Legacy Approaches Fall Short

Put simply, qualitative cyber risk assessments aren’t risk assessments at all – as they fail to inform the business as to the financial risk it faces from cyber events. Moreover, standards-based checklists – while outlining best cybersecurity practices – don’t provide a roadmap to true cyber risk identification.

Qualitative ratings systems and standards-based checklists can’t answer today’s critical business questions, such as "How much risk do we have?" and "Which control is most effective in reducing risk?"

Risk Ratings on Shaky Ground

Qualitative assessments based on "high-medium-low" are directional at best and pit one analyst’s word against another. And risk scores on a 1-10 or 300-850 scale still can't tell you how much risk you have.

Compliant Is Not Risk-Aware

Most risk frameworks identify best cybersecurity practices, but checking more boxes does not automatically mean less risk.

Total Protection Is Impossible

Dynamic threat environments demand prioritized responses—and that starts with a focus on the highest business risks.

"Controls and procedures should enable companies to identify cybersecurity risks and incidents [and] assess and analyze their impact on a company’s business."

SEC Cybersecurity Disclosure Guidance

FAIR is "different from more traditional threat assessment methods because it calculates the cost of risk based on a business' broader concerns...the risk based system can help companies better understand the costs of cyber threats."

The Wall Street Journal's WSJ Pro Cybersecurity Newsletter

Risk Frameworks are About Compliance

Compliance is not Enough

Organizations will always have gaps in their compliance with cybersecurity frameworks and standards, such as the popular NIST CSF and ISO 27005.

The problem is that while frameworks are lists of best practices, they don’t help in actually measuring risk. Organizations are left to their own devices to evaluate what level of compliance is sufficient.

This is where the FAIR model for risk quantification comes in. A FAIR analysis with the RiskLens Platform enables organizations to evaluate and measure the significance of compliance gaps and make well-informed choices on which ones to address.

Risk Frameworks Tell You to Quantify Risk

But Not How to Do It

Frameworks have been developed by institutions such as NIST, ISO, PCI, ISACA, etc. with the purpose of providing a means for organizations to better manage risk.

While these frameworks can be useful for identifying basic risk management program elements that are missing or deficient, they are less useful in helping practitioners determine the explicit significance of those deficiencies, for the following reasons:

  • Limited or no focus on risk quantification
    • Risk frameworks are being used as reference checklists of best cybersecurity or risk management practices
  • Reliance on qualitative scales
    • For instance, NIST 800-30 attempts to provide a risk measurement method but falls short of setting standards for a true risk quantification model. The approach relies on qualitative or semi-quantitative scales to measure and combine information related to likelihood and impact of events
  • Flawed definitions
    • The definitions of key factors in the NIST 800-30 model, such as threat event likelihood, are flawed because they rest on qualitative scales that are problematic: they aren’t tied to a time scale, which leaves the data open to interpretation and potentially meaningless, and the scales are upper-bounded, so there is no way to distinguish an event that occurs once from one that occurs many times
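As an added illustration (not from the original page) of the time-scale and upper-bound objections in the list above: a constructed ordinal likelihood scale gives the same label to a loss scenario that occurs once a year and one that occurs monthly, while an annualized figure (frequency times single-event loss, the decomposition FAIR uses, which this page does not spell out) keeps them apart. The scale thresholds and the scenarios are assumptions made up for the example.

```python
from dataclasses import dataclass

# Constructed ordinal likelihood scale (not NIST's actual table): each tuple is
# (lower bound in events per year, label). The top bucket is upper-bounded, the
# flaw the list above describes: 1 event/year and 50 events/year both land in it.
ORDINAL_LIKELIHOOD = [
    (0.0, "Very Low"),
    (0.05, "Low"),
    (0.2, "Moderate"),
    (0.5, "High"),
    (1.0, "Very High"),
]

def ordinal_bucket(events_per_year: float) -> str:
    """Map an annual event frequency onto the ordinal scale."""
    label = ORDINAL_LIKELIHOOD[0][1]
    for lower_bound, name in ORDINAL_LIKELIHOOD:
        if events_per_year >= lower_bound:
            label = name
    return label

@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # frequency with an explicit time scale (per year)
    loss_per_event: float   # single-event loss magnitude in dollars

    def annualized_loss(self) -> float:
        # Frequency times magnitude, the decomposition FAIR uses for
        # annualized loss exposure (assumed here; the page does not spell it out).
        return self.events_per_year * self.loss_per_event

# Constructed scenarios: identical per-event loss, frequencies 12x apart.
SCENARIOS = (
    Scenario("phishing-driven account takeover, monthly", 12.0, 50_000.0),
    Scenario("phishing-driven account takeover, yearly", 1.0, 50_000.0),
)

def compare(scenarios=SCENARIOS) -> dict:
    """Return {scenario name: (ordinal bucket, annualized loss in dollars)}."""
    return {s.name: (ordinal_bucket(s.events_per_year), s.annualized_loss())
            for s in scenarios}

def ordinal_loses_information(scenarios=SCENARIOS) -> bool:
    """True when the scale gives every scenario the same label while the
    annualized figures differ, i.e. a ranking the scale cannot express."""
    results = compare(scenarios).values()
    labels = {bucket for bucket, _ in results}
    losses = {loss for _, loss in results}
    return len(labels) == 1 and len(losses) > 1
```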

In summary, most of these risk frameworks are less methods for risk analysis and more processes for assessing risk practices. Some are notably silent on the subject of how to compute risk, some openly allow third-party methods, while others are explicitly synergistic.

For organizations now relying on frameworks and/or qualitative risk analysis, the FAIR Model, applied through the RiskLens platform, adds a quantitative, economic dimension that gives rigor and direction to any cyber risk management program.

"FAIR is a quantifiable, repeatable methodology that has a proven model behind it that is actually relevant to our business...we can actually articulate risk and threat likelihood and consequences, it gets us in a good position as a trusted adviser to the board."

Grant Bourzikas, CISO at McAfee

"I think that FAIR is just a phenomenal program for being able to develop a consistent and rigorous methodology to reason about and measure and mitigate your cyber risk."

Zulfikar Ramzan, CTO at RSA

"If CISOs push back on quantifying potential loss, I find that unacceptable as a board director. CISOs need to advance."

James Lam, Director, E*Trade

eBook: An Executive’s Guide to Cyber Risk Economics

Jack Jones's high-level introduction to managing cyber risk from a business perspective. You'll learn how the FAIR model powers cost-benefit analysis for security initiatives on a par with other forms of enterprise risk management. Read this eBook and never be satisfied again with simple red-green-yellow risk ratings.


Going Beyond Existing Frameworks

Jack Jones and an expert panel talk better cyber risk management at the RSA Archer Summit.


True Cyber Risk Management

Let us help you measure your risk in financial terms.

RiskLens offers solutions that measure and analyze cybersecurity risk with the international FAIR standard.
