In the first two posts of this series I talked about how most organizations seem to characterize themselves as having a “Medium-Low” risk appetite,
In Part 1 of this series I shared that most organizations seem to, almost by default, characterize themselves as having a “Medium-Low” risk appetite.
People regularly ask questions regarding FAIR’s difficulty and the difficulty of quantitative risk analysis in general.
As with so many other terms in the risk management profession, there seems to be a fair amount of squishiness and inconsistency in how risk appetite (and its close cousin, risk tolerance) are defined and used.
I’m often asked, “How does FAIR account for, or deal with, inherent risk?” This particular question doubles as one of my most favorite and least favorite, for different reasons.
Adding the “So What?”
It’s easy to understand that higher levels of maturity in various controls or risk management functions should equate to less risk. The challenge comes in measuring how much risk will be reduced by certain improvements.
A round peg in a round hole
As I mentioned in Part 2 of this series, frameworks like NIST CSF (and PCI DSS, ISO 27xxx, FFIEC CAT, etc.) have inherent limitations regarding their ability to help organizations measure risk, prioritize their concerns, or communicate the true value proposition of cyber security improvements. The good news is that these missing capabilities are where FAIR shines. That said, there are challenges…
Ever wonder how the FAIR standard risk model was started?
In this video, the author of FAIR, Jack Jones, explains his personal journey through cyber security and how that led him to create the FAIR ontology.
Last week, I had the privilege of leading a full-day risk summit on information security (cyber) risk in Orlando at the 2016 Infosec World conference.
Over 50 professionals attended the summit, representing a wide variety of industries and roles.
A Review of NIST CSF
Giving credit where credit is due
The people who designed and contributed to the NIST Cybersecurity Framework (CSF) clearly put a lot of thought into it, and this is demonstrated through some important positive aspects: