I was recently re-reading ISO 31000 because that's what one does for fun (don't you?). Surprisingly, I noticed on a few occasions that using heat maps (or qualitative RM) appears not to align with the guidelines.
When analysts don’t use a rigorous risk quantification model like FAIR to rate risks, and instead rely on the mental models in their heads they’ve developed from years of habit – odd things happen.
Another strong signal that FAIR and cyber risk quantification is emerging as the way that inforisk gets reported up to the board and senior management: CyberVista, the leading cybersecurity education and workforce development company known for its board director education work, has aligned the curriculum of its popular Resolve cybersecurity training with FAIR.
In a new column for Homeland Security Today, Define, Measure Risk Accurately to Avoid False Sense of Security, FAIR Institute Chairman Jack Jones applauds the Department of Homeland Security and other Federal agencies for taking a risk-based approach to cybersecurity in their new strategic plans – but questions whether they can truly identify and prioritize their risks.
Skeptics about the FAIR model love to scoff at quantitative risk analysis and dismiss it as mere “guesswork.” I have encountered this assertion several times while conducting analyses and I welcome the challenge each time; I view it as an invitation to a discussion.
Our professional team here at RiskLens has been steadily growing for the past two years. Our risk consultants come from a variety of backgrounds, with and without direct prior experience in risk management.
In a previous blog post, I wrote about how the FAIR quantitative risk model can be used to meet various regulatory and compliance requirements (specifically those that indicate the need for a formal risk assessment).
Prior to adopting FAIR to define and quantify risks as loss events, most organizations grapple with the all too common misconception that control deficiencies are the same thing as risks. This confusion not only alters the way organizations think about risk, but also the way they discuss and communicate risk.
With all the news about Russian hackers targeting US utility plant networks, we're bringing back into view this blog post about cyber risk quantification for utility operators, by Industrial Control System (ICS) authority Michael Radigan of Leidos Cyber, Inc.
Managing risk professionally means managing our own cognitive biases to effectively represent the risk facing our organizations. Overcoming the biases that each one of us brings to an analysis is a challenge and the only way to effectively manage this is by being actively aware of our own limitations in our perception of reality.