In a new article for Homeland Security Today, Accurately Scoring Cybersecurity Threat in a Maze of Vulnerabilities, FAIR model creator Jack Jones finds a parallel between the Mad Hatter from Alice in Wonderland, whose conversation had “no sort of meaning in it, and yet it was certainly English,” and the communication style of many information security teams.
“We just toss vulnerability data over the wall and expect decision-makers to somehow intuitively understand their significance,” Jack writes. Cybersecurity is a highly technical field, but that doesn’t mean its outcomes have to be communicated in highly technical terms, he argues.
“The truth of the matter is, if we want to be effective in communicating relevance to leaders so they can be effective in their decision-making, then a different level of effort is required than is commonly being applied today. There is no ‘easy button’ for this.”
Focusing primarily on vulnerabilities, Jack writes, distracts from the thing that actually matters: cyber risk expressed as loss event scenarios, each measured by its probable frequency of occurrence and its probable impact in cost. Those two quantities are what an IT risk team can communicate to the rest of the business in terms it understands.
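To make that distinction concrete, here is an added example (not code from Jack Jones, the FAIR Institute, or the Homeland Security Today article) that quantifies a loss event scenario the way the paragraph above describes: a probable frequency of occurrence and a probable per-event cost, combined by Monte Carlo simulation into an annual loss distribution that can be reported to leadership as dollars and percentiles rather than as a vulnerability count. It is a deliberate simplification of FAIR: frequency is modelled as a Poisson process and per-event loss as a lognormal distribution fitted to an analyst's 10th/90th percentile estimates. The scenario names and numbers are constructed for illustration only.

```python
import math
import random
from dataclasses import dataclass

# Standard normal quantile for the 90th percentile; used to turn a
# p10/p90 estimate into lognormal parameters.
Z90 = 1.2815515655446004


@dataclass(frozen=True)
class LossScenario:
    """One loss event scenario, in the two terms the business can act on."""
    name: str
    lef_per_year: float    # loss event frequency: mean events per year
    magnitude_p10: float   # analyst's 10th percentile loss per event ($)
    magnitude_p90: float   # analyst's 90th percentile loss per event ($)


def lognormal_params(p10: float, p90: float) -> tuple[float, float]:
    """Fit (mu, sigma) of a lognormal so that its p10 and p90 match the estimate."""
    if not 0 < p10 <= p90:
        raise ValueError("need 0 < p10 <= p90")
    mu = (math.log(p10) + math.log(p90)) / 2
    sigma = (math.log(p90) - math.log(p10)) / (2 * Z90)
    return mu, sigma


def expected_annual_loss(s: LossScenario) -> float:
    """Closed-form annualized loss expectancy: frequency x mean magnitude."""
    mu, sigma = lognormal_params(s.magnitude_p10, s.magnitude_p90)
    return s.lef_per_year * math.exp(mu + sigma * sigma / 2)


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; fine for the small event rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: LossScenario, years: int = 20000, seed: int = 7) -> list[float]:
    """Simulate `years` independent years; each year sums the losses of its events."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.magnitude_p10, s.magnitude_p90)
    losses = []
    for _ in range(years):
        events = poisson_sample(rng, s.lef_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Mean plus percentiles: the numbers a decision-maker can compare."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q: float) -> float:
        return ordered[min(n - 1, int(q * (n - 1)))]

    return {
        "mean": sum(ordered) / n,
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": ordered[-1],
    }


# Constructed scenarios (hypothetical numbers, not from any real assessment).
SCENARIOS = [
    # Many "critical" findings, but low exposure and cheap to recover from.
    LossScenario("Defaced marketing site", lef_per_year=2.0,
                 magnitude_p10=5_000.0, magnitude_p90=40_000.0),
    # Few findings, but a rare event would be very expensive.
    LossScenario("Ransomware on file servers", lef_per_year=0.5,
                 magnitude_p10=20_000.0, magnitude_p90=500_000.0),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        stats = summarize(simulate_annual_losses(s))
        print(f"{s.name}: ALE ${expected_annual_loss(s):,.0f}; "
              f"simulated mean ${stats['mean']:,.0f}, p90 ${stats['p90']:,.0f}, "
              f"p95 ${stats['p95']:,.0f}")
```

The second scenario has fewer "findings" than the first but a larger expected annual loss and a much fatter tail, which is the kind of ranking a vulnerability count or severity score cannot produce. The p10/p90 inputs are the calibrated estimates an analyst would elicit; the seeded simulation makes the run reproducible so two people reviewing the same inputs get the same numbers.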
For more on Jack Jones’ thoughts on vulnerability counts, severity scores and other common approaches to risk analysis – and why a quantitative risk model like FAIR is a better way – read Accurately Scoring Cybersecurity Threat in a Maze of Vulnerabilities in Homeland Security Today.