One thing we learn from Factor Analysis of Information Risk (that’s the FAIR model that powers the RiskLens cyber risk analytics platform) is to take a disciplined approach to our thinking and language about risk. A good example: “risk analysis” vs. “risk assessment,” two terms commonly thrown around as interchangeable — but there is an important difference.
FAIR practitioners know that a risk analysis is part of the larger risk assessment process.
A risk assessment should include:
In other words, scoping. The end result is a scenario, a clearly defined problem statement that stakeholders agree is the risk to be analyzed.
As part of scoping, the team identifies:
Read more: How to Scope a Risk Analysis with FAIR
Perform a quantitative analysis of the risk identified during the scoping phase. In other words, using FAIR, measure the probable frequency and probable magnitude of future loss: the FAIR definition of “risk”.
Will decision-makers accept the risk and move on or would they like to mitigate this risk? If we’re leaning towards the latter, take these steps:
The FAIR model for cyber risk analysis is in use at about 30% of Fortune 100 companies. Gartner recently called cyber risk quantification a must-have for forward-looking companies practicing Integrated Risk Management (IRM).
4. Determining which option is likely to be the best fit – use FAIR here, too.
Within the RiskLens tool, you can use the reporting to see where each solution would give you the best ROI. See this report from RiskLens on potential solutions for risk around phishing:
Report on your results and provide your stakeholders with the various investment options. Using the FAIR model and the RiskLens tool, you can confidently present a complete risk assessment based on a defensible risk analysis of the significance of the risk and a comparison of the options to mitigate it.
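To make the analysis step and the option comparison concrete, here is an added example (not RiskLens code) of a minimal FAIR-style Monte Carlo estimate: it turns calibrated min/most-likely/max estimates of Loss Event Frequency (LEF) and Loss Magnitude (LM) into a distribution of annualized loss, then ranks two hypothetical phishing mitigations by ROI. All estimates, option names and costs are constructed for illustration, and triangular distributions stand in for FAIR's PERT-shaped ranges.

```python
import random
import statistics

# Constructed (hypothetical) calibrated estimates as (min, most likely, max).
# LEF is loss events per year; LM is dollars lost per event.
BASELINE = {"lef": (2, 5, 12), "lm": (20_000, 80_000, 400_000)}

# Hypothetical mitigation options: name -> (annual cost, LEF after, LM after).
OPTIONS = {
    "awareness training": (50_000, (1, 3, 8), BASELINE["lm"]),
    "mail filtering": (120_000, (0.5, 2, 5), BASELINE["lm"]),
}


def simulate_ale(lef, lm, iterations=10_000, seed=42):
    """Return a list of simulated annual losses, one per iteration.

    Simplification: each iteration multiplies one LEF draw by one LM draw
    rather than sampling an event count and summing per-event losses.
    random.triangular takes (low, high, mode), hence the argument order."""
    rng = random.Random(seed)  # fixed seed keeps runs reproducible
    return [rng.triangular(lef[0], lef[2], lef[1]) * rng.triangular(lm[0], lm[2], lm[1])
            for _ in range(iterations)]


def summarize(losses):
    """Mean (expected annual loss) and 90th percentile of a loss distribution."""
    ordered = sorted(losses)
    return {"mean": statistics.fmean(ordered), "p90": ordered[int(0.9 * len(ordered))]}


def compare_options(baseline, options):
    """ROI per option: (expected annual loss reduction - annual cost) / annual cost."""
    base_mean = summarize(simulate_ale(baseline["lef"], baseline["lm"]))["mean"]
    results = {}
    for name, (cost, lef_after, lm_after) in options.items():
        mean_after = summarize(simulate_ale(lef_after, lm_after))["mean"]
        reduction = base_mean - mean_after
        results[name] = {"risk_reduction": reduction, "roi": (reduction - cost) / cost}
    return results


if __name__ == "__main__":
    base = summarize(simulate_ale(BASELINE["lef"], BASELINE["lm"]))
    print(f"Baseline ALE: mean ${base['mean']:,.0f}, p90 ${base['p90']:,.0f}")
    for name, r in compare_options(BASELINE, OPTIONS).items():
        print(f"{name}: cuts expected loss by ${r['risk_reduction']:,.0f}, ROI {r['roi']:.1f}x")
```

The option with the largest loss reduction is not necessarily the one with the best ROI, which is exactly the comparison a stakeholder report needs to show.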