I posed these questions recently to several CISOs in an effort to validate and quantify the FAIR value proposition. Translating features and benefits into business impact or economic impact is the challenge. For instance, "FAIR enables CISOs to efficiently allocate resources on top priority projects through comparative analysis on risk reduction benefit in economic terms of various investments of people, process and technology". When this benefit is realized by the business, there is an economic impact that can be measured. You may choose a compensating control vs. a best practice and "save" the company $100k in the process. If an organization is currently employing best practices and prioritizing projects based on a third-party risk assessment using a qualitative model, and they have an annual budget of $5M, how much of that budget is likely to be misspent?
The CXOWARE Blog
Welcome to the CXOWARE blog. We hope you’ll join us for lively and good natured discussion about risk and risk issues! We’re risk geeks, plain and simple. We’re big advocates of the Factor Analysis of Information Risk (FAIR) framework for quantifying risk.