Identifying your critical risk scenarios is one of the most important and most difficult elements of assessing risk. Companies often fail to prioritize the risks they face and cannot express the range of outcomes those risks could produce.
With a clear idea of your risks you can:
- Define your risk appetite in dollars and cents
- Break through the communication barrier between IT security and the rest of the business
- Enable reporting you can take to the board with confidence
- Prioritize your cyber risk mitigation based on the business impact
- Calculate the ROI of security initiatives
But if you’re new to measuring risk, where do you start? At RiskLens, we use the FAIR model, a disciplined way of applying critical thinking to risk measurement that yields quantified results much like a financial analysis. It’s not just a model; it’s also a mindset.
To start thinking about risk in a new way, we put together this mini-guide of blog posts by RiskLens staff members and other FAIR experts:
It’s kind of a fad: Many businesses these days are writing Top 10 Lists of critical risks. Ask them how they derived their lists, and they typically can’t explain the system behind their choices. But that’s OK, writes Chad Weinman, RiskLens VP of Professional Services, who explains how to take even a confused list and start your analysis process.
In this five-part series, Jack Jones, the author of FAIR, walks you through the initial steps to understanding and sorting your top cyber risks. Jack starts with a critical distinction that most organizations miss in understanding risk: the difference between an event that causes a loss and a deficiency in the organization’s risk management practices.
FAIR expert Evan Wheeler introduces a simple version of the FAIR “ontology”, the map you can use to think through risk scenarios, and shows how to start your analysis with a simple spreadsheet. And, good news, Evan explains that the risk problems you need to solve aren’t unique, and that you have enough data for a good analysis, even if you think you don’t.
In a clear, step-by-step list, RiskLens Risk Consultant Cody Whelan runs through each of the components you need to understand to set up a risk analysis: your objectives, the assets you are trying to protect, the threats, and the potential losses.
Here’s where FAIR becomes a communications tool in addition to an analytical tool, helping risk managers and information security officers present to business executives a range of possible risk outcomes, in the language of dollars and cents. In a one-hour video, Chad Weinman and RiskLens Senior Risk Consultant Isaiah McGowan explain how to break down complex problems in risk management, build a common language around risk in a company, and express risk in financial terms. (Note: To view the entire video, you need to become a member of the FAIR Institute – it’s free and takes a minute.)
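The three posts above describe the same pipeline from three angles: the ontology as a map of the scenario, the components you must estimate, and the range of dollar outcomes you present to the business. The following is an added example, not code from RiskLens, the FAIR Institute, or any of the authors named on this page. It applies the published FAIR decomposition (Risk = Loss Event Frequency × Loss Magnitude, with LEF = Threat Event Frequency × Vulnerability, and Loss Magnitude = primary + secondary loss) to one constructed scenario, using Monte Carlo sampling the way a spreadsheet with a few thousand rows would. Triangular distributions stand in for the PERT distributions FAIR tooling normally uses (an assumption, because Python's standard library has no PERT sampler); the scenario name, every numeric range, the risk appetite figure and the control cost are made-up illustration values, not data from the page.

```python
"""FAIR-style risk scenario estimated by Monte Carlo simulation.

Added example. The decomposition below is the published FAIR ontology:
  Risk (annualized loss exposure) = Loss Event Frequency x Loss Magnitude
  Loss Event Frequency            = Threat Event Frequency x Vulnerability
  Loss Magnitude                  = primary loss + secondary loss
Assumptions: triangular distributions replace PERT; all ranges, the appetite
figure and the control cost are constructed values for illustration only.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode); triangular is an assumption
        # standing in for the PERT distribution used by FAIR tooling.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range             # threat events per year
    vulnerability: Range   # probability a threat event becomes a loss event, 0..1
    primary_loss: Range    # dollars per loss event: response, replacement, productivity
    secondary_loss: Range  # dollars per loss event: fines, legal, reputation


def _percentile(sorted_values, q):
    """Nearest-rank percentile on an already sorted list."""
    idx = int(round(q * (len(sorted_values) - 1)))
    return sorted_values[min(max(idx, 0), len(sorted_values) - 1)]


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Return a summary of annualized loss exposure (dollars per year).

    Each trial draws one value per component and multiplies them, which is
    the simple spreadsheet version of FAIR: one row per simulated year.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        lm = scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        losses.append(lef * lm)
    losses.sort()
    return {
        "min": losses[0],
        "p10": _percentile(losses, 0.10),
        "p50": _percentile(losses, 0.50),
        "p90": _percentile(losses, 0.90),
        "max": losses[-1],
        "mean": statistics.fmean(losses),
    }


def exceeds_appetite(summary: dict, appetite_dollars: float, at: str = "p90") -> bool:
    """Risk appetite stated in dollars: does the chosen percentile breach it?"""
    return summary[at] > appetite_dollars


def control_roi(baseline: Scenario, mitigated: Scenario, annual_cost: float,
                trials: int = 10_000, seed: int = 1) -> tuple:
    """Expected annual loss avoided by a control and its ROI, (avoided, roi)."""
    avoided = simulate(baseline, trials, seed)["mean"] - simulate(mitigated, trials, seed)["mean"]
    return avoided, (avoided - annual_cost) / annual_cost


# Constructed scenario (illustration values, not real data):
# phishing leads to a compromised employee mailbox and disclosure of customer PII.
PHISHING = Scenario(
    name="Phishing -> mailbox compromise -> customer PII disclosure",
    tef=Range(10, 25, 60),
    vulnerability=Range(0.05, 0.10, 0.25),
    primary_loss=Range(20_000, 60_000, 200_000),
    secondary_loss=Range(0, 100_000, 1_500_000),
)
# Same scenario after deploying phishing-resistant MFA (assumed effect: lower vulnerability).
PHISHING_WITH_MFA = Scenario(
    name=PHISHING.name + " (with phishing-resistant MFA)",
    tef=PHISHING.tef,
    vulnerability=Range(0.01, 0.03, 0.08),
    primary_loss=PHISHING.primary_loss,
    secondary_loss=PHISHING.secondary_loss,
)

if __name__ == "__main__":
    summary = simulate(PHISHING)
    for key in ("min", "p10", "p50", "p90", "max", "mean"):
        print(f"{key:>4}: ${summary[key]:>14,.0f}")
    print("breaches $1M appetite at p90:", exceeds_appetite(summary, 1_000_000))
    avoided, roi = control_roi(PHISHING, PHISHING_WITH_MFA, annual_cost=150_000)
    print(f"MFA avoids ${avoided:,.0f}/yr, ROI {roi:.1%}")
```

The summary is the range of outcomes the video above talks about: rather than a single "high" rating, the board sees a minimum, a most likely (p50) and a worst reasonable case (p90) in dollars, the appetite check turns "define your risk appetite in dollars and cents" into a yes/no question, and control_roi compares two analyses of the same scenario to put a number on a proposed mitigation.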
RiskLens can help you get started on identifying your top cyber security risks. A risk management consultant can lead an on-site workshop to define risk scenarios that use a consistent structure and terminology and are aligned with FAIR. This equips you to run future analyses yourself and is a simple first step towards understanding the benefits a quantitative risk analysis approach can offer your company.