3 Ways FAIR Cyber Risk Analysis Programs Can Go Wrong (and 3 Simple Fixes)

May 24, 2022  Chad Weinman

The goal of the RiskLens professional services team is to start up FAIR™ quantitative risk management programs and hand the keys over to our customers. Once in a while, we are asked to make a house call for a program that’s gone off track. One thing we’ve learned about these situations is: Small Process Changes Can Have a Big Impact.

Let me explain with three challenges:

Challenge #1 Inconsistent Risk Analysis Techniques

A risk analyst team fell into a practice of customizing the process for every analysis. They meant well but were complicating their work. For instance, each analysis would start at a different level of the FAIR model (see the FAIR model here). The problem was, when every way is unique and nothing is consistent, the process can’t be efficient.

Solution: The team defined a consistent, streamlined analysis process – for instance, always starting at the same FAIR level – and only adjusted their mode of operation when needed.

Chad Weinman is Vice President, Professional Services, for RiskLens.

Challenge #2 Not Adopting New Best Practices

FAIR quantitative analysis improves over time as the community of practitioners shares, and as the RiskLens product, data science, and professional services teams refine our software and solutions. A case in point at one customer: They conducted data gathering by interviewing dozens of subject matter experts for every analysis, slowing their whole program down to a crawl. RiskLens had already solved their problem with the rollout of Data Helpers, a data selection capability on the RiskLens platform that comes with 5+ industry- and research-based Data Helpers out of the box.

Solution: We demonstrated Data Helpers and – after a bit of habit and process change – the customers have now made the new, much more efficient process a foundation of their program. The lesson: Be ready to embrace new best practices. The other lesson: Data Helpers are a major efficiency advance – use them at every opportunity!

Challenge #3 Risk Analysis Reporting Not Adapted to the Audience

We worked with a team that was reporting to their CISO in a standardized format that works for many organizations – but just wasn’t what the CISO wanted to effectively tell their story. For instance, the probable frequency of a risk materializing is often expressed as the number of times per year. But for the CISO, this wasn’t ideal for those much rarer but material cyber events (with a five- or 10-year horizon).

Solution: With help from the RiskLens team, minor tweaks to the reporting template shifted this to communicating the probability of occurrence within the next year (ex. 5%). This instantly made the customer more comfortable and better supported effective communication with their stakeholders.
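As an added example (not code from the RiskLens post or platform), here is the conversion behind Challenge #3 in Python: a loss event frequency stated in times per year turned into the probability of at least one event within a reporting horizon, and back again. It assumes loss events arrive as a Poisson process with the stated mean annual frequency, which is a modelling assumption the post does not make explicit; the scenario names and rates are constructed sample values.

```python
import math


def annual_rate_to_probability(rate_per_year: float, horizon_years: float = 1.0) -> float:
    """Probability of at least one loss event within the horizon.

    Assumes events arrive as a Poisson process with mean frequency
    `rate_per_year` (assumption), so P(>=1 event) = 1 - exp(-rate * years).
    For small rates this is close to the rate itself (0.05/yr -> ~4.9%), but
    unlike the naive "rate = probability" shortcut it never exceeds 100%:
    2 events/yr gives ~86.5%, not 200%.
    """
    if rate_per_year < 0 or horizon_years < 0:
        raise ValueError("rate and horizon must be non-negative")
    return 1.0 - math.exp(-rate_per_year * horizon_years)


def probability_to_annual_rate(probability: float, horizon_years: float = 1.0) -> float:
    """Inverse conversion: recover the mean annual frequency from a
    within-horizon probability (same Poisson assumption)."""
    if not 0.0 <= probability < 1.0:
        raise ValueError("probability must be in [0, 1)")
    return -math.log(1.0 - probability) / horizon_years


def report_line(scenario: str, rate_per_year: float, horizon_years: float = 1.0) -> str:
    """Render one report row the way the CISO in the post preferred it:
    as a probability of occurrence over the horizon rather than a count per year."""
    p = annual_rate_to_probability(rate_per_year, horizon_years)
    return (f"{scenario}: {p:.1%} chance of at least one loss event "
            f"in the next {horizon_years:g} year(s)")


# Constructed sample scenarios (not from the post): mean loss event frequency per year.
SAMPLE_SCENARIOS = {
    "Ransomware outage (once per 20 years)": 1 / 20,
    "Phishing credential theft (twice per year)": 2.0,
}

if __name__ == "__main__":
    for name, rate in SAMPLE_SCENARIOS.items():
        print(report_line(name, rate))            # one-year view
        print(report_line(name, rate, 10.0))      # ten-year horizon view
```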