AI Risk Quantification Process with FAIR and NIST AI RMF

quantifying multi product security and privacy n.w
1 / 26
Embed
Share

Explore the methodology of quantifying AI-related risks using FAIR and NIST AI RMF frameworks. Learn how to assess, manage, and mitigate risks associated with multi-product security and privacy in the AI landscape.

  • AI Risk
  • Quantification
  • Security
  • Privacy
  • FAIR
rayaanacharya
josejuli Follow

Uploaded on | 1 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Quantifying Multi-Product Security and Privacy AI Risk with FAIR and NIST AI RMF Presented By: Tyler Britton | Security Engineer, Risk Nerd Taylor Maze | Risk & Governance Manager, Wine Enthusiast

  2. Agenda As s es s ment Scope & Backgr ound Assessment P r ocess Methodology NIST AI RMF FAIR Key Takeaways Practical Application: AI Risk Quantification Guide

  3. Assessment Scope: the Ask How does the usage and development of AI products impact our overall risk posture? and how can we best manage that new risk?

  4. The Challenge How do we quantify AI-related risks? Key lack of industry information and regulatory guidance about AI risks, as the emergence of AI is new.

  5. Assessment Process AI risk assessment process remains largely unchanged: - Initial scope ideation (using NIST AI RMF) - Review & refine scope into risk scenarios with SMEs - Data gathering / quantification - Reporting

  6. Step 1: AI-Risk Recon to Establish Scope

  7. NIST AI Risk Management Framework Goal: encompass risk related to AI trustworthiness to think outside the [cyber and privacy] risk box to Source: Characteristics of trustworthy AI Systems, NIST AI RMF (https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.100-1.pdf)

  8. AI Risk Recon Topics AI Risk topics gathered from a variety of sources, including SMEs and online Membership Inference Hallucinations Model Inversion Biased Data/Outputs Model Theft Model Poisoning Harmful/Unlawful Outputs Prompt Injection Model Deterioration

  9. Step 2: Sanity Check & FAIRitization

  10. FAIR-itization example: Hallucination Concern to risk scenario translation process 1.Define the loss (i.e. risk scenario statement) 2.Identify the attack chain 3.Identify the point at which the loss event and secondary loss event happens 4.Identify the loss impacts

  11. FAIR-itization example: Hallucination Concern Identification / Risk Therapy 1.What is a hallucination? 2.How do hallucinations happen? 3.Why do we care if it happens? 4.What s the impact?

  12. FAIR-itization example: Hallucination Loss Event Defined: Quantifiable Risk Statement The quality foundational producing outputs. risk associated of the with an impact result to of the the and product model as hallucinating misleading, a inaccurate, or false

  13. Multi-Product Application How we assessed 60+ scenarios in <2 weeks - Map scope products - Remove those that do not apply (this will become obvious during data gathering) each identified risk scenario to the in-

  14. AI Risk Recon Topics 1.Product A immature model causes hallucination 2.Product A bad data leads to hallucination 3.Product B bad data leads to hallucination Hallucinations 1.Product A model theft by insider 2.Product A model theft by external actor 3.Product B model theft by insider Model Theft 1.Attacker performs P.I. on Product A 2.Attacker performs P.I. on Product B Prompt Injection

  15. Step 3: Data gathering & quantification

  16. AI Data Gathering: Hallucinations Loss Frequency Loss Chain How many AI-generated outputs does the product produce, per year? [Contact Frequency] Users use the product Output is a hallucination What is the hallucination rate of the product, i.e., what percentage of outputs may result in a hallucination? [Probability of Action] User notices hallucination What portion of hallucinations will users (1) be aware of and (2) adversely impacted by? [Susceptibility] User is adversely impacted by the hallucination

  17. AI Data Gathering: Hallucinations Loss Frequency Loss Chain How many AI-generated outputs does the product produce, per year? [Contact Frequency] Users use the product 1M Output is a hallucination 2% What is the hallucination rate of the product, i.e., what percentage of outputs may result in a hallucination? [Probability of Action] User notices hallucination 50% What portion of hallucinations will users (1) be aware of and (2) adversely impacted by? [Susceptibility] User is adversely impacted by the hallucination 1% 100 Loss Events per Year

  18. AI Data Gathering: Hallucinations Frequency - What factors impact the likelihood of customer adverse reactions? - Customer awareness - how likely are they to notice? - Customer impact - how harmful is the hallucination? - Customer sensitivity - how much is too much? Estimation Considerations - What service is the product providing? - What does a hallucination look like for the given product? - Does the output inform a material outcome?

