On the road to risk management maturity, most organizations start with some kind of maturity framework, most likely the NIST Cybersecurity Framework (CSF). Frameworks are relatively easy to implement, and carry industry acceptance. But at this early stage of development, there is a misconception that maturity frameworks are either the same thing as, or close enough to a well-vetted and defensible risk analysis model.
Over time though, organizations begin to learn the differences between the two. Then they may feel that the two are diametrically opposed and one approach has to be chosen over the other.
In this post, I’m going to outline the differences between the NIST Cybersecurity Framework (CSF) and Factor Analysis of Information Risk (FAIR), the risk analysis model that powers the RiskLens platform, and show how to the two can be used in a complementary way.
Desired Outcomes from NIST CSF and FAIR
To make sure that expectations match desired outcomes, it’s important to understand what each is intended to achieve, along with the differences of both.
- A framework to help organizations understand their controls environment, broken down by their areas of greatest strength, as well as areas of greatest potential improvement.
- Organizations assess themselves using a 1 – 4 scale (Partial, Risk Informed, Repeatable and Adaptive) through 108 sub categories.
- The outcome is an average score for each of the Five Functions of the framework (Identify, Protect, Detect, Respond, and Recover)
- A quantitative risk analysis model that helps organizations understand their risks in financial terms. (FAIR is also an international standard model maintained by the Open Group.)
- Organizations define their concerns in terms of a structured scoping format (Assets, Threats, Effects and Loss Event) by which a frequency of occurrence and a probable financial impact can be estimated.
- The outcome: seeing risks in financial terms. With the help of Monte Carlo simulation and the RiskLens platform, we can see these results in a variety of different ways, from histograms, to loss exceedance curves, to per-event frequencies and magnitudes.
Using NIST CSF and FAIR Together
Now that we understand what each is meant to achieve, let’s walk through how we can leverage one where the other leaves off.
A common problem with NIST CSF assessments are that they pull a risk team's focus down in to the weeds, then leaves them there, so to speak. So you're at Risk Informed status in the Data Security category, and could move up a notch to Repeatable status – but should you?
Organizations really want to know "How much risk do we have?" and "Which of the NIST CSF activities reduces risk the most?" The CSF alone can't answer those questions. This is where FAIR and seeing risks in financial terms plays a role.
The chart below shows how FAIR analysis picks up where the NIST CSF assessment leaves off. Based on the NIST CSF areas of concern on the left, I defined two measurable events on the right for which we can figure a likely frequency of occurrence and a dollar-cost magnitude of impact.
This practice in FAIR analysis is known as scoping, and is actually the first step in the risk analysis process.
To recap, both NIST CSF and FAIR serve a purpose and are complementary to one another. The NIST CSF helps organizations understand more broadly areas of control deficiencies within their environment. Through the use of FAIR and quantitative risk analysis, organizations can understand how to prioritize the risk management efforts suggested by NIST CSF, based on estimation of risk in financial terms.
The FAIR model that powers the RiskLens application is the only international standard quantitative model for cyber security and operational risk. Unlike risk assessment standards that focus their output on qualitative color charts or numerical weighted scales, the FAIR model specializes in financially derived results tailored for enterprise risk management. The FAIR Institute has over 4,000 members sharing information on use of the FAIR approach to risk. Recently, leading technology analyst firm Gartner identified risk quantification as a critical capability for any effective cyber risk management program.