Risk, Skydiving, Data & Secure Phone Calls

SERIES (PART 1):  Understanding and Applying the FAIR™ model as an Enterprise Cyber Risk Management Strategy

EXECUTIVE SUMMARY

This is the first in a series of posts that attempts to make sense of the multi-dimensional role of risk in business as seen through the lens of the FAIR™ modeling system. As an acronym for Factor Analysis of Information Risk, FAIR may sound esoteric, but in the end it actually simplifies the task of information risk identification and mitigation. Each upcoming post in this series will focus on individual elements and the application of the FAIR model, with a specific focus on how it can be used to both uncover and evaluate the impact of otherwise anonymous negative forces finding their way into organizations’ telephone networks.

RISK

\ risk  \

1: possibility of loss or injury : PERIL

Such a simple word, “risk,” one that easily slips into everyday comments: “I’d risk my life for her” or “Don’t risk your savings on that” or “Smoking increases the risk of lung cancer.”

But the fact is, quantifying “risk” is not so easy. It can be viewed through different lenses, such as Physical Risk (possibility of personal injury), or Financial Risk (possibility of possession/monetary loss).  Even then, “possibility” is an entity of unclear edges. Simply walking outside has an element of risk that most rational humans never even consider.

Skydiving, in comparison, has a much more certain and measurable exposure to risk. We know this because skydiving deaths have been recorded and reported by the United States Parachute Association (USPA) every year since 1961, the most recent report from 2020 noting that .39 percent of every 10,000 jumps resulted in fatalities. Skydiving enthusiasts can judge for themselves whether those numbers are significant enough to abandon the sport, but at least they can make those decisions based on solid data with reasonably predictable outcomes. The factors that may contribute to an individual parachutist’s personal risk exposure are also relatively straightforward: skill level, weather conditions, and equipment integrity. Gravity, of course, is a given.

For business, making decisions around perceived risks gets trickier. Successful businesses, in fact, depend on the assumption of some risk. Risk is at the heart of innovation. It is assumed with every investment, budget decision, staff adjustment and ROI projection. It is also inherently amorphous, a possibility, but not a certainty, of loss vs. benefit based on both known and unknown influences, controllable and uncontrollable forces, predictable and unpredictable behaviors.

So how does one measure a possibility? More importantly, how do businesses, when evaluating the level of risk in their operations and strategy decisions, move from “possibility” to “probability” so that loss-mitigating actions can be taken with confidence?

In the words of Jack Jones, Chief Risk Scientist and Co-founder of RiskLens, “When we have a lot of good empirical data regarding the frequency and magnitude of loss events, it’s relatively straightforward to derive what our likely future loss experience is going to be. This is the insurance industry’s bread and butter. Unfortunately, measuring probable loss exposure becomes much more difficult when data is sparse and/or when historical data is of questionable value due to frequent changes in the risk landscape. In these instances, we’re forced to derive risk by making informed and calibrated estimates of the factors that contribute to loss event frequency and magnitude. But what are those factors and, of equal importance, what are their relationships to one another so that we can derive risk effectively?”

Clearly, having enough data gathered over time to be statistically relevant is an essential element of risk management. But the harder job is parsing that data into smaller, identifiable subsets that, themselves, reveal correlations and consistencies that are key to puzzling out the true source of risk threats and the areas of specific vulnerability for the organization.

For 35 years Mutare’s primary focus has been empowering businesses through innovative communication technologies that both grow and sustain our customer base. In the process, we have accumulated a trove of knowledge and data related to business-to-business, employee-to-employee, and business-to-customer communications that supports and directs our own development efforts. None of those advances would be possible without the breakthrough technology that ushered in the digital revolution which, as we all know, is behind so many positive advances in communications channel integration, mobility and efficiency.

But, as history has shown, with every great advance in technology comes a new set of challenges. The transition from hardware-heavy enterprise voice systems to today’s cloud-based digital Voice over Internet Protocol (VoIP) connectivity is no exception.

It was only a matter of time before opportunists and cybercriminals would start to leverage the ease and anonymity afforded them through cheap Internet-based communication pathways, not only to flood phone systems with unwanted calls, phone solicitations, scam calls and robocalls, but also to gain access to a targeted organization’s data, employees, and financial assets. Hardly a week goes by when we don’t read about a scam, vishing or ransomware cyber-attack leveled against a prominent business or organization. And those are just the ones that are high-profile enough to make the news. Similar intrusions are targeting businesses across the globe on a daily basis.

We now know there is a cost behind every unwanted call entering an organization’s voice network. And there is a risk, a possibility, of loss beyond the mere disruption caused by those calls. It’s just harder to measure because, unlike gravity, the anonymous forces that drive unwanted voice traffic are constantly changing, and there is no single defense, no physical parachute of protection, to blunt the impact.

What we also know is there are emerging strategies and methodologies that can now be used to more clearly identify the various hidden risks embedded in enterprise voice traffic and, more importantly, actually quantify an individual organization’s level of risk exposure, loss potential and resistance strength. In upcoming posts, we will delve more deeply into the revelations gleaned from our work with enterprise voice networks and network protection and examine the relevance of the FAIR™ (Factor Analysis of Information Risk) model, widely accepted as the premier Value at Risk (VaR) framework for information cybersecurity and operational risk analysis and management.

To be clear, we will be entering into a realm that is complex and dynamic, where certainty is not a guarantee.  However, the information contained here should serve as a trustworthy guide for organizations serious about replacing blind guesswork with a data-driven approach to cyber-risk mitigation.

After all, even the most confident skydiver knows not to take a chance on a bad pilot.

Janet O'Brien

Senior Writer

About the Author

Janet O’Brien joined the Mutare family in 2007 following 25+ years as a career writer, editor, photographer, and marketing specialist for an array of public and private organizations throughout the Chicago area. She has a passion for helping organizations tell their stories and has found in Mutare’s brilliant technology, caring people, and devoted fans, a virtual anthology of inspiration. Read more at mutare.com, or feel free to share your own stories on LinkedIn.