If you’re here, we’re guessing you’ve heard something about Factor Analysis of Information Risk (or FAIR™) and the quantification of cyber and operational risk.
And, as a chief risk officer (CRO), we’re also guessing you may have been told by your IT risk people that cyber risk can’t be quantified—the threats change so fast, the data is too hard to get, it’s fundamentally unlike other forms of risk.
We’re making one last guess that you’re hearing from your senior management or board of directors that, after so many high-profile, costly data breaches and other cyber attacks, the urgency is on to report cyber risk to them in the same quantified, hard-money terms you use for other risks, not the squishy high-medium-low risk reporting you may be getting now from IT.
So we put together this collection of guides as a short-course introduction to FAIR (the model that drives the RiskLens platform) and cyber risk quantification.
High level, FAIR is:
- A set of standard definitions for risk and the elements that make up risk, eliminating the rampant miscommunication in the information risk field
- A statistical, probabilistic method for understanding risk that eliminates subjectivity by putting dollar values on risk
- Compatible with the standards, frameworks, and regulatory regimes you know from other risk fields, such as COSO ERM
- A game-changer, moving risk management from a compliance-based, checklist approach to a risk-based approach
Start with this eBook…
An Executive’s Guide to Cyber Risk Economics by Jack Jones, the creator of FAIR.
Jack lays out, in non-technical terms, how FAIR works to identify and prioritize risk, and to point the way to the most cost-effective mitigation.
How organizations use FAIR to solve business problems
Read these RiskLens case studies to see the practical value of risk quantification as a decision-support tool:
- Finance Company Assesses Risk of Data Breach from Shared Storage
- Operational Risk from Outage of a Manufacturer's Order Fulfillment System
- Evaluating ROI of Data Loss Prevention Controls
RiskLens Risk Report
How FAIR solves communication problems around risk-based decisions
Part of your job is likely riding herd on a risk committee tasked with defining...
- “What are our top risks?”
- “Are we doing enough? Or too much? In the right places?”
...with representatives from around the business, each with a different perspective on “risk”. Similarly, your security and audit teams may be at odds on the prioritization of risks.
With FAIR and risk quantification, disparate teams and departments can look at risk in the financial terms that are the basis of all their other communication about the business. That makes prioritizing on top risks a whole lot easier.
In fact, FAIR analysis often exposes that what the organization had considered risks aren’t really risks at all, or at least don’t represent much exposure to the organization.
Relevant guides:
- How to Ensure Your IT Risk Committee Speaks the Same Language
- When Internal Audit and Infosecurity Teams Play Nice Together
- In a Top-10 Risks Analysis, Get These 2 Factors Right
FAIR works with your ongoing compliance and reporting processes. In fact, it makes them better.
We get asked about this a lot. And we have a lot of answers:
- How to Assess Risk Quantitatively for PCI-DSS, NIST CSF, HITRUST, GDPR and More Standards
- 10 Ways RiskLens Can Help Implement COSO’s Cyber Guidance
- NIST Maps FAIR to the NIST CSF, Major Recognition of the Power of Cyber Risk Quantification
Your people can do FAIR
No graduate degree is required to be a FAIR risk analyst, just good critical thinking skills and a comfort level with numbers. RiskLens offers a thorough online, video-based course in FAIR analysis. And, of course, the RiskLens platform automates many of the steps associated with FAIR risk analysis, for both cyber and operational risk scenarios.
Relevant guides:
RiskLens Makes FAIR a Support Tool for Business Decision-Making
RiskLens is the analytics platform built by the creators of FAIR and road-tested by Fortune 1000 companies around the world as a foundation of their cyber, technology and operational risk management.
RiskLens automates the entire FAIR analysis process for rapid results delivered in a business-friendly, non-technical format showing loss exposure in dollars.
Benefits of using RiskLens for FAIR analysis include:
- Guided workflow to create risk scenarios and enter data from your organization or leverage data specific to your industry curated by the RiskLens data science team.
- Rapid risk assessment: Within minutes, identify top risks for the enterprise or a business unit
- Detailed risk analysis to drill down into the root causes of risk for any risk scenario
- Risk treatment analysis: Compare alternate risk mitigations against a baseline loss exposure for cost/benefit analysis
- Integration with leading GRC platforms via API
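The dollar-denominated, probabilistic analysis described above (the "statistical, probabilistic method" in the overview and the risk treatment comparison in the last bullet), as an added Python example that is not RiskLens code and not part of the original page: a Monte Carlo over FAIR's loss event frequency (threat event frequency times vulnerability) and loss magnitude, comparing a baseline scenario with a treated one. The scenario estimates and the $250,000 annual control cost are constructed for illustration.

```python
import math
import random
from statistics import mean

def _tri(rng, est):
    lo, mode, hi = est                 # calibrated (min, most likely, max) estimate
    return rng.triangular(lo, hi, mode)  # random.triangular takes (low, high, mode)

def _poisson(rng, lam):
    """Knuth's method: how many loss events occur in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(scn, years=10_000, seed=1):
    """One simulated annual loss per year; scn holds tef, vuln and loss estimates."""
    rng = random.Random(seed)
    out = []
    for _ in range(years):
        # FAIR: loss event frequency = threat event frequency x vulnerability
        lef = _tri(rng, scn["tef"]) * _tri(rng, scn["vuln"])
        n_events = _poisson(rng, lef)
        out.append(sum(_tri(rng, scn["loss"]) for _ in range(n_events)))
    return out

def percentile(samples, pct):
    s = sorted(samples)
    return s[min(len(s) - 1, int(pct / 100 * len(s)))]

def treatment_analysis(baseline, treated, annual_control_cost, years=10_000):
    """Baseline vs. treated loss exposure and the net benefit of the control."""
    base, trt = simulate_annual_loss(baseline, years), simulate_annual_loss(treated, years)
    return {
        "baseline_ale": mean(base),            # annualized loss exposure, USD
        "baseline_p90": percentile(base, 90),  # a bad year, USD
        "treated_ale": mean(trt),
        "net_benefit": mean(base) - mean(trt) - annual_control_cost,
    }

# Constructed scenario: breach of a shared storage system, before and after a
# control that lowers vulnerability; threat frequency and loss per event unchanged.
BASELINE = {"tef": (2, 6, 15), "vuln": (0.2, 0.4, 0.7), "loss": (50_000, 200_000, 1_000_000)}
TREATED = {**BASELINE, "vuln": (0.05, 0.15, 0.3)}

if __name__ == "__main__":
    for name, usd in treatment_analysis(BASELINE, TREATED, 250_000).items():
        print(f"{name:>13}: ${usd:,.0f}")
```

With these estimates the expected baseline exposure works out to roughly $1.38M a year against about $0.53M after treatment, so the control's net benefit is positive; the P90 figure is what a board should hear as the "bad year" number rather than the average.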