The FMEA and the analysis of cyber risk

The FMEA method is qualitative and plays a vital role in risk analysis. It is useful for drawing up a map of cyber risks, based on subjective ordinal and nominal scales. Justifying and prioritizing corrective actions, however, is far more effective when done through a quantitative analysis.

The FMEA method involves a task force whose job is to identify business risks and to search for means of prevention and correction. This method of assessing failures was developed for the industrial sector but is sometimes applied to information systems. Indeed, through FMEA, you can rank cyber risks from insignificant to unacceptable and then take the necessary preventive measures. Yet, is this collaborative risk assessment method enough to build an IT security strategy?

Christophe Forêt
President and co-founder of C-Risk

Definition of the FMEA method

FMEA was first created by the U.S. Army in the 1940s. It was later formalised, in the 1960s, by the American company McDonnell Douglas. FMEA works through the list of components of an item in order to collect data on their failures, as well as on the frequency and consequences of those failures. It has been used by NASA, by the US arms industry, and by car manufacturers such as Toyota, Ford, Nissan, Peugeot, and BMW.

What is FMEA?

FMEA stands for “Failure Mode and Effect Analysis” (FMECA, “Failure Mode, Effects and Criticality Analysis”, is sometimes used when the analysis includes a criticality assessment). This process is used to obtain a predictive analysis of the reliability of a system. It is based on:

  • Identifying the potential “failure modes” of a product / system / process, the consequences of which are likely to affect its proper functioning;
  • Assessing the risks associated with the appearance of failures, according to a criticality index;
  • Conceptualizing preventive measures and corrective actions to be carried out either during the design of the system or during its operation.

Like HAZOP analysis, FMEA offers the advantage of an exhaustive functional analysis as part of a comprehensive quality approach aimed at reaching maximum operating safety. It is also carried out by task forces which bring together different skills.

FMEA applies readily to IT systems as part of the risk management of cybersecurity breaches. Its main objective is indeed to detect security or reliability deficiencies in a system.


Different types of Failure Mode and Effect Analysis

The theory generally differentiates between two types of FMEA:

  • Design FMEA seeks to measure the reliability and safety of a product early in its design;
  • Process FMEA applies the same analysis to processes and must ensure the quality of the product during its production.

Some analysts add two further types to these two traditional ones: Machinery FMEA, which focuses on the production chain, and FMEA-MSR, whose purpose is to analyze failures that occur while the customer is using the product.

More generally, FMEA applies to systems, and in some instances to information systems.

Who is FMEA for?

In general, FMEA meets the expectations of companies that want to ensure the reliability, maintainability and security of a system or product. It is also a process that qualifies your organization for certifications and ensures compliance with certain reference documents. Here are a few fields of application:

  • Design FMEA is used in the manufacturing industry to create construction plans and schematics for the purpose of obtaining patents;
  • Process FMEA helps to calibrate quality control;
  • Machinery FMEA is useful for establishing production line maintenance guides;
  • Analyzing the risks associated with flows helps to design inventory management plans.

What are the benefits of Failure Mode and Effect Analysis?

The main objective of FMEA is to design preventive or corrective actions. It is a deductive approach: it systematically catalogues the failure modes in the operation of a product or system and analyzes the causes and effects of those failures. It helps reduce the potential risks linked to a system, for instance the cyber risks related to your information systems.

Companies that use FMEA to ensure their computer security aim to continuously improve their information system in order to limit the occurrence of failures. They examine the consequences of cybersecurity failures by performing tests. Then they rank the various cyber risks they have identified by examining their frequency, severity and detectability. This is why it works well alongside cyber risk mapping methods.


When should you carry out an FMEA?

FMEA is used either before the launch of a system, so as to avoid failures, or after real failures have been identified, in order to consider corrective measures.

Why should you apply FMEA to cybersecurity?

FMEA makes it possible to detect risks of failure and, by extension, to detect and qualitatively assess specific malicious threats. It can then be used to formulate a first remedial action plan. Justifying and prioritising investments will, however, call for a quantitative approach.

The FMEA and the analysis of cyber risk

FMEA was originally a method supporting the quality approach in the industrial sector. It is based on detecting failure modes, each of which is assigned a criticality level calculated from the occurrence, the possibilities of detection and the severity of the risk. However, it is not a suitable tool for a quantitative forecast of the potential financial losses associated with a given cyber risk.
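To make the criticality index concrete, here is an added example (not from the article or from C-Risk) of a small FMEA worksheet for cyber failure modes, scored on the conventional 1-10 ordinal scales for Severity, Occurrence and Detection and ranked by the product RPN = S × O × D; the components, scores and action threshold are constructed, and the ordinal scores say nothing about financial loss, which is exactly the limitation the section describes.

```python
# Added example, not the article's own: an FMEA-style worksheet for cyber
# failure modes ranked by Risk Priority Number (RPN = S x O x D).
# All rows, scores and the threshold below are constructed illustrations.
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str
    severity: int    # 1 (negligible) .. 10 (catastrophic)
    occurrence: int  # 1 (remote) .. 10 (almost certain)
    detection: int   # 1 (almost certainly detected) .. 10 (undetectable)

    def __post_init__(self):
        # Each score is an ordinal rating; anything outside 1..10 is a data error.
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be in 1..10, got {value}")

    @property
    def rpn(self) -> int:
        # Conventional FMEA criticality index; an ordinal product, not a loss figure.
        return self.severity * self.occurrence * self.detection


def rank_by_rpn(modes, threshold=100):
    """Return (mode, rpn, needs_action) tuples, highest risk first.

    Ties on RPN are broken by severity so that a severe-but-rare failure is
    not outranked by a mild one with the same product. The threshold is the
    action trigger a task force would agree on; 100 is a constructed value.
    """
    ranked = sorted(modes, key=lambda m: (m.rpn, m.severity), reverse=True)
    return [(m, m.rpn, m.rpn >= threshold) for m in ranked]


# Constructed worksheet rows for a small web application
WORKSHEET = [
    FailureMode("VPN gateway", "unpatched remote code execution", 9, 4, 3),
    FailureMode("Backup job", "silent failure, restores unusable", 8, 3, 9),
    FailureMode("Admin accounts", "shared credentials, no MFA", 7, 6, 5),
    FailureMode("TLS certificate", "expires unnoticed, causing an outage", 4, 5, 2),
]

if __name__ == "__main__":
    for mode, rpn, act in rank_by_rpn(WORKSHEET):
        flag = "ACT" if act else "   "
        print(f"{rpn:4d}  {flag}  {mode.component}: {mode.mode}")
```

Note that the backup failure outranks the VPN flaw purely because it is hard to detect; the RPN orders the rows for the action plan but cannot tell you which one would cost more.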