As a risk consultant, I run a lot of meetings for project scoping or data gathering that bring together people from around a company, usually with different perspectives and agendas. Often these meetings require that everyone come together and agree on a direction for a risk analysis project.
I regularly read blog posts or encounter people in our profession who dismiss quantitative cyber risk measurement as “guessing”, or “nothing more than feelings” (cue the Morris Albert song). Since this is such a common concern, I thought it would be worthwhile to examine this issue of what's subjective, what's objective and what falls between.
With over 100 responses already, we would like to extend the opportunity to participate in the 2017 Risk Management Maturity Survey to all risk management professionals.
The first big step in a risk analysis is scoping. Each part of the analysis process builds on the one before it, so if you get scoping wrong, the rest of your analysis is on shaky ground at best. Remember, scoping is where you clearly:
With the massive flooding in Houston from Hurricane Harvey, we're re-publishing this very relevant post from 2016 by Steve Poppe about how local governments can apply FAIR modeling to plan for megastorms.
This is the most common “sin” we run into within the industry. Analysts, often not specifically trained on risk, focus almost solely on controls and their effectiveness.
This may not come as a shock, but a big part of what a risk analyst does is analyzing the issues an organization is concerned might occur.
The analysis part of the job spans an entire process, but a critical early step is finding those things that are actually worth conducting a risk analysis on.
“I don’t know.”
“I have no idea.”
“Where would I get that information?”
“I have no way of getting that information.”
These are just a few of the common responses we see when someone first attempts an analysis.
Hats off to (FAIR Institute Board Member) Wade Baker and partner Jay Jacobs of Cyentia Institute for plowing through all the available public data sources on ransomware and writing two blog posts that are essential reading for anyone serious about estimating ransomware risk from a solid foundation.
In his post for the FAIR Institute Blog, How to Delegate Risk, Steve Poppe gives readers a great sense of how risks, expenses and budget decisions roll up. We're going to follow that to consider how risk treatment decisions are appropriated. Let’s look at it through the lens of the CISO.