vulnerability”’s two factors: Required “Threat Capability” and “Resistance Strength”. The Executive order doesn’t increase the tools/skills needed by bad guys and it doesn’t make our Assets (people, infrastructure) particularly more resistant to attacks in the fact of someone who chooses to take action. We MAY be able to improve this, but Trump’s order doesn’t speak to it and given the low Loss Event Frequency it probably isn’t necessary for this Threat Community
There we have it: Loss Event Frequency – very low and Trump’s order doesn’t really speak to it anyway. What about Loss MAGNITUDE? Here is gets interesting:
1. Primary Loss Magnitude: This is what the immediate aftermath of an attack would be for the US. If anyone gets in and does damage, Trump’s order does nothing to minimize that magnitude or impact. Once it happens, it happens. Having a smaller Threat Community doesn’t make the pain or cost less later. So this is a null factor.
2. Secondary Loss Frequency and Magnitude: Woah! :) Here we have a problem. Because it turns out Trump’s Order IS A SECONDARY LOSS in FAIR terms. It is a RESPONSE to prior terrorist attacks. Because we were attacked, someone used FEAR (not rationality) to justify keeping folks out of the country. Families. Children. Scientists. Injured. It was insensitive to entire nations of people who were Not already likely to take action (based on the Loss Event Frequency analysis). But, what happens if you find your son or daughter couldn’t get medical treatment because of this? What happens if you find your family split up over this? What happens if your radical organization can turn to you and say “Look, we were right, these people are assholes and don’t want you”? What happens is THE PROBABILITY OF ACTION INCREASES FROM NOT ONLY THE ORIGINAL THREAT COMMUNITY, BUT OTHERS. In other words, people otherwise unlikely to take action before are angrier as a result of trumps actions and are now more likely to act against the US, thereby increasing future primary and secondary losses.
Summary (in case it wasn’t clear):
- Trump’s order does not minimize our vulnerability
- Trump’s order reduces the “Contact Frequency” of a threat community who has never been a demonstrated source of losses to the US internally
- The only significant impact on US risk that Trump’s order actually has is that it likely INCREASES the probable future frequency and magnitude of loss to the united states (it’s risk) by increasing the probability of action factor without affecting the others either way
Conclusion: After a FAIR Risk Analysis of Trump’s order, it turns out it was indeed DUMB.