Wall St. Journal Says FAIR Helps Companies ‘Better Understand Cost of Cyber Threats’

August 13, 2019  Jeff B. Copeland

The Journal’s WSJ Pro Cybersecurity’s Cyber Daily newsletter took a look at Charles Schwab Corp.’s rollout of Factor Analysis of Information Risk, the FAIR model that powers the RiskLens platform – and liked what it saw.

In a post titled “Charles Schwab Looks to Risk-Based Model to Quantify Costs of Cyber Incidents” (subscription required to read), writer Catherine Stupp says Schwab sees FAIR “as a way to explain to corporate leaders what the potential financial losses from cyber threats may be.”

The Journal calls FAIR “different from more traditional threat assessment methods because it calculates the cost of risk based on a business’ broader concerns such as reputational damage and how attacks might affect productivity… The risk-based system can help companies better understand the costs of cyber threats.”

Brandon Young, managing director for cybersecurity framework and risk assessment, tells The Journal that Schwab will use FAIR to help it triage among the 1,500 issues it covers in an annual risk assessment. (Young was a speaker at the just concluded 2018 FAIR Conference, on a panel titled “How to Communicate the Value of FAIR to Internal and External Stakeholders.”)

“The key value that FAIR provides is a consistent way to communicate these risks and what we should be doing about them as a firm,” he tells The Journal. “That will allow us to get away from articulating our exposure from just a color coded heatmap perspective… It evolves the conversation at the board level around those metrics and gets it away from the technical security jargon sort of discussion.”

Nick Hayes, senior analyst at Forrester Research Inc., is quoted backing up Young’s views: FAIR eliminates the “cognitive bias” of qualitative risk measurement. As The Journal puts it, “Instead of ranking threats on a one-to-ten or one-to-five scale, FAIR puts a price tag on potential losses associated with them, and spells out what mitigation measures could cost.”

According to the Journal, Young thinks “the FAIR calculation helps security experts explain why vulnerabilities translate into loss, and it makes it easier for them to justify the price of mitigation measures to business leaders.” Schwab’s ongoing FAIR analyses will “start to show a quarterly trend up or down in terms of our controls’ effectiveness and the resulting annual loss expectancy associated with that,” Young says.
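To make concrete what “a price tag on potential losses” and a quarterly annual loss expectancy (ALE) trend look like, here is an added, simplified FAIR-style Monte Carlo estimate; it is illustration written for this post, not code from the article, Schwab or the RiskLens platform. FAIR’s top-level split into Loss Event Frequency and Loss Magnitude is real; the scenario, the calibrated ranges and the control cost are constructed assumptions.

```python
import random
import statistics

# FAIR decomposes risk into Loss Event Frequency (events per year) and
# Loss Magnitude (cost per event). The ranges below are constructed sample
# inputs, given as min / most-likely / max calibrated estimates.

def simulate_annual_losses(lef, lm, trials=20000, seed=7):
    """Monte Carlo over one year: draw a loss event count from the LEF
    range, then a loss magnitude for each event; return the total per trial."""
    rng = random.Random(seed)
    lef_min, lef_ml, lef_max = lef
    lm_min, lm_ml, lm_max = lm
    totals = []
    for _ in range(trials):
        # number of loss events this year, from a triangular (low, high, mode) draw
        events = int(round(rng.triangular(lef_min, lef_max, lef_ml)))
        totals.append(sum(rng.triangular(lm_min, lm_max, lm_ml) for _ in range(events)))
    return totals

def summarize(totals):
    """ALE is the mean simulated annual loss; the median and 90th percentile
    show the tail that a single heat-map colour hides."""
    s = sorted(totals)
    return {
        "ale": statistics.fmean(s),
        "median": s[len(s) // 2],
        "p90": s[int(0.9 * (len(s) - 1))],
        "max": s[-1],
    }

def control_roi(before, after, annual_control_cost):
    """Net annual benefit of a control: ALE reduction minus what the control costs."""
    reduction = before["ale"] - after["ale"]
    return {"ale_reduction": reduction, "net_benefit": reduction - annual_control_cost}

# Constructed scenario (hypothetical firm): phishing-driven account takeover.
LEF_BEFORE = (2, 6, 12)                        # loss events per year today
LEF_AFTER = (0, 2, 4)                          # assumed after phishing-resistant MFA
LOSS_MAGNITUDE = (20_000, 150_000, 1_200_000)  # dollars per event
CONTROL_COST = 250_000                         # assumed annual cost of the control

if __name__ == "__main__":
    before = summarize(simulate_annual_losses(LEF_BEFORE, LOSS_MAGNITUDE))
    after = summarize(simulate_annual_losses(LEF_AFTER, LOSS_MAGNITUDE))
    print("before control:", before)
    print("after control: ", after)
    print("control ROI:   ", control_roi(before, after, CONTROL_COST))
```

Re-running the same model each quarter with re-calibrated ranges is what produces the ALE trend Young describes.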

Forrester’s Nick Hayes believes that Schwab is part of a larger trend (in The Journal’s words) of “companies…moving to adopt risk assessment systems such as FAIR because risk-based results show business leaders the broader context of the kind of impact that cyber threats can have.”

As the only risk quantification platform purpose-built on FAIR, RiskLens is at the forefront of the trend that The Journal identifies. Our client base across industries — including many Fortune 100 companies — has operationalized FAIR in their risk management functions, with the “conversation-changing” results that The Journal mentions: financial-based risk reporting that shows a true picture of probable losses and return on investment for mitigation. Talk to us about bringing FAIR to your organization.

The article also mentions some recent FAIR milestones, quoting FAIR Institute membership director Luke Bader: close to 4,000 members and 30% of Fortune 100 companies now using the FAIR model for quantitative risk analysis.

The Journal is giving increased recognition to the movement for business-aligned cyber risk management. Last week, WSJ Pro Cybersecurity published an interview with James Lam, the corporate governance authority and member of the RiskLens board. “If CISOs push back on quantifying potential loss, I find that unacceptable as a director,” Lam told The Journal. Lam was also a speaker at the 2018 FAIR Conference, giving a keynote address, “A Risk Committee Chair’s View of ERM and Cybersecurity Oversight.”

Related:

Gartner Names Risk Quantification a Key Component for Risk Management

SEC Tells Private Companies to Up Their Game in Cyber Risk Disclosure