How to Prepare Your Team for a Successful Quantitative Risk Management Journey

By Brad Agee | November 19, 2020


A window of opportunity opens after you, as a CISO, CIRO or other security and risk management leader, realize you must transition from qualitative risk measurement techniques to quantitative ones. The next big step will be setting your team up to start the journey.

You can prepare the way by establishing a foundational mindset and a culture in your team based on Factor Analysis of Information Risk (FAIR™), the international standard for quantification of cyber and technology risk in financial terms. This blog post provides team-building strategies and curated content toward that goal.

To quote Omar Khawaja, the CISO who is pioneering FAIR at Highmark Health:

“The goal for us isn’t to use the FAIR methodology to deliver a particular risk assessment report. The goal is to create a culture that is risk-based, that isn’t always thinking there’s a gap, there’s a vulnerability, there’s a security control we haven’t purchased.” Read an interview with Omar.

So, where to begin? Invite others to discover the published FAIR material referenced below. I have found that an effective way to learn new information that challenges old assumptions is via a book club format for shared reading and discussion. This format establishes a clear roadmap of knowledge that ultimately will lead to program implementation.

Let's explore a couple of general topics and corresponding FAIR content that your team can discuss and absorb.

Brad Agee is a RiskLens Risk Consultant

Terminology Level Set

The essential domain to study and build consensus on within your team is risk terminology. Successful FAIR shops understand that a standard set of risk terms, definitions, and relationships brings clarity to discussions about risk, which is one of the great benefits of FAIR. You might focus first on the FAIR book and use the other references as supporting content.

FAIR Content:

Chapters 1-4 of Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund

  • The book is a must-read for all FAIR practitioners. Focus on these chapters for a terminology level set.
  • Note: Download group study guides for the FAIR book from the FAIR Institute Summer Book Club.

Jack Jones's white paper, A Clarification of ‘Risks’?

  • This 11-page white paper provides a practical discussion of (a) the frequent use of the term 'risk,' (b) the components of the risk landscape, and (c) what it means to identify and measure the frequency and magnitude of potential loss events.

Blog post Key Terms in Cyber Risk Analysis – Test Your Knowledge

  • This post provides a collated set of posts that put some common risk analysis terms into a FAIR context.

Blog post Using the FAIR Model to Measure Inherent Risk

  • Addresses how FAIR can be used to deal with inherent risk effectively.

Scenario Building - Scoping Process

Experienced quantitative risk analysts will tell you the most critical phase in performing a risk assessment is scoping. The following content will help you understand the elements of a risk assessment from a FAIR perspective and why the scoping process is so important. Again, I recommend you focus on the book first.

FAIR Content:

Chapters 5-6 of Measuring and Managing Information Risk: A FAIR Approach cover measurement and scoping.

Blog post Risk Analysis or Risk Assessment? Know the Difference

  • Clarifies how scoping a risk scenario and performing a risk analysis relate to the broader concept of a risk assessment.

Blog post How To Scope A Risk Analysis Using FAIR

  • This post provides further examples and details on scoping beyond what Jack's book covers.

A follow-up post, Assumptions in Risk Analysis Are a Powerful Thing, shows how assumptions play a crucial role (for better or worse) in scoping an analysis.

Blog post How to Explain FAIR to Auditors

  • How the FAIR methodology expands beyond the questions posed by auditors to assess the organization's expected loss exposure.

Blog post 3 Key Values of FAIR™ Risk Analysis (and 3 Reasons Your Organization Should Use It)

  • An excellent summary of all the references above.

Next Steps

CISOs who have successfully launched FAIR programs started with use cases to apply cyber risk quantification that yielded high value to the business in cost/benefit terms that were clear to business stakeholders. (See this blog post: 12 Bits of Advice from FAIR Veterans to New FAIR Evangelists).

