User talk:Nicksanna

From Wikipedia, the free encyclopedia

Hi Brianhe, I just found your note in my spam folder after realizing that my article was deleted. In regards to the possible conflict of interest, here are some data points: Factor Analysis of Information Risk (FAIR) is an international standard by the Open Group. I do work for RiskLens, who has built a solution leveraging the standard, but FAIR is an open standard that many other companies have adopted, mostly NOT in conjunction with our product. I can eliminate the reference to RiskLens if that avoids any possible conflict of interest. In light of this, can you please re-establish my draft that I will resubmit to you for review with the above mentioned edit? Thank you. Nick

Welcome!

Hello, Nicksanna, and welcome to Wikipedia! Thank you for your contributions.

I noticed that one of the first articles you edited was Factor analysis of information risk, which appears to be dealing with a topic with which you may have a conflict of interest. In other words, you may find it difficult to write about that topic in a neutral and objective way, because you are, work for, or represent, the subject of that article. Your recent contributions may have already been undone for this very reason.

To reduce the chances of your contributions being undone, you might like to draft your revised article before submission, and then ask me or another editor to proofread it. See our help page on userspace drafts for more details. If the page you created has already been deleted from Wikipedia, but you want to save the content from it to use for that draft, don't hesitate to ask anyone from this list and they will copy it to your user page.

One rule we do have in connection with conflicts of interest is that accounts used by more than one person will unfortunately be blocked from editing. Wikipedia generally does not allow editors to have usernames which imply that the account belongs to a company or corporation. If you have a username like this, you should request a change of username or create a new account. (A name that identifies the user as an individual within a given organization may be OK.)

Here are some pages that you might find helpful:

I hope you enjoy editing here and being a Wikipedian! Please sign your messages on talk pages using four tildes (~~~~); this will automatically insert your username and the date. If you need help, check out Wikipedia:Questions, ask me on my talk page, or ask your question on this page and then place {{Help me}} before the question. Again, welcome!

September 2015

Hello Nicksanna. The nature of your edits gives the impression you have a financial stake in promoting a topic, such as the edit you made to Factor analysis of information risk. Paid advocacy is a category of conflict of interest (COI) editing that involves being compensated by a person, group, company or organization to use Wikipedia to promote their interests. Paid advocacy is prohibited by our policies on neutral point of view and what Wikipedia is not, and is an especially egregious type of COI; the Wikimedia Foundation regards it as a black hat practice.

Paid advocates are very strongly discouraged from direct article editing, and should instead propose changes on the talk page of the article in question if an article exists, and if it does not, from attempting to write an article at all. At best, any proposed article creation should be submitted through the articles for creation process, rather than directly.

Regardless, if you are receiving or expect to receive compensation for your edits, you are required by the Wikimedia Terms of Use to disclose your employer, client and affiliation. You can post such a mandatory disclosure to your user page at User:Nicksanna. The template {{Paid}} can be used for this purpose – e.g. in the form: {{paid|user=Nicksanna|employer=InsertName|client=InsertName}}. If I am mistaken – you are not being directly or indirectly compensated for your edits – please state that in response to this message. If you are being compensated, please provide the required disclosure. In either case, please do not edit further until you answer this message. Brianhe (talk) 00:19, 26 September 2015 (UTC)

Request for undeletion

In response to your query on my talkpage. I am not an administrator and don't have the system privileges either to delete or to undelete articles. Brianhe (talk) 19:20, 17 October 2015 (UTC)

Draft article edit: Factor Analysis of Information Risk (FAIR)

Factor Analysis of Information Risk (FAIR) is the only international standard Value-at-Risk (VaR) model[1] for information security and operational risks.[citation needed] It is both a taxonomy and an ontology of the factors that contribute to risk. It is primarily concerned with quantifying information and operational risk in financial terms and facilitating effective decision-making.

FAIR is complementary to existing information risk frameworks such as NIST CSF, ISO and OCTAVE. These frameworks provide guidance on building risk management programs, but do not include methodologies for the actual quantification of information risk. FAIR can be used to strengthen, rather than replace, these frameworks.

FAIR was developed by Jack Jones, a 3x CISO and Risk Officer and the foremost authority in information risk management, following requests by business management and boards to understand their risk exposure in financial versus technical terms and help drive decisions concerning prioritization of risk mitigation efforts, security budgeting and cyber insurance coverage.

An International Standard

FAIR is recognized and promoted as an international standard by The Open Group, an international consortium and standards body, that has published the Open FAIR Body of Knowledge and the related certification process.[2]

The FAIR book

The most comprehensive guide[citation needed] to FAIR is a book, authored by Jack Jones and Jack Freund, published in late 2014 under the name "Measuring and Managing Information Risk: A FAIR Approach".[3]

Although the basic taxonomy and methods have been made available for non-commercial use under a Creative Commons license, FAIR itself is proprietary. Using FAIR to analyze someone else's risk for commercial gain (e.g. through consulting or as part of a software application) requires a license from RiskLens, Inc.[4]

FAIR Software

FAIR has been adopted by organizations to conduct risk analyses, via proprietary self-developed spreadsheets or via commercially available software.

Main concepts

FAIR[6] underlines that risk is an uncertain event and one should not focus on what is possible, but on how probable a given event is. This probabilistic approach is applied to every factor that is analysed. The risk is the probability of a loss tied to an asset.

Asset

An asset's loss potential stems from the value it represents and/or the liability it introduces to an organization.[6] For example, customer information provides value through its role in generating revenue for a commercial organization. That same information also can introduce liability to the organization if a legal duty exists to protect it, or if customers have an expectation that the information about them will be appropriately protected.

FAIR defines six kinds of loss:[6]

Productivity – a reduction in the organization's ability to effectively produce goods or services in order to generate value
Response – the resources spent while acting following an adverse event
Replacement – the expense to substitute/repair an affected asset
Fines and judgements (F/J) – the cost of the overall legal procedure deriving from the adverse event
Competitive advantage (CA) – missed opportunities due to the security incident
Reputation – missed opportunities or sales due to the diminished corporate image following the event

FAIR defines value/liability as:[6]

Criticality – the impact on the organization's productivity
Cost – the bare cost of the asset, the cost of replacing a compromised asset
Sensitivity – the cost associated with the disclosure of the information, further divided into:
    Embarrassment – the disclosure reveals inappropriate behaviour by the management of the company
    Competitive advantage – the loss of competitive advantage tied to the disclosure
    Legal/regulatory – the cost associated with possible law violations
    General – other losses tied to the sensitivity of the data

Threat

Threat agents can be grouped by Threat Communities, subsets of the overall threat agent population that share key characteristics. It is important to precisely define threat communities in order to effectively evaluate impact (loss magnitude).

Threat agents can act differently on an asset:[6]

Access – read the data without proper authorization
Misuse – use the asset without authorization and/or differently from the intended usage
Disclose – the agent lets other people access the data
Modify – change the asset (data or configuration modification)
Deny access – the threat agent does not let the legitimate intended users access the asset

These actions can affect different assets in different ways: the impact varies with the characteristics of the asset and its usage. Some assets have high criticality but low sensitivity: denial of access has a much higher impact than disclosure on such assets. On the other hand, an asset with highly sensitive data can have a low productivity impact if not available, but huge embarrassment and legal impact if that data is disclosed: for example, the availability of former patient health data does not affect a healthcare organization's productivity, but can cost millions of dollars if disclosed.[7] A single event can involve different assets: a laptop theft has an impact on the availability of the laptop itself, but can lead to the potential disclosure of the information stored on it.

The key point is that it is the combination of an asset's characteristics and the type of action against that asset that determines the fundamental nature and degree of loss.

Important aspects to be considered are the agent motive and the affected asset characteristics.
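To make the asset/action point concrete, here is an added Python example (not part of the draft and not FAIR's published material) that encodes the six loss forms and five threat actions listed above in a small Monte Carlo model and reports a mean and 95th-percentile annual loss, VaR-style. The mapping from each action to the loss forms it triggers, the use of criticality or sensitivity as a magnitude weight, and all dollar ranges are constructed assumptions for illustration only.

```python
import math, random, statistics
# The six kinds of loss listed in the draft.
LOSS_FORMS = ("productivity", "response", "replacement",
              "fines_judgements", "competitive_advantage", "reputation")
# Constructed mapping (an assumption for this example, not FAIR's ontology):
# which asset trait scales each threat action's loss, and which forms it triggers.
ACTION_DRIVERS = {
    "access":      ("sensitivity", ("response",)),
    "misuse":      ("sensitivity", ("response", "reputation")),
    "disclose":    ("sensitivity", ("response", "fines_judgements",
                                    "competitive_advantage", "reputation")),
    "modify":      ("criticality", ("response", "replacement", "productivity")),
    "deny_access": ("criticality", ("productivity", "response")),
}

def poisson(rng, lam):
    """Knuth's Poisson sampler; fine for the small yearly rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(asset, action, lef, loss_per_form, trials=10_000, seed=1):
    """Monte Carlo one-year loss for an asset/action pair -> (mean, 95th pct).
    asset = {'criticality': 0..1, 'sensitivity': 0..1}; lef = expected loss
    events per year; loss_per_form = form -> (min, most likely, max) dollars."""
    rng = random.Random(seed)
    driver, forms = ACTION_DRIVERS[action]
    weight = asset[driver]          # criticality or sensitivity scales magnitude
    yearly = []
    for _ in range(trials):
        total = 0.0
        for _ in range(poisson(rng, lef)):          # loss events in this year
            for form in forms:
                lo, mode, hi = loss_per_form[form]
                total += weight * rng.triangular(lo, hi, mode)
        yearly.append(total)
    return statistics.mean(yearly), sorted(yearly)[int(0.95 * trials) - 1]

def compare_actions(asset, lef, loss_per_form):
    """Annual (mean, 95th pct) loss for every threat action against one asset."""
    return {a: simulate_annual_loss(asset, a, lef, loss_per_form) for a in ACTION_DRIVERS}
if __name__ == "__main__":
    ranges = {f: (10_000, 50_000, 250_000) for f in LOSS_FORMS}   # constructed
    records = {"criticality": 0.1, "sensitivity": 0.9}   # the draft's patient-data case
    for action, (mean, p95) in compare_actions(records, 0.5, ranges).items():
        print(f"{action:12s} mean=${mean:>12,.0f}  95th pct=${p95:>12,.0f}")
```

Swapping the asset to high criticality and low sensitivity (an order-processing server, say) flips the ranking so that denial of access dominates disclosure, which is the asymmetry the draft describes.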