This is the most common “sin” we run into within the industry. Analysts, often not specifically trained on risk, focus almost solely on controls and their effectiveness.
Annualized Loss Exposure (ALE) is a key output from a FAIR quantitative risk analysis. ALE is computed as:
ALE = Event Frequency x Single Loss Magnitude
When working on the Loss Magnitude side of the FAIR risk model, and filling out lists for the standard six Forms of Loss, there are some types of loss that are easy to overlook or too hard to get data for. In this post my aim is to share tips on some of these "less obvious losses" associated with 4 of the 6 standard forms in the model.
FAIR specialist Chad Weinman from RiskLens recently shared his thoughts about the draft update 1.1 to the NIST Cybersecurity Framework in a RiskLens blog post. We are re-posting the most salient parts of his article for the benefit of FAIR Institute members.
Using qualitative and quantitative methods to assess risk
A 2015 Open Group survey collected data about information risk programs from over 100 organizations. One important insight was that more than half of all surveyed organizations used a combination of both qualitative and quantitative methods for their risk analyses.
You may remember the management adage that says "You can't manage what you don't measure". I will happily add a sibling: "You can't measure what you haven't defined."
When it comes to risk analysis, getting off on the right foot is foundational. Very often when we see individuals struggling with risk analysis, our first instinct is to review their scoping.