Yes, this is Cyber Risk 101, but risk analysis vs. risk assessment is a common point of confusion, so let Jack Jones explain it in an excerpt from his book Measuring and Managing Information Risk: A FAIR Approach:
Annualized Loss Exposure (ALE) is a key output from a FAIR quantitative risk analysis. ALE is computed as:
ALE = Event Frequency x Single Loss Magnitude
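The formula above is the point-estimate view. In practice a FAIR analysis does not plug in two single numbers; it carries calibrated ranges (minimum, most likely, maximum) for frequency and magnitude through a Monte Carlo simulation and reports the resulting distribution of annualized loss. The Python below is an added illustration, not code from the FAIR Institute or Jack Jones: it computes the point estimate exactly as written on the page, then generalizes it to a simulated ALE. The input ranges are constructed for the example, and triangular distributions are an assumption used here in place of the PERT distributions FAIR tooling commonly uses.

```python
import random
import statistics
from typing import Dict, List, Tuple

# (minimum, most likely, maximum); hypothetical calibrated estimates for one scenario
Range = Tuple[float, float, float]


def ale_point(event_frequency: float, single_loss_magnitude: float) -> float:
    """Point-estimate form of the page's formula:
    ALE = Event Frequency x Single Loss Magnitude."""
    return event_frequency * single_loss_magnitude


def _sample_triangular(rng: random.Random, r: Range) -> float:
    # random.triangular takes (low, high, mode); our Range is (min, most likely, max).
    low, mode, high = r
    return rng.triangular(low, high, mode)


def simulate_ale(freq: Range, magnitude: Range,
                 runs: int = 10_000, seed: int = 1) -> Dict[str, float]:
    """Monte Carlo form of the same formula.

    Each iteration draws one event frequency (events/year) and one single loss
    magnitude (currency per event) from triangular distributions built from the
    (min, most likely, max) estimates, multiplies them, and the results are
    summarised as a mean and a few percentiles instead of a single number.
    Triangular distributions are an assumption of this example; FAIR tooling
    commonly uses PERT distributions for calibrated ranges.
    """
    rng = random.Random(seed)  # fixed seed so the output is reproducible
    samples: List[float] = []
    for _ in range(runs):
        f = _sample_triangular(rng, freq)
        m = _sample_triangular(rng, magnitude)
        samples.append(ale_point(f, m))
    samples.sort()

    def percentile(p: float) -> float:
        return samples[min(int(p * runs), runs - 1)]

    return {
        "mean": statistics.fmean(samples),
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "max": samples[-1],
    }


if __name__ == "__main__":
    # Constructed scenario: 0.5 to 6 loss events per year (most likely 2),
    # each costing $50k to $1M (most likely $200k).
    freq_range: Range = (0.5, 2.0, 6.0)
    mag_range: Range = (50_000.0, 200_000.0, 1_000_000.0)
    print("point estimate:", ale_point(2.0, 200_000.0))
    for k, v in simulate_ale(freq_range, mag_range).items():
        print(f"{k:>5}: {v:,.0f}")
```

The point estimate (most likely frequency times most likely magnitude) is only $400k, while the simulated mean sits well above it, because the right-skewed ranges put real weight on the bad years. That gap is the reason FAIR reports a distribution rather than a single ALE figure.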
How much risk is associated with a bald tire? It depends...
In this video, Jack Jones walks you through the classic scenario (from his book Measuring and Managing Information Risk: A FAIR Approach) with a lesson about making assumptions and how they affect risk analysis and communication about risk.
by Jeff B. Copeland
The FAIR Institute, in partnership with ISA, RiskLens and RSA, is sponsoring the 2017 Risk Management Maturity Survey, an opportunity for cyber and information risk professionals to rate their risk management practices and benchmark their organizations against their peers.
Some of you may recall a series of posts I wrote on this topic last year. In the third post of that series I said I’d write another post that lays the foundation for dealing with risk appetite more effectively. Well, here we are a year later and I’m finally going to fulfill that promise. Hopefully, you’ll find the wait worthwhile.
In November, 2016, a Boeing employee emailed his spouse a spreadsheet from work because he needed help with formatting. In the spreadsheet: names, ID numbers, dates of birth and Social Security numbers for 36,000 Boeing employees.
“I don’t know.”
“I have no idea.”
“Where would I get that information?”
“I have no way of getting that information.”
These are just a few of the common responses we see when someone first attempts an analysis.
You might say this article, “Bank Cyber Chiefs at Odds Over Risk Models” (registration required) by Steve Marlin, just out on Risk.net, takes a snapshot of the current stage of evolution of banking information security executives, progressing towards a bank cyber risk model that’s as rigorous as the industry's models for market and credit risk.
Jack Jones recently walked the FAIR Institute’s Data Integration Workgroup monthly call-in through a thinking exercise: Assume you’re the CISO of a mid-sized hospital – how do you understand the risk of ransomware?