Generally speaking, the major challenge organizations have with adopting FAIR™ is changing to a new way of managing risk. And make no mistake, FAIR will require a different way of thinking about risk and a different way of performing risk management. The primary cybersecurity paradigm change FAIR offers is that it normalizes cyber risk and integrates it into the business unit.
For those of you unfamiliar with FAIR here are the salient points:
- It is a system of quantitative risk analysis
- It is comprised of a model, a taxonomy, and an analysis process
- Each analysis focuses on an asset, threat actor, effect, and (usually) method
FAIR is remarkably practical, yet the same time also a remarkable departure from the existing way of practicing risk management. These differences, which we discuss in detail in this article, are:
- FAIR is something you use/do, rather than a collection of states you achieve
- FAIR increases community by centralizing many elements of cyber risk management at the community level
- FAIR expresses risk exposure in quantitