Respected Voice in Cybersecurity Phil Venables Calls FAIR™ a “Well-Worked” Model for “Analytical Rigor” in Cyber Risk Analysis

May 18, 2020  Jeff B. Copeland

In a new blog post, Phil Venables, a 3x CISO (Goldman Sachs, Deutsche Bank, Standard Chartered Bank) and current board member for Goldman Sachs Bank and many professional organizations (CIS, NIST), has added his respected voice to the recognition for FAIR™, the international standard for cyber risk quantification that’s operationalized by the RiskLens platform.

Risk quantification “exists to compel some action,” Phil writes, and FAIR analysis generates a “loss distribution to then make more formal risk tolerance decisions” with “the added advantage of a well-worked ontology and supporting practice to aid in analytical rigor.”

Phil goes on to give some insightful cautions about effective use of quantitative analytics:

“Risk quantification and risk communication are two different disciplines”

Phil writes that “most criticism of risk quantification is actually criticism of risk communication techniques that have been dressed up or misinterpreted as risk quantification,” such as ordinal scales based on qualitative ratings or simplistic equations such as Risk = Threat x Vulnerability.

“Risk is managed by experienced people with judgement using data, not by the data alone”

“Mature uses of risk quantification build decision making processes that are informed by multiple streams of data” so risk managers can look for contradictions that bring the data into question or “common themes across the data that increase the confidence level for a subset of potential courses of action.” The RiskLens platform enables this “mature use” with structured data collection based on FAIR. That data feeds into a Monte Carlo engine that yields results as a range of probable impact at varying confidence levels (10%, Most Likely, 90%, etc.). The platform also enables “what-if” analysis to compare the effects of various security steps on risk scenarios.
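To make the loss-distribution and what-if ideas above concrete, here is an added, self-contained illustration of a FAIR-style Monte Carlo simulation; it is not RiskLens code and not part of Phil's post. It assumes triangular distributions in place of the PERT distributions FAIR practice usually uses, constructed (uncalibrated) inputs for a phishing scenario, and a hypothetical MFA control whose only modelled effect is a lower vulnerability estimate.

```python
import math
import random

def sample(rng, est):
    # est = (min, most likely, max); triangular stands in for the PERT shape FAIR usually uses
    low, mode, high = est
    return rng.triangular(low, high, mode)

def poisson(rng, lam):
    # Knuth's method: adequate for the small annual event rates FAIR scenarios produce
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def most_likely(values, bins=20):
    # mode of the simulated distribution, read off a coarse histogram
    lo, hi = min(values), max(values)
    width = (hi - lo) / bins or 1.0
    counts = [0] * bins
    for v in values:
        counts[min(bins - 1, int((v - lo) / width))] += 1
    return lo + (counts.index(max(counts)) + 0.5) * (hi - lo) / bins

def simulate(s, iterations=10_000, seed=1):
    # one iteration = one simulated year: LEF = TEF x vulnerability, loss magnitude summed per event
    rng, years = random.Random(seed), []
    for _ in range(iterations):
        tef = sample(rng, s["contact_frequency"]) * sample(rng, s["probability_of_action"])
        events = poisson(rng, tef * sample(rng, s["vulnerability"]))
        years.append(sum(sample(rng, s["loss_magnitude"]) for _ in range(events)))
    years.sort()
    pct = lambda p: years[min(len(years) - 1, int(p * len(years)))]
    return {"p10": pct(0.10), "most_likely": most_likely(years), "p90": pct(0.90),
            "mean": sum(years) / len(years)}

# Constructed inputs, not calibrated data: credential phishing against a customer portal.
BASELINE = {
    "contact_frequency": (20, 50, 100),        # phishing contacts per year
    "probability_of_action": (0.2, 0.4, 0.6),  # share of contacts that become threat events
    "vulnerability": (0.1, 0.3, 0.5),          # share of threat events that become loss events
    "loss_magnitude": (50_000, 200_000, 1_000_000),  # loss per loss event
}
# What-if: phishing-resistant MFA is assumed to cut vulnerability; every other input is unchanged.
WITH_MFA = {**BASELINE, "vulnerability": (0.02, 0.1, 0.2)}
if __name__ == "__main__":
    for name, scenario in (("baseline", BASELINE), ("with MFA", WITH_MFA)):
        print(name, {k: round(v) for k, v in simulate(scenario).items()})
```

Comparing the two result rows is the "what-if" step: the gap between the baseline and MFA loss ranges is the exposure the control buys down, which can then be weighed against its cost.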

“All risk quantification is wrong, but some is useful (paraphrased)”

Phil makes this statement:

“When you do need more advanced methods, because to use basic counts would be too complex and insufficiently forward looking, then be careful how you use them. Methods like FAIR are good, but they are best used in a macro way to influence broad decisions of resource allocation or prioritization vs. being used for every micro decision you might make - if the cost of doing the risk analysis exceeds the cost of implementing the control then just implement the damn control” (his underlining). 

We’d like to invite Phil to take a look at new solutions offerings from RiskLens – and reconsider this limited view of what a FAIR cyber risk management program can do.

We introduced the RiskLens FAIR Enterprise Model™ (RF-EM™), built to operate through the RiskLens platform on an enterprise level, with a focus on solving the common challenges that risk analysts face every day: audit findings prioritization, policy exception request reviews, cost-benefit analysis, risk portfolio analysis, board reporting and many more. We also introduced Rapid Risk Assessment to the RiskLens platform, which enables risk analyses in 15 minutes to identify top risks across multiple parameters so decision-makers can make quick judgments on which should be prioritized for deeper analysis or faster mitigation.

At RiskLens, we think organizations should have ongoing, cost-effective decision support from FAIR risk quantification for broad decisions and “micro decisions” alike.