  19. AI Data Gathering: Hallucinations Frequency - What factors impact the hallucination rate? - Temperature (model creativity) - Other Controls: - Few shot - Chain of reasoning - Delimiting - Constraints on model response Estimation Considerations - What is the control s intended efficacy? - What is the degree of variance from the intended efficacy?

  20. AI Data Gathering: Hallucinations Magnitude Costs to consider: - Incident response effort - customer complaints, investigation - Legal impact - Torts, Privacy laws, litigation - Customer churn Estimation Considerations - Level of effort to respond to customer complaint - Limitations of liability, required effort to pursue damages - Normal customer churn, degree of harm

  21. Step 4: Reporting

  22. Example Reporting: NIST AI RMF Mapping

  23. Example Reporting: Scenario Themes

  24. Lessons Learned & Key Takeaways

  25. Key Takeaways The use of AI is not i nher ent l y high- risk There s nothing special about AI- risk, it s just a new attack surface How you develop/deploy AI, and what you use it for determines it s risk Different types of AI risks will be wildly different in different companies Considerations - How are we building AI products? - How are we deploying AI products? - How are we using AI 3rd Party Services?

  26. Thank you! Inquire for Quant Risk AI Assessment Framework Questions? Taylor Maze Taylor Maze | tmaze@dropbox.com Tyler Britton Tyler Britton | tbritton@dropbox.com

Related


TSA Security Guidelines and Risk Reduction Strategies

TSA Security Guidelines and Risk Reduction Strategies

flint
National Industrial Security Program (NISP) Risk Management Framework (RMF): Cybersecurity Overview

National Industrial Security Program (NISP) Risk Management Framework (RMF): Cybersecurity Overview

fredrick
Risk Mitigation Functions in Vehicle Control Systems

Risk Mitigation Functions in Vehicle Control Systems

deva
Privacy in Information Security Training

Privacy in Information Security Training

lillia
NCVHS Subcommittee on Privacy Comments on HIPAA Privacy Rule for Reproductive Health Care

NCVHS Subcommittee on Privacy Comments on HIPAA Privacy Rule for Reproductive Health Care

haley
Privacy-Preserving Analysis of Graph Structures

Privacy-Preserving Analysis of Graph Structures

bilal
Continuous Monitoring in Risk Management Framework (RMF)

Continuous Monitoring in Risk Management Framework (RMF)

persephone
Data Privacy Laws and Regulations in Saudi Arabia

Data Privacy Laws and Regulations in Saudi Arabia

twyla
Powering the Digital Economy: Regulatory Approaches to Securing Consumer Privacy, Trust, and Security

Powering the Digital Economy: Regulatory Approaches to Securing Consumer Privacy, Trust, and Security

arkady
The Privacy Paradox: Attitudes vs. Behaviors

The Privacy Paradox: Attitudes vs. Behaviors

clai_evi
Risk Concepts and Management Strategies in Finance

Risk Concepts and Management Strategies in Finance

ybre
Risk Management and Security Controls in Research Computing

Risk Management and Security Controls in Research Computing

aima_39
Indian Actuarial Seminar on Product Line Profitability and Risk Management

Indian Actuarial Seminar on Product Line Profitability and Risk Management

dcour
Enhancing Usability and Accessibility in Next-Generation Elections: NIST Workshop Insights

Enhancing Usability and Accessibility in Next-Generation Elections: NIST Workshop Insights

armi_798
Privacy Rights in Europe: A Comprehensive Overview

Privacy Rights in Europe: A Comprehensive Overview

jesu_26
Core-Stateless Fair Queueing: Past, Present, and Future

Core-Stateless Fair Queueing: Past, Present, and Future

agbayani_j
ProTech Contracts: Fair Opportunity and Guidance

ProTech Contracts: Fair Opportunity and Guidance

mckissick_a
Breach of Confidence and Privacy Rights in Legal Context

Breach of Confidence and Privacy Rights in Legal Context

harmo
Data Privacy Best Practices Training for Libraries

Data Privacy Best Practices Training for Libraries

teo_nah
Enhancing Online Patron Privacy in Library Websites

Enhancing Online Patron Privacy in Library Websites

weld852
Quantifying Risk in a Changing Climate with Design Life Level

Quantifying Risk in a Changing Climate with Design Life Level

haggerty_e
Student Privacy Laws and Best Practices in Education Sector

Student Privacy Laws and Best Practices in Education Sector

nam_e

More Related Content