The Institute behind the FAIR model (that’s Factor Analysis of Information Risk) that RiskLens supports as a Technical Advisor recently passed two milestones that confirm the growing movement to quantitative risk analysis and FAIR, the only international standard for quantification of information security and operational risk.
Membership in the FAIR Institute passed 3,000, about double level of a year ago
The FAIR Institute is a non-profit professional organization dedicated to advancing the discipline of measuring and managing information risk. The 3,200 members have access to a lively blog, discussion board, online workgroups, local chapter meetings and the annual gathering, the FAIR Conference (this year at Carnegie Mellon University, Pittsburgh, PA, October 16-17). Membership is free.
An estimated 30% of the Fortune 100 companies now use FAIR for cyber risk analysis
Significantly, the FAIR movement has found a strong foothold among the most sophisticated risk management shops, at the biggest US companies. Some of the organizations that have adopted FAIR and that are active in the FAIR Institute include Bank of America, Cisco and ADP.
What’s the appeal of FAIR?
- FAIR translates the impact of cyber risk into money terms for the first time: no more heat maps or other qualitative risk “measurements” that just add up to guesswork.
- It’s a transparent model, not a black box: anyone in an organization can see the inputs that go into an analysis.
- The analysis output is always in a range of probable outcomes, so decision makers can choose their level of acceptable risk.
- Running the analysis, particularly through the RiskLens platform that automates FAIR modeling, requires no special knowledge of statistics.
Major push and pull forces in business and government are driving toward quantitative risk analysis
- Influential technology consultancy Gartner is advocating that inforisk professionals move to an Integrated Risk Management (IRM) approach, and away from a standards-compliance mindset. Gartner calls risk quantification analysis one of the five must-haves to run an IRM program. The leading GRC solutions vendor, RSA Archer, this year began offering the RiskLens FAIR platform as part of their Archer offering. An RSA executive speaking at the organization’s recent user conference called FAIR “the Rosetta Stone that ensures we are all speaking the same language” on risk.
- Regulators of publicly traded and financial companies are increasingly demanding disclosure in financial terms of cyber risk. This year, the Securities and Exchange Commission (SEC) expanded it guidance on cyber risk disclosure beyond a focus on reporting attacks and into new territory: ongoing, material cyber risks, reported in financial terms. The powerful New York Department of Financial Services (DFS) recently required licensed companies to show regulators that they are implementing a comprehensive cybersecurity program based on a risk assessment. And the European Union implemented data privacy regulations (the GDPR) that are pushing many companies to get serious about risk/reward estimations in order to practically comply with the sweeping new requirements.
3 ways to get started building a FAIR risk quantification program in your organization
1. Read the e-book An Executive’s Guide to Cyber Risk Economics by Jack Jones, creator of the FAIR model, to prepare the way in your organization for a quantitative analytical approach – it’s a mindset change, first of all, not simply a new application to buy.
2. Schedule a RiskLens demo to see a FAIR analysis in action and learn how to apply FAIR to your specific enterprise needs.
3. Attend the 2018 FAIR Conference in October; hear from FAIR experts and just as important, meet FAIR practitioners for a hands-on look at how they introduced risk quantification to their organizations. See some highlights from last year's conference in this video...