We know you’re doing the best you can with the risk assessment tools you have: risk maturity models and ordinal or color-coded scales for qualitative cyber risk analysis. But you know the limits of what you’ve got vs. the questions you need to answer.
- Maturity models are necessary baselines but can’t say how much risk the organization faces
- Qualitative scales rank risks based on guesswork, with no transparent way to explain the results
As a result, your organization often doesn’t know where to even begin with cyber risk analysis. The problem seems overwhelming, and the risks loom larger than they probably should.
Worse, the organization has no way to settle differing opinions among analysts (red vs. yellow vs. redder), with no standard way to assess the impact of the risk.
But there is a way to jump up and out of the dead end of qualitative risk analysis: cyber risk quantification and the critical thinking skills of the FAIR model (that’s Factor Analysis of Information Risk) which is now trusted by more than 3,000 leading thinkers in risk and security.
With FAIR, you can deconstruct a risk question into bite-sized chunks that you can measure and think through. The FAIR model (see it here) has two sides, Frequency and Magnitude to organize your data and, as importantly, to think through how a cyber threat could come at you, starting with the likely actors and going through their likely attacks.
To fill out the Frequency side, for instance, sends you on a hunt for solid data on the historic record for attacks on your organization.
For Magnitude, FAIR suggests six buckets for forms of loss, both primary and secondary, that again, give a structure for data collection on, for instance, primary response costs for a data breach or secondary costs of defending against lawsuits.
With the right data in hand, the FAIR model plugs into a Monte Carlo engine to run through a vast number of probable outcomes to arrive at a distribution of results for annual loss exposure in dollars, including the most likely and the average but also, for more risk averse organizations, the 90thpercentile.
The RiskLens application automates the whole process from data collection to results generation.
With FAIR training and RiskLens, you’re in position to answer, with confidence, and in financial terms, whatever questions management can throw at you:
- What are our top risks?
- How much risk do we have?
- What’s the ROI of our security investments?
- Are we doing enough to minimize risks?
You are now much more valuable to the organization, a cost-saver, a strategic adviser, a critical thinker – and all-around Risk Ninja.
Need more validation?
3,000 IT risk analysts and cybersecurity managers have joined the FAIR Institute, which promotes education on the FAIR model.
Gartner endorses risk quantification as one of the five pillars of cybersecurity risk management.
The SEC and other regulators are directing companies to disclose probable cyber risk in financial terms.