FAIR Institute Blog

Jack Jones

Jack Jones

Recent Posts

Is Cyber Risk Measurement Just Guessing? -- Part 2

[fa icon="calendar'] Feb 6, 2018 2:17:28 PM / by Jack Jones posted in FAIR

[fa icon="comment"] 6 Comments

In the first post of this series, I focused on answering a commonly expressed concern about the reliability of cyber risk measurement. At the end of that post, I mentioned that some readers might draw a distinction between an example I gave and the real world of cyber risk measurement. 

Read More [fa icon="long-arrow-right"]

Ponemon Report on the True Cost of Compliance -- A Missed Opportunity

[fa icon="calendar'] Jan 3, 2018 9:00:00 AM / by Jack Jones posted in Risk Management, Jack Jones

[fa icon="comment"] 7 Comments

The Wall Street Journal recently referenced a research report published by Ponemon Institute entitled The True Cost of Compliance With Data Protection Regulations.  After reading the report I’ve come to the conclusion that although the research objective was admirable, it completely missed the target. 

Read More [fa icon="long-arrow-right"]

Jack Jones Looks Forward into 2018 for Cyber and Technology Risk

[fa icon="calendar'] Dec 29, 2017 1:20:00 PM / by Jack Jones posted in FAIR, Jack Jones

[fa icon="comment"] 4 Comments

When I was recently asked to write a blog post making cyber and technology risk predictions for 2018, I balked.  If you’ve read (and you should read)  Superforecasting: The Art and Science of Prediction  (Dan Gardner and Philip Tetlock), you’ll understand why. 

Read More [fa icon="long-arrow-right"]

Is Cyber Risk Measurement Just "Guessing"?

[fa icon="calendar'] Sep 12, 2017 12:36:29 PM / by Jack Jones posted in FAIR, Risk Management

[fa icon="comment"] 0 Comments

I regularly read blog posts or encounter people in our profession who dismiss quantitative cyber risk measurement as “guessing”, or “nothing more than feelings” (cue the Morris Albert song).  Since this is such a common concern, I thought it would be worthwhile to examine this issue of what's subjective, what's objective and what falls between. 

Read More [fa icon="long-arrow-right"]

A FAIR View of Risk Appetite - Part 4 (finally!)

[fa icon="calendar'] Aug 1, 2017 8:00:00 AM / by Jack Jones posted in FAIR

[fa icon="comment"] 0 Comments

Some of you may recall a series of posts I wrote on this topic last year. In the third post of that series I said I’d write another post that lays the foundation for dealing with risk appetite more effectively.  Well, here we are a year later and I’m finally going to fulfill that promise.  Hopefully, you’ll find the wait worthwhile.

Read More [fa icon="long-arrow-right"]

Measuring Reputation Damage in Cyber Risk Analysis - Part 1

[fa icon="calendar'] Jul 10, 2017 9:47:23 AM / by Jack Jones

[fa icon="comment"] 4 Comments

In a recent survey, information security professionals identified reputational damage as the most costly form of loss from cyber events.  But is it really?  In this first post in a series I’ll lay some groundwork that should help us evaluate the potential impact of cyber event-related loss of reputation.

Read More [fa icon="long-arrow-right"]

Cyber Economics: Smarter (vs. More Expensive) Cybersecurity

[fa icon="calendar'] May 30, 2017 11:19:02 AM / by Jack Jones posted in FAIR

[fa icon="comment"] 2 Comments

Recently, the Wall Street Journal (WSJ.com) published two charts from Juniper Research that paint a disheartening picture of the state of cybersecurity.  One chart shows a projection of cybersecurity spending increasing (more or less linearly) over the coming five years, while the other chart projects a more exponential-looking growth in cybersecurity losses over that same timespan. 

Read More [fa icon="long-arrow-right"]

Measuring Cyber Risk Requires Two Models, Not One

[fa icon="calendar'] May 10, 2017 5:00:08 PM / by Jack Jones posted in FAIR

[fa icon="comment"] 1 Comment

There are a lot of reasons why some people believe measuring cyber risk isn’t possible — from misperceptions about data shortage, to the fallacy about intelligent adversaries, to the inconsistencies that commonly occur when two different people get two different answers when measuring the same risk. 

Read More [fa icon="long-arrow-right"]

How to Deal with "Data Challenged" Risk Analyses

[fa icon="calendar'] May 2, 2017 10:36:38 AM / by Jack Jones posted in FAIR

[fa icon="comment"] 3 Comments

In the first two posts of this series, I discussed questions regarding how to make estimates when data is sparse or missing altogether, and how to account for the fact that historical data may not perfectly reflect the future.  In this post, I’ll walk through an example risk analysis that is challenged in both of those respects.

Read More [fa icon="long-arrow-right"]

Using Historical Data

[fa icon="calendar'] Apr 25, 2017 10:44:11 AM / by Jack Jones posted in FAIR, Risk Management

[fa icon="comment"] 1 Comment

In my previous post (No Data? No Problem) I discussed the question, “How do you make estimates when you have no data?”  This post focuses on a related question – whether historical data can be relied upon to reflect the future.  

Read More [fa icon="long-arrow-right"]
LEARN MORE

Subscribe to Email Updates

417NjDVYgtL._SX404_BO1204203200_.jpg
Learn How FAIR Can Help You
Make Better Business Decisions

Recent Posts