There are many reasons why cyber risk quantification utilizing the FAIR™ model has been adopted by 30% of the Fortune 1000. Regardless of the overwhelming support for the international cyber risk quantification standard, you might be hesitant whether or not the benefits are worth the change to your existing risk management process.
While the pun material is reason enough to earn my vote (it’s almost unFAIR how easy it is…), outlined below are three key values of FAIR, and the key reasons why your organization should be using it.
1. Common Vocabulary
During your next meeting, ask your team to define the word “risk.” You are likely going to be met with equal parts awkward silence and long-winded answers. This is because, as an industry, we have not done a good enough job in defining our vocabulary. If you take a minute to think about the actual purpose of risk management – why you’re reading this blog post in the first place – it’s all about gaining a better understanding of the environment and effectively prioritizing resources in order to limit future losses as cost-effectively as possible. That’s what risk is – those probable future losses we are hoping to limit based on the choices we make.
>>>The reason you’re struggling to understand and manage risk in your environment is that the items that have floated to the top of your risk register are actually not risks at all.
They’re likely assets, threats, effects, and probably even a few methods thrown in. It is impossible to understand and evaluate what we have not clearly defined.
Using FAIR, risk as well as all relevant components of risk are clearly defined in a way that allows for effective communication across the organization – business and tech alike.
2. Clearly Defined Loss Statements
The benefit of having a common vocabulary is that once those terms are mutually agreed upon and understood, they can be used to provide clarity to the way in which you are defining and evaluating cyber risk in your environment.
>>>You are having trouble confidently assigning a rating to “insiders” because, without a properly defined scenario, you have no way of understanding what the probable future loss from insiders is.
In order to know how much risk is associated with something, we need to be able to estimate how often that thing might occur, and how much it will cost each time it does. Only events have frequencies and magnitudes – therefore we need to clearly define the event we are concerned about. A properly scoped event has an asset, threat, effect, and optional method.
A couple of examples of properly scoped loss statements related to “insiders” would be:
· Analyze the risk associated with malicious privileged insiders (threat) inappropriately exfiltrating and sharing customer PII contained in the customer database (asset), resulting in confidentiality loss (effect).
· Analyze the risk associated with non-malicious privileged insiders (threat) misdelivering (method) emails containing sensitive customer information (asset), resulting in confidentiality loss (effect).
· Analyze the risk associated with non-malicious privileged insiders (threat) implementing unapproved changes (method) to the e-commerce platform (asset), resulting in an impact to availability (effect).
As you can imagine, the probable future loss of those events likely differs greatly, which is why clearly defining the loss statement is so imperative to accurate risk analysis.
3. Meaningful Measurements
If I haven’t swayed you yet, let’s go back to the purpose or goal of risk management. We can hopefully agree it is something along the lines of gaining a better understanding of the environment and effectively prioritizing resources in order to limit future losses as cost-effectively as possible. Due to the inherent subjectivity of existing qualitative methods (high, medium, low / red, yellow, green), they cannot be used effectively to provide clarity around probable future loss or to prioritize those future losses.
In order to effectively inform economic decisions, economic values must be used. We need to be able to determine which remediation strategy has the greatest return on investment, which requires that we understand how much risk we face today, how much less risk we will face if the control were implemented, and the cost of that investment.
>>>While utilizing qualitative methods may provide some prioritization capability (we assume a red is some degree worse than a yellow), we cannot know the “bang for our buck” because we have no way of economically evaluating the difference between a red and yellow.
FAIR utilizes economic values – dollars and cents – in order to understand the actual financial impact of a loss event occurring. This meaningful measurement enables defensible, risk-based decisions and elevates your conversations from “which red is the reddest red?” to prioritizing concerns and initiatives based on how they impact the bottom line.
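As an added example (not from the post, and not FAIR’s own tooling), here is the frequency-and-magnitude reasoning from section 2 and the control ROI comparison from section 3 carried through in Python: the first insider loss statement above is given constructed minimum / most-likely / maximum estimates, annual loss is simulated by sampling how often the event occurs and then a magnitude for each occurrence, and a hypothetical DLP control is compared against its cost. Triangular sampling stands in for the PERT/beta fit usually used with FAIR, and every number is illustrative.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Estimate:
    low: float    # calibrated minimum, most-likely and maximum for one FAIR factor
    mode: float
    high: float

@dataclass(frozen=True)
class LossScenario:
    name: str      # the loss statement: asset + threat + effect (+ method)
    lef: Estimate  # Loss Event Frequency, events per year
    lm: Estimate   # Loss Magnitude, dollars per event

def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small yearly event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(s: LossScenario, iterations: int = 10_000, seed: int = 1) -> list:
    """One simulated annual loss per iteration: sample a yearly frequency, draw that
    many loss events, and sum an independently sampled magnitude for each event."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(iterations):
        freq = rng.triangular(s.lef.low, s.lef.high, s.lef.mode)
        yearly.append(sum(rng.triangular(s.lm.low, s.lm.high, s.lm.mode)
                          for _ in range(_poisson(rng, freq))))
    return yearly

def control_roi(current: LossScenario, with_control: LossScenario, annual_cost: float) -> dict:
    """Annualized loss exposure with and without a control, and the risk reduction
    net of the control's yearly cost expressed as a return on investment."""
    ale_before = mean(simulate_annual_loss(current))
    ale_after = mean(simulate_annual_loss(with_control, seed=2))
    reduction = ale_before - ale_after
    return {"ale_before": ale_before, "ale_after": ale_after,
            "risk_reduction": reduction, "roi": (reduction - annual_cost) / annual_cost}

# Constructed estimates for the post's first insider loss statement (illustrative numbers only).
EXFIL = LossScenario("malicious privileged insider exfiltrates customer PII (confidentiality)",
                     lef=Estimate(0.5, 2, 6), lm=Estimate(50_000, 200_000, 1_000_000))
# Same event after a hypothetical monitoring/DLP control lowers how often it succeeds.
EXFIL_WITH_DLP = LossScenario(EXFIL.name + " + DLP", lef=Estimate(0.1, 0.5, 1.5), lm=EXFIL.lm)
```

Calling `control_roi(EXFIL, EXFIL_WITH_DLP, annual_cost=250_000)` returns the before and after annualized loss exposure in dollars and the control’s ROI, which is the “bang for our buck” figure a red-versus-yellow rating cannot give you.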