FAIR Institute Blog

FAIR Is Banks' 'Most Commonly Used Approach to Quantifying Cyber Threats', says Risk.net

Aug 7, 2017 8:00:00 AM / by Jeff B. Copeland posted in FAIR


Take the 2017 Risk Management Maturity Survey

Aug 1, 2017 10:14:28 AM / by Luke Bader posted in FAIR, Fair Conference 2017


The FAIR Institute, in partnership with ISARiskLens and RSA, is sponsoring the 2017 Risk Management Maturity Survey, an opportunity for cyber and information risk professionals to rate their risk management practices and benchmark their organizations against their peers. 


A FAIR View of Risk Appetite - Part 4 (finally!)

Aug 1, 2017 8:00:00 AM / by Jack Jones posted in FAIR


Some of you may recall a series of posts I wrote on this topic last year. In the third post of that series I said I’d write another post that lays the foundation for dealing with risk appetite more effectively.  Well, here we are a year later and I’m finally going to fulfill that promise.  Hopefully, you’ll find the wait worthwhile.


Anatomy of a FAIR Risk Analysis: Confidential Data in Email

Jul 30, 2017 8:00:00 PM / by Rebecca Merritt posted in FAIR


In November, 2016, a Boeing employee emailed his spouse a spreadsheet from work because he needed help with formatting. In the spreadsheet: names, ID numbers, dates of birth and Social Security numbers for 36,000 Boeing employees. 


Secrets to Gathering Good Data for a Risk Analysis

Jul 27, 2017 3:04:34 PM / by Tyanna Smith posted in FAIR, Risk Management


“I don’t know.”

“I have no idea.”

“Where would I get that information?”

“I have no way of getting that information.”

These are just a couple of the common responses we see when someone first attempts an analysis.

Bank CISOs Debate FAIR in Risk.net Article

Jul 21, 2017 10:36:48 AM / by Jeff B. Copeland posted in FAIR


You might say this article, “Bank Cyber Chiefs at Odds Over Risk Models” (registration required) by Steve Marlin, just out on Risk.net, takes a snapshot of the current stage of evolution of banking information security executives, progressing towards a bank cyber risk model that’s as rigorous as the industry's models for market and credit risk. 


Ransomware Risk: Setting Up a FAIR Analysis

Jul 20, 2017 4:08:12 PM / by Jeff B. Copeland posted in FAIR


Jack Jones recently walked the FAIR Institute’s Data Integration Workgroup monthly call-in through a thinking exercise: Assume you’re the CISO of a mid-sized hospital – how do you understand the risk of ransomware?


New Studies on FAIR for Threat Intelligence, Patient Information from The Open Group

Jul 12, 2017 8:00:00 AM / by Jim Hietala posted in FAIR


The Open Group’s Security Forum recently published two white papers of interest to FAIR practitioners, on applying FAIR to threat intelligence and to patient information risk.

The first is a white paper describing how to relate and use Open FAIR and the Risk Taxonomy Standard with STIX, a popular threat intelligence expression language. 


Toward a FAIR Notion of Criticality

Jul 5, 2017 3:19:58 PM / by Steve Poppe posted in FAIR


The idea of the “criticality” of an asset or resource appears in many cyber security standards, including NIST, ISO 27001, and the AICPA’s SSAE 16 criteria. 

Of the standards that define criticality, the best is in NIST SP800-53r4: “A measure of the degree to which an organization depends on the information or information system for the success of a mission or business function.” 


How Are Risk Treatment Decisions Delegated?

Jun 30, 2017 10:55:55 AM / by Isaiah McGowan posted in FAIR, Risk Management


In his post for the FAIR Institute Blog, How to Delegate Risk, Steve Poppe gives readers a great sense of how risks, expenses and budget decisions roll up. We're going to follow that to consider how risk treatment decisions are appropriated. Let’s look at it through the lens of the CISO.
