Three Reasons NOT to Build a FAIR Spreadsheet

June 18, 2019  Chris Bryant

Ever since the FAIR model was selected by The Open Group in 2013 as their standard model for quantifying information risk, risk professionals have been looking for ways to apply it practically. Users cherish the principles upon which FAIR is based:

  • Expressing risk in financial terms and enabling clear communication
  • Fueling effective and economical business decision-making around risk
  • Taking the “guesswork” out of the risk management equation

It’s no surprise then, that some risk analysts instinctively turn to spreadsheets to test the FAIR concepts and conduct basic risk analyses. After all, the FAIR model breaks down the various factors of a risk analysis in such logical and practical terms.

We have encountered several analysts who tried to hack their way into developing a spreadsheet-based risk analysis solution that could be used as part of their risk management program. Their assumption was that they might be able to develop a viable and possibly cost-effective alternative to commercially available applications.

Before you go ahead with your own spreadsheet solution for FAIR analysis, consider these three important cautions.

1. Many Have Tried Before without Success

Over the past several years, we’ve had the privilege of working with some of the largest and most influential companies in the world. It is no surprise that many, including top financial institutions with tremendous resources, decided to try this on their own.

Successes have been limited at best, and most efforts were abandoned once the teams realized the scope of the risk analysis requirements. There was much more at play than modeling a single analysis with discrete data inputs.

2. Spreadsheets Have Significant Inherent Limitations

You might try to create your own spreadsheet at the tail end of busy workdays. What you will soon discover is that spreadsheets are static and labor-intensive. Turning a general-purpose tool into a specialized enterprise cyber risk analysis and quantification solution is a hugely expensive endeavor:

  • Thousands of rows, hundreds of formulas and worksheets to maintain
  • Manual data collection and normalization
  • Copy and paste mistakes introduce formula errors

Also, there are certain objectives you simply cannot achieve. For instance:

  • Are you looking to aggregate risk across multiple facets of your business? How easy is that to do in a spreadsheet, and is it even possible?
  • Is it critical that the spreadsheet be fully grounded in and aligned with the FAIR model? Certification is a cumbersome process, so without it, alignment with the model is anyone's guess.
  • Do you need to make an important risk mitigation decision supported by what-if analysis? Again, this is very difficult, if not impossible, to complete in a spreadsheet.
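To make the aggregation and what-if points concrete, here is an added Python example (not code from RiskLens, FAIR-U or this article) that does the two things the list above says are hard in a spreadsheet: it aggregates annual loss across several loss scenarios by summing them within each Monte Carlo iteration, and it runs a what-if comparison by scaling a scenario's Loss Event Frequency range. FAIR's top-level factoring of risk into Loss Event Frequency (LEF) and Loss Magnitude (LM) is real; the scenario names, the (min, most likely, max) estimates, the use of the stdlib triangular distribution in place of the PERT distribution that FAIR tooling normally uses, and the per-iteration LEF × LM simplification are assumptions of this example.

```python
"""Monte Carlo sketch of a FAIR-style analysis (added example, not product code).

FAIR factors risk into Loss Event Frequency (LEF, loss events per year) and
Loss Magnitude (LM, loss per event). Each is estimated as a calibrated
(min, most likely, max) range. This example samples those ranges with the
stdlib triangular distribution, a stand-in for the PERT distribution used by
FAIR tooling (an assumption made here so the script runs with no dependencies).
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One loss scenario with calibrated (min, most_likely, max) ranges."""
    name: str
    lef: tuple  # loss events per year
    lm: tuple   # loss magnitude per event, in dollars


def _draw(rng, estimate):
    """Sample one value from a (min, most_likely, max) range."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)  # stdlib signature: (low, high, mode)


def simulate_annual_loss(scenario, iterations=10_000, seed=1):
    """Return `iterations` samples of annual loss = LEF * LM for one scenario.

    Multiplying a frequency sample by a magnitude sample is the simplified
    per-iteration approach typical of spreadsheet models (assumption of this
    example); fuller tooling draws an event count and sums per-event losses.
    """
    rng = random.Random(seed)
    return [_draw(rng, scenario.lef) * _draw(rng, scenario.lm)
            for _ in range(iterations)]


def analytic_ale(scenario):
    """Closed-form expected annual loss: mean(LEF) * mean(LM).

    The mean of a triangular(min, mode, max) distribution is their average, and
    LEF and LM are sampled independently, so this is the value the simulated
    mean should converge to. Useful as a sanity check on the simulation.
    """
    return sum(scenario.lef) / 3 * (sum(scenario.lm) / 3)


def percentile(values, p):
    """Nearest-rank percentile of a list of numbers (0 <= p <= 1)."""
    ordered = sorted(values)
    return ordered[int(round(p * (len(ordered) - 1)))]


def aggregate(scenarios, iterations=10_000, seed=1):
    """Aggregate risk across scenarios.

    Losses are summed within each iteration (not after summarising), so the
    tail of the total reflects years in which several scenarios hit at once.
    Each scenario gets its own seed so their samples are independent.
    """
    runs = {s.name: simulate_annual_loss(s, iterations, seed + i)
            for i, s in enumerate(scenarios)}
    totals = [sum(run[k] for run in runs.values()) for k in range(iterations)]
    return {
        "ale": {name: mean(v) for name, v in runs.items()},
        "total_ale": mean(totals),
        "total_p90": percentile(totals, 0.90),
    }


def what_if(scenario, lef_scale=1.0, lm_scale=1.0):
    """Return a copy of the scenario with its LEF and/or LM ranges scaled.

    Modelling a control as a multiplier on the estimate ranges is a modelling
    choice of this example; halving LEF stands for a control that stops half
    of the loss events.
    """
    scale = lambda r, f: tuple(x * f for x in r)
    return Scenario(scenario.name,
                    scale(scenario.lef, lef_scale),
                    scale(scenario.lm, lm_scale))


def compare_control(scenario, lef_scale, iterations=10_000, seed=1):
    """ALE before and after a control, with the same random draws for both."""
    before = mean(simulate_annual_loss(scenario, iterations, seed))
    after = mean(simulate_annual_loss(what_if(scenario, lef_scale=lef_scale),
                                      iterations, seed))
    return {"before": before, "after": after, "reduction": before - after}


# Constructed sample estimates for illustration only, not real data.
PORTFOLIO = [
    Scenario("phishing-credential-theft", (0.1, 0.5, 2.0), (10_000, 50_000, 300_000)),
    Scenario("ransomware-file-server", (0.02, 0.1, 0.5), (100_000, 500_000, 2_000_000)),
]

if __name__ == "__main__":
    summary = aggregate(PORTFOLIO)
    for name, ale in summary["ale"].items():
        print(f"{name:28s} ALE ${ale:,.0f}")
    print(f"portfolio total ALE ${summary['total_ale']:,.0f}, "
          f"90th percentile ${summary['total_p90']:,.0f}")
    print("what-if, halve phishing LEF:", compare_control(PORTFOLIO[0], 0.5))
```

The point of `aggregate` is the per-iteration sum: a spreadsheet that adds up per-scenario averages gets the total expected loss right but loses the tail, which is exactly what a risk appetite statement or a mitigation budget decision usually turns on. `compare_control` reuses the same seed for both runs so that the difference reflects the control, not sampling noise.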

3. We’ve Built the Right Tools for You

OK, so you’ve weighed all the pros and cons of a spreadsheet and have still decided to build your own solution to educate yourself on FAIR or do actual risk analyses... STOP. We’ve already done the work for you!

  • At FAIRCON17, RiskLens will be releasing the new version of FAIR-U, a risk analysis training app, for the benefit of the FAIR community. The tool will be better than any learning tool we’ve encountered, backed by RiskLens, technical advisor to the FAIR Institute… completely free of charge.
  • If you are ready for enterprise-grade risk analyses, then consider RiskLens, the only risk quantification platform purpose-built on FAIR.

So, whether you are just starting with FAIR or have enterprise risk analysis needs, consider FAIR-U or RiskLens before building your own spreadsheet.

Here is a chart comparing spreadsheet-based approaches to FAIR analyses with FAIR-U and RiskLens.

[Chart: spreadsheet-based FAIR analysis vs. FAIR-U vs. RiskLens; image not included in this text]
Where to Go from Here

Whatever path you decide to take, we’re very glad you have an interest in FAIR. We strongly believe this model will continue to change our profession for the better and help many cyber risk professionals manage cybersecurity from the business perspective.

If you’re interested in learning more about FAIR, the FAIR Institute will be hosting the second annual FAIR Conference in Dallas this October 16-17th, back to back with RSA Charge. This will be a fantastic event, and you can still take advantage of discounted pricing if you’re a member of the FAIR Institute.
