NIST Recommends FAIR for Integrating Cybersecurity with Enterprise Risk Management

October 22, 2020  Jeff B. Copeland

In a new standard, Integrating Cybersecurity and Enterprise Risk Management (ERM) (NISTIR 8286), the National Institute of Standards and Technology (NIST) recommends risk quantification and the FAIR™ standard specifically, for organizations to “better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives,” as the document’s mission statement says.

The RiskLens platform is the only enterprise-scale SaaS application for quantitative cyber and technology risk analysis with FAIR (Factor Analysis of Information Risk) – and many of the best practices recommended in NISTIR 8286, such as risk prioritization, analysis with risk scenarios, Monte Carlo simulations, and, of course, risk quantification, are accomplished with the capabilities of the platform.

NIST had already included FAIR as one of the recommended resources for risk management and risk analysis in its Cybersecurity Framework (NIST CSF), the most widely used framework in security operations of US businesses.  This new standard effectively scales up the scope of use for FAIR, recognizing that quantification puts cyber risk analysis on a par with the other risk management disciplines that make up ERM.

The NISTIR 8286 document makes a critique of cyber risk management that’s familiar to FAIR practitioners – from their past lives. “Risk analysis tends to be inconsistent for [cybersecurity risk management] compared to many other forms of risk… Foundational inputs for likelihood and impact calculations generally lack a standardized methodology or are left to the discretion of vendors who provide a scoring system. Decisions are often made based on an individual’s instinct and knowledge of conventional wisdom and typical practices…

“While qualitative methods are commonplace, the practitioner may benefit from considering a quantitative methodology with a more scientific approach to estimating likelihood and the impact of consequences where the data is available for this type of analysis. This may help to better prioritize risks or prepare more accurate risk exposure forecasts.”

The document goes on to name the FAIR standard (maintained by the Open Group) “to aid in more accurate estimation.”

The recognition from NIST follows another prestigious endorsement earlier this year: The COSO Enterprise Risk Management Framework issued a new guidance document, Managing Cyber Risk in a Digital Age, that introduces cyber risk quantification to the most widely used ERM framework. The document specifically mentions FAIR for quantifying risk and setting risk tolerance.


RiskLens can help your organization cost effectively comply with NIST guidance. Learn more - then contact us for advice from one of our risk management experts.