Big news if you’re a student of FAIR, an organization evaluating FAIR before taking the plunge on a paid risk analysis solution, a do-it-yourselfer who’s been running FAIR on a spreadsheet, or just curious about the buzz around the quantitative model that’s shaking up the risk-analysis profession. The FAIR Institute has just released FAIR-U, the first officially sanctioned training app for FAIR. The tool is offered free of charge by RiskLens, Technical Advisor to the FAIR Institute.
In the FAIR model for risk analysis, Loss Magnitude—i.e. the monetary impact of a loss event—is bucketed in six Forms of Loss: Productivity, Response, Replacement, Competitive Advantage, Fines & Judgements, and Reputation.
Jack Jones…creator of the FAIR model (that’s Factor Analysis of Information Risk)…author of the FAIR book Measuring and Managing Information Risk: A FAIR Approach…chairman of the FAIR Institute…and the leading evangelist for effective risk measurement based on critical thinking. For a quick education on Jack’s thinking and the FAIR approach to risk, check out this reading list of Jack’s 10 most popular writings on the FAIR Institute blog.
After a short summer break, the FAIR Institute Operational Risk workgroup met again in August to continue our project using the FAIR methodology to revise a typical list of “top operational risks” (we found our list on Risk.net).
Look for thousands of job listings next year for “data protection officer” to meet a requirement of the European Union’s General Data Protection Regulation, the privacy law that goes into effect May 18, 2018. Here’s a quick rundown to see if you need to start shopping for a DPO, as well.
Sensitive documents from the US National Geospatial-Intelligence Agency…data on 14 million Verizon customers…voter information on 198 million Americans…Just a few of the reports this year on data breaches—or open data discovered by security researchers before a breach occurred—on Amazon S3 “buckets”.
Donald Freese, Deputy Assistant Director of the FBI in the information technology branch, gave the opening keynote talk last week to the (ISC)² Security Congress in Austin, and hit some themes inspired by FAIR.
The new NIST 800-63-3 Digital Identity Guidelines and FAIR were “made for each other”, writes Chip Block, VP at Evolver, Inc. (the operator of large-scale security operations centers for government and business), in an article just published on The Security Ledger website: the guidelines establish levels of security based on risk, and FAIR sets monetary values for the risk, enabling organizations to prioritize spending.
UPDATE: The FAIR-U training app is now available. Get access to the web app now.
At the FAIR Conference in mid-October, the FAIR Institute will introduce FAIR-U, our first officially sanctioned training application for running FAIR risk analysis, guaranteed to correctly leverage the FAIR model.
Precise definitions of the factors that go into an accurate risk analysis – that may be the bottom-line advantage of the FAIR approach. For a great example, take Vulnerability, most often loosely defined as "weakness"; FAIR gives it a more focused and useful meaning: “the probability that a threat event will become a loss event.”