FAIR Institute Blog

Intel revealed a new speculative execution vulnerability named ZombieLoad and it is yet another processor execution bug in the style of Spectre and Meltdown that were made public in January of 2018.

The FAIR Institute is proud to announce the newest addition to the FAIR Institute Board of Advisors, Donna Gallaher, President and CEO, New Oceans Enterprises.

To provide a more convenient way to train your organization on risk quantification and assess the maturity of your risk management program...

The Enterprise Membership Program has been designed and created to provide group benefits to Institute member organizations.

Looking for a Quantitative Cyber Risk Specialist, a Risk Quantification Analyst or even a Senior Factor Analysis of Information Risk (FAIR) Analyst?  It’s a sign of the rapid adoption of FAIR that organizations have recently been advertising for new hires with those titles

It’s an issue that comes up again and again at FAIR conferences, chapter meetings, webcasts or discussion boards: “I get the value of FAIR quantitative risk analysis – but I don’t know how or where I could start implementing it.”

I’ve observed an epidemic that is endemic to perfectionists and newer practitioners of quantitative cyber risk analysis: analysis paralysis. Here are some of the symptoms:

You’ve tried your hand at running one-off scenarios with FAIR, say to identify your top risks – now learn an ongoing use for FAIR to monitor your key risk indicators (KRIs).

‘Low’ loss exposure scenarios are often cause for celebration, or at least an exhausted sigh of relief from the CISO who is already juggling the remediation plans of countless other higher risk scenarios.

In basic terms, a company’s “risk appetite” is the level of risk the organization sees as acceptable.  Not surprisingly, some use the phrase “risk tolerance” interchangeably with “risk appetite” (there is an important difference: "tolerance" is how far off "appetite" the organization will go).