Posted October 16, 2018 by Rachel Slabotsky
Establishing a well-defined risk appetite has long been a moving target in cyber risk management. The conventional red-amber-green approach to cyber risk has influenced the treatment of risk appetite and led to some common pitfalls that become obvious when RiskLens consultants apply the principles of the FAIR model. Here are some of the problem areas we see:
Posted October 9, 2018 by Jeff B. Copeland
Corporate governance expert and RiskLens board member James Lam tells the Wall Street Journal’s Cyber Daily (subscription required) that CISOs and CIOs should stop reporting on cyber risk with “silly” metrics like attempted malware attacks
Posted October 8, 2018 by Taylor Maze
There are few things in life that are less fun than exception mitigation due to audit findings. In fact, I have compiled a list: root canals, a weekend trip with your mother-in-law (here’s hoping she doesn’t read my blogs), and 4:30 p.m. Friday meetings.
Posted October 5, 2018 by Jeff B. Copeland
In a new article for Homeland Security Today, Accurately Scoring Cybersecurity Threat in a Maze of Vulnerabilities, FAIR model creator Jack Jones finds a parallel between the Mad Hatter from Alice in Wonderland, whose conversation had “no sort of meaning in it, and yet it was certainly English”, and the communication styles of many infosecurity teams.
Posted October 4, 2018 by Jeff B. Copeland
In a new article for FinTech Weekly, A Value-at-Risk Model for Cyber? Yes, It Exists. And Watch Out for Fakes, RiskLens CEO Nick Sanna writes that the FAIR model brings to cyber risk the same value-at-risk discipline that banks and other financial institutions apply to capital requirements for credit, operational and market risk.
Posted October 3, 2018 by David Musselwhite
Quantitative cyber risk analytics using FAIR is an inherently mathematical endeavor. Estimates for the factors of risk (like loss event frequency and loss magnitude) are expressed using probability distributions
Posted September 28, 2018 by Isaiah McGowan
As an industry we have a history of focusing on things around risk but not explicitly addressing risk; when we do that we are NOT doing “risk-based” anything.
Posted September 25, 2018 by Jeff B. Copeland
What’s the risk from spear-phishing, accidental emailing of customer data or other results of the vulnerabilities caused by humans on your systems? Cybersecurity professionals are often stumped on how to answer
Posted September 21, 2018 by Teresa Suarez
Bias. Discrimination. Unfairness. What do all three words have in common? I’ll give you some hints, they all:
- Have negative connotations
- Exhibit prejudices
- Could be attributed to heat maps
Posted September 20, 2018 by Jeff B. Copeland
A study by Kaspersky Lab on data protection for personally identifiable information uncovered a new insight into the cost of data breaches: in almost one-third of the breaches studied, someone lost a job in the aftermath.