Factor Analysis of Information Risk (FAIR™) quantifies cyber and technology risk in financial terms and lifts communication about cyber risk up from technical “maturity” ratings or subjective red-yellow-green rankings to the financial language that business leadership can understand. Here are some real-world examples about risk quantification with FAIR supporting business decisions.
1. Understand Top Risks and Prioritize Risk Mitigation
Ask some organizations to identify their top risks and they may answer “the cloud”, “ransomware” or other general topics that are concerns but not truly risks. The first benefit from FAIR is clarity of thinking: A risk is a loss event scenario that includes a threat actor impacting an asset with a quantifiable frequency of occurrence and magnitude of cost.
FAIR analysis of loss events based on frequency and magnitude data puts suspected top risks on an equal, quantitative footing so they can be ranked. For instance, a high impact event may have low frequency (or adequate protective controls) and, despite first appearances, may not belong at the top.
FAIR analysis generates results in ranges that can be plotted on a loss curve to rank risks, as well as show how any risk compares to the organization’s risk tolerance. As a result, decision-makers get clear direction on prioritization.
Learn more in the webinar Common Use Cases of FAIR Analysis - Beginner Chapter Meeting led by Tony Martin-Vegue of Netflix, now on our LINK discussion board. A (free) FAIR Institute membership is required. Sign up for membership now.
FAIR Analysis Report by Tony Martin-Vegue
2. Estimate Return on Investment for Security Projects
Start with the baseline analysis you’ve generated for a top risk, then run what-if scenarios to game out the reduction in risk (in other words, the effect on frequency and magnitude of loss) in dollar terms that alternate security projects would provide. Compare those figures to the cost of the new controls or processes.
Cost/benefit analysis, again plotted against risk tolerance, gives executives a credible means to choose among projects.
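As an added illustration of the mechanics behind sections 1 and 2 (this is not code from the FAIR Institute or from this post), the Python script below draws loss event frequency and per-event loss magnitude from min / most-likely / max estimates, runs a Monte Carlo simulation over many years, summarizes the result as an annualized loss expectancy and loss exceedance points measured against a risk tolerance, and compares a baseline scenario with a what-if control to estimate net benefit. It uses a triangular distribution in place of the PERT distribution commonly used in FAIR tooling, and every estimate, the control, the control cost and the tolerance figure are constructed assumptions, not real data.

```python
import math
import random
import statistics

def poisson(rng, lam):
    # Knuth's method: number of loss events in one year given an expected rate lam
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1

def simulate_annual_loss(freq, magnitude, years=10000, seed=7):
    """freq and magnitude are (min, most_likely, max) estimates; returns one total loss per simulated year."""
    rng = random.Random(seed)          # fixed seed so a run is reproducible
    lo_f, ml_f, hi_f = freq
    lo_m, ml_m, hi_m = magnitude
    totals = []
    for _ in range(years):
        lef = rng.triangular(lo_f, hi_f, ml_f)   # loss event frequency for this year
        n_events = poisson(rng, lef)
        totals.append(sum(rng.triangular(lo_m, hi_m, ml_m) for _ in range(n_events)))
    return totals

def summarize(losses):
    # annualized loss expectancy (mean) plus a few percentiles of the annual loss range
    s = sorted(losses)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {"ale": statistics.mean(s), "p50": pct(0.5), "p90": pct(0.9), "max": s[-1]}

def loss_exceedance(losses, thresholds):
    # P(annual loss > t) for each threshold t: points on a loss exceedance curve;
    # using the risk tolerance as a threshold gives the chance of breaching it
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}

def control_roi(baseline, with_control, annual_control_cost):
    # risk reduction = drop in annualized loss expectancy; net benefit = reduction minus control cost
    reduction = statistics.mean(baseline) - statistics.mean(with_control)
    return {"reduction": reduction, "net_benefit": reduction - annual_control_cost}

if __name__ == "__main__":
    # Constructed sample estimates for one hypothetical ransomware scenario
    BASE_FREQ = (0.5, 1.0, 2.0)                 # events per year, before the control
    CTRL_FREQ = (0.1, 0.3, 0.6)                 # assumed frequency after the what-if control
    MAGNITUDE = (50_000, 200_000, 1_000_000)    # dollars lost per event
    TOLERANCE = 500_000                         # assumed annual loss the business will tolerate
    base = simulate_annual_loss(BASE_FREQ, MAGNITUDE)
    ctrl = simulate_annual_loss(CTRL_FREQ, MAGNITUDE)
    print("baseline:", summarize(base), "P(loss > tolerance):", loss_exceedance(base, [TOLERANCE]))
    print("with control:", summarize(ctrl), "P(loss > tolerance):", loss_exceedance(ctrl, [TOLERANCE]))
    print("control ROI:", control_roi(base, ctrl, annual_control_cost=100_000))
```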
Learn from this webinar with Jack Jones, creator of FAIR:
3. Make a Smart Purchase of Cyber Insurance
Cyber insurance premiums are going up and so are coverage exclusions. There’s no better investment in FAIR than running analysis of your top risks so you understand your maximum loss exposure. FAIR analysis is also a great tool for going line by line through the sub-limits in your policy and determining where you could add or reduce coverage or even self-insure, with an eye on risk tolerance. The data gathering you do for FAIR, such as your probable costs for fines and judgements or productivity loss, will serve you well here. FAIR’s Six Forms of Loss provide a structure for digging through the fine print.
4. Cyber Due Diligence for Mergers and Acquisitions
Just as you do for your own organization, you can run FAIR analysis on an M&A target company, using estimates based on the target’s data disclosures or industry standard data to get as good a picture as possible of their top risks and critical assets. It puts context around a first-line-of-defense investigation (as in, how significant are any vulnerabilities discovered?). FAIR provides a structured way to figure cyber loss exposure for valuation of a merger candidate, and possibly a warning sign telling you to walk away from the deal.