If you’re here, we’re guessing you’ve heard something about Factor Analysis of Information Risk (or the FAIR model) and the quantification of cyber and operational risk.
And, as a chief risk officer (CRO), we’re also guessing you may have been told by your IT risk people that cyber risk can’t be quantified—the threats change so fast, the data is too hard to get, it’s fundamentally unlike other forms of risk.
We’re making one last guess that you’re hearing from your senior management or board of directors that, after so many high-profile, costly data breaches and other cyber attacks, there is growing urgency to report cyber risk to them in the same sort of quantified, hard-money terms you use for other risks, not the squishy high/medium/low risk reporting you may be getting now from IT.
So we put together this collection of guides as a short-course introduction to FAIR (the model that drives the RiskLens application) and cyber risk quantification.
High level, FAIR is:
- A set of standard definitions for risk and the elements that make up risk, eliminating the rampant miscommunication in the information risk field
- A statistical, probabilistic method to understand risk that eliminates subjectivity—by putting dollar values on risk
- Compatible with standards, frameworks, and regulatory regimes you know from other risk fields – COSO ERM, etc.
- A game-changer, moving risk management from a compliance-based, checklist approach to a risk-based approach
Start with this eBook by Jack Jones, the creator of FAIR.
Jack lays out, in non-technical terms, how FAIR works to identify and prioritize risk, and to point the way to the most cost-effective mitigation.
How organizations use FAIR to solve business problems
Read these case studies to see the practical value of risk quantification as a decision-support tool:
- RiskLens Prepares Financial Institution for GDPR Regulations
- Healthcare Company Evaluates Business Continuity Options
- Manufacturing Company Justifies IP Protection Project
How FAIR solves communication problems around risk-based decisions
Part of your job is likely riding herd on a risk committee tasked with defining...
- “What are our top risks?”
- “Are we doing enough? Or too much? In the right places?”
...with representatives from around the business, each with a different perspective on “risk”. Similarly, your security and audit teams may be at odds on the prioritization of risks.
With FAIR and risk quantification, disparate teams and departments can look at risk in the financial terms that are the basis of all their other communication about the business. That makes prioritizing on top risks a whole lot easier.
In fact, FAIR analysis often exposes that what the organization had considered risks aren’t really risks at all, or at least don’t represent much exposure to the organization.
- How to Ensure Your IT Risk Committee Speaks the Same Language
- When Internal Audit and Infosecurity Teams Play Nice Together
- In a Top-10 Risks Analysis, Get These 2 Factors Right
FAIR works with your ongoing compliance and reporting processes. In fact, it makes them better.
We get asked about this a lot. And we have a lot of answers:
- Standards Groups and Regulators Recognize FAIR
- How FAIR Can Ensure The Success of COSO Risk Management Programs
- Adding Dollars and Cents to Your NIST CSF Reporting
- How to Unscramble Your Risk Register with FAIR
- 4 Steps to a Smarter Heat Map
- Does Your Business Impact Analysis Leave You Wanting More?
Your people can do FAIR
No graduate degree is required to be a FAIR risk analyst, just good critical thinking skills and a comfort level with numbers. RiskLens offers a thorough online, video-based course in FAIR analysis. And, of course, the RiskLens platform automates many of the steps associated with FAIR risk analysis, for both cyber and operational risk scenarios.
Schedule a RiskLens demo to see how risk quantification can serve your needs as a Chief Risk Officer.