A window of opportunity opens after you, as a CISO, CIRO or other security and risk management leader realize you must transition away from qualitative risk measurement techniques towards quantitative. The next big step will be setting your team up to start the journey.
You can prepare the way by establishing a foundational mindset and a culture in your team based on Factor Analysis of Information Risk (FAIR™), the international standard for quantification of cyber and technology risk in financial terms. This blog post provides team-building strategies and curated content toward that goal.
To quote Omar Khawaja, the CISO who is pioneering FAIR at Highmark Health:
“The goal for us isn’t to use the FAIR methodology to deliver a particular risk assessment report. The goal is to create a culture that is risk-based, that isn’t always thinking there’s a gap, there’s a vulnerability, there’s a security control we haven’t purchased.” Read an interview with Omar.
So, where to begin? Invite others to discover the published FAIR material referenced below. I have found that an effective way to learn new information that challenges old assumptions is via a book club format for shared reading and discussion. This format establishes a clear roadmap of knowledge that ultimately will lead to program implementation.
Let's explore a couple of general topics and corresponding FAIR content that your team can discuss and absorb.
Brad Agee is a RiskLens Risk Consultant
Terminology Level Set
The essential domain to study and build consensus within your team is risk terminology. Successful FAIR shops understand that a standard set of risk terms, definitions, and relationships brings clarity to discussions about risk, which is one of the great benefits of FAIR. You might focus first on the FAIR book and use the other references as supporting content.
Chapters 1-4 of Measuring and Managing Information Risk: A FAIR Approach by Jack Jones and Jack Freund
- The book is a must-read for all FAIR practitioners. Focus on these chapters for a terminology level set.
- Note: Download group study guides for the FAIR book from the FAIR Institute Summer Book Club.
Jack Jones's white paper, A Clarification of ‘Risks’?
- This 11-page white paper provides a practical discussion of (a) the frequent use of the term 'risk,' (b) the components of the risk landscape, and (c) what it means to identify and measure the frequency and magnitude of potential loss events.
- This post provides a collated set of posts that put some common risk analysis terms into a FAIR context.
- Addresses how FAIR can be used to deal with inherent risk effectively.
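To make the "frequency and magnitude of potential loss events" idea concrete, here is an added worked example (not code from the FAIR book, the white paper, or the RiskLens platform). It takes calibrated min / most likely / max ranges for loss event frequency (LEF, events per year) and loss magnitude (LM, dollars per event), simulates many years, and reports the resulting annualized loss exposure in dollar terms. The scenario ranges are constructed for illustration, and the distribution choices (triangular sampling of the ranges, Poisson event counts within a year) are this example's assumptions, not a prescription of the standard.

```python
"""Monte Carlo estimate of annualized loss exposure from LEF and LM ranges.

Added illustration only: not from the FAIR book or the RiskLens platform.
Assumptions made here: each range is sampled with a triangular distribution,
and the number of loss events in a year is Poisson-distributed around the
sampled frequency.
"""
import math
import random


def poisson_sample(rng: random.Random, rate: float) -> int:
    """Draw an event count from Poisson(rate) using Knuth's multiplication method.

    Fine for the small annual event rates typical of loss-event scenarios.
    """
    if rate <= 0:
        return 0
    limit = math.exp(-rate)
    count = 0
    product = rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(lef, lm, years=10_000, seed=7):
    """Return one simulated total loss (dollars) for each simulated year.

    lef and lm are (min, most_likely, max) tuples: loss events per year and
    dollars per loss event respectively.
    """
    rng = random.Random(seed)
    lef_min, lef_ml, lef_max = lef
    lm_min, lm_ml, lm_max = lm
    totals = []
    for _ in range(years):
        # This year's loss event frequency, drawn from the calibrated range.
        rate = rng.triangular(lef_min, lef_max, lef_ml)
        # How many loss events actually occur this year at that rate.
        events = poisson_sample(rng, rate)
        # Each event has its own magnitude drawn from the LM range.
        total = sum(rng.triangular(lm_min, lm_max, lm_ml) for _ in range(events))
        totals.append(total)
    return totals


def summarize(totals):
    """Reduce the per-year losses to the figures a decision maker asks for."""
    ordered = sorted(totals)
    n = len(ordered)

    def pct(p):
        return ordered[min(n - 1, int(p * n))]

    return {
        "expected_annual_loss": sum(totals) / n,  # mean annualized loss exposure
        "p50": pct(0.50),                         # median year
        "p90": pct(0.90),                         # a bad year
        "max": ordered[-1],                       # worst simulated year
    }


if __name__ == "__main__":
    # Constructed scenario ranges (not real data): a loss scenario expected
    # 0.5 to 6 times a year, most likely twice, costing $20k to $900k per event.
    scenario_lef = (0.5, 2.0, 6.0)
    scenario_lm = (20_000, 150_000, 900_000)
    summary = summarize(simulate_annual_loss(scenario_lef, scenario_lm))
    for name, value in summary.items():
        print(f"{name:>21}: ${value:,.0f}")
```

The point of the exercise is the shape of the output: instead of a "high" or "medium" label, the team discusses an expected annual loss plus a tail figure (the 90th percentile year), which is exactly the kind of number a cost/benefit conversation with business stakeholders can use.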
Give your team a deeper FAIR education with the FAIR Analysis Fundamentals training course from RiskLens Academy, available with live and video instruction.
Scenario Building - Scoping Process
Experienced quantitative risk analysts will tell you the most critical phase in performing a risk assessment is scoping. The following content will help you understand the elements of a risk assessment from a FAIR perspective and why the scoping process is so important. Again, I recommend you focus on the book first.
Chapters 5-6 of Measuring and Managing Information Risk: A FAIR Approach cover measurement and scoping.
- Clarifies how scoping a risk scenario and performing a risk analysis relate to the broader concept of a risk assessment.
Blog post How To Scope A Risk Analysis Using FAIR
- This post provides further examples and details on scoping beyond those in Jack's book.
A follow-up post, Assumptions in Risk Analysis Are a Powerful Thing, shows how assumptions play a crucial role (for better or worse) in scoping an analysis.
Blog post How to Explain FAIR to Auditors
- How the FAIR methodology expands beyond the questions posed by auditors to assess the organization's expected loss exposure.
- An excellent summary of all the references above.
CISOs who have successfully launched FAIR programs started with use cases to apply cyber risk quantification that yielded high value to the business in cost/benefit terms that were clear to business stakeholders. (See this blog post: 12 Bits of Advice from FAIR Veterans to New FAIR Evangelists). RiskLens can help: We offer customized proof of value engagements led by our services team that can tackle a high-value use case or identify the top cyber risks your organization faces, in dollar terms, using the Rapid Risk Assessment capability of the platform.
Let us show you the value and flexibility of the RiskLens platform - Schedule a Demo