If you’re here, we’re guessing you’ve heard something about Factor Analysis of Information Risk (or the FAIR model) and the quantification of cyber and operational risk.
And we’re also guessing that, as a chief risk officer (CRO), you may have been told by your IT risk people that cyber risk can’t be quantified: the threats change so fast, the data is too hard to get, it’s fundamentally unlike other forms of risk.
We’re making one last guess: after so many high-profile, costly data breaches and other cyber attacks, your senior management or board of directors is pressing you to report on cyber risk in the same sort of quantified, hard-money terms you use for other risks, not the squishy high-medium-low risk reporting you may be getting now from IT.
So we put together this collection of guides as a short-course introduction to FAIR (the model that drives the RiskLens application) and cyber risk quantification.
High level, FAIR is:
An Executive’s Guide to Cyber Risk Economics by Jack Jones, the creator of FAIR.
Jack lays out, in non-technical terms, how FAIR works to identify and prioritize risk, and to point the way to the most cost-effective mitigation.
Read these case studies to see the practical value of risk quantification as a decision-support tool:
Part of your job is likely riding herd on a risk committee tasked with defining…
…with representatives from around the business, each with a different perspective on “risk”. Similarly, your security and audit teams may be at odds on prioritization of risks.
With FAIR and risk quantification, disparate teams and departments can look at risk in the financial terms that are the basis of all their other communication about the business. That makes prioritizing top risks a whole lot easier.
In fact, FAIR analysis often reveals that what the organization had considered risks aren’t really risks at all, or at least don’t represent that much exposure to the organization.
We get asked about this a lot. And we have a lot of answers:
No graduate degree required to be a FAIR risk analyst, just good critical thinking skills and a comfort level with numbers. RiskLens offers a thorough online, video-based course in FAIR analysis. And, of course, the RiskLens platform automates many of the steps associated with FAIR risk analysis, for both cyber and operational risk scenarios.
Schedule a RiskLens demo to see how risk quantification can serve your needs as a Chief Risk Officer