5 Critical Skills You'll Learn in FAIR Training

January 30, 2020  Jeff B. Copeland

Get trained in Factor Analysis of Information Risk (FAIR), the international standard model for cyber risk quantification, and the basis of the RiskLens platform and you’re joining a growing worldwide movement to put cyber risk analysis on the same solid, mathematical, repeatable basis that underly other forms of risk management.

The RiskLens Academy offers on-site and online training, the SANS Institute has also offered courses and CyberVista runs a FAIR program for boards and senior executives.

Wherever you gain the knowledge, you’ll be boosting your career as demand from corporate boards and regulators leans more heavily on cybersecurity teams to explain and justify what they do in quantified, financial terms.

Here’s what you’ll add to your skill-set:

1. How to speak a common language of risk you can share with your organization

Risk, Threat, Vulnerability, etc., the basic vocabulary of cyber risk analysis and risk management can have differing definitions throughout one organization (and the risk profession), scrambling communication.  FAIR is built upon a logical, consistent set of terms in a relation to each other that’s easy to visualize in the FAIR model.

Take Threat – “a person, group of people, force of nature, etc. that can act against an asset in a way that results in loss”. A data breach is not a threat; it may be the outcome when threat actors attack your asset. Ransomware is not a threat; it’s a method that threat actors may use.

FAIR clears the confusion and focusses everybody on the risk problem at hand. Introducing FAIR vocabulary is the first step in making the change to a risk-based organization.

 2. How to spot the flaws of conventional, qualitative risk analysis

Subjective opinions and broken models – that’s the norm in many cyber risk analysis shops. An education in FAIR exposes those flaws.  FAIR is different from traditional/qualitative risk analysis methods in two critical ways: correctly modeling risk and using valid inputs.

In the FAIR model, Risk = Frequency of Loss Events x Magnitude of Impact, a formula that’s built for quantitative inputs, and generates results as a range of probable outcomes in dollar terms. Compare that to one well-used formula, Likelihood x Impact in a 5×5 table – but the numbers can’t really be used for math, they’re just subjecting groupings. We don’t know if the difference between a 1 and a 2 is the same as between a 3 and a 4, for instance. Or take heat maps, which place risks on a grid based on single ratings for each, when realistic outcomes could span multiple ratings. FAIR produces useful, logical, simple risk analysis – learn it and the flaws of qualitative methods become obvious.

From the FAIR Institute: Download ‘Understanding Cyber Risk Quantification: The Buyer’s Guide’ by Jack Jones

 3. How to understand the FAIR model and the principles of quantitative risk analysis

FAIR analysis begins with critical thinking about risk and FAIR training arms you with the conceptual tools to be a critical thinker. Among the fundamental concepts you’ll learn are Accuracy vs. Precision: An overly precise value is likely to be inaccurate. FAIR analysis strives for an accurate range that informs while expressing uncertainty. Or Prediction vs. Possibility vs. Probability: FAIR analysis focusses on the probable over the possible (too wide a focus) and prediction (too specific).

Another key concept and skill is calibrated estimation, how to arrive at data for input to analysis at a 90% confidence level, because measuring risk involves making good estimates.  And Monte Carlo simulation, the mathematical process behind the FAIR model that approximates the probabilities of uncertain outcomes by running multiple trial runs using random variables.

4. How to construct and run a FAIR analysis

FAIR training covers in detail the phases of the risk analysis process:

 5. How to present the results of FAIR analysis to your organization.

Results of FAIR analysis are always presented in terms of annualized loss exposure (ALE), a range of probable outcomes in dollar values with markers showing the minimum, maximum, most likely, 10thpercentile and 90thpercentile of results – critical for giving decision-makers a clear picture of the risk facing the organization so they can respond in a proportionate way based on risk tolerance and expected rate of return on security investments.

What’s missing here? No techno-speak about patching counts or maturity scores and no FUD (fear, uncertainty and doubt) based on scare headlines. FAIR analysis puts cyber risk on the same businesslike level as the rest of enterprise risk management. If it helps, you can even arrange most likely ALE ranges on a color-coded grid, confident that you’re presenting results of a defensible analysis, not qualitative guesswork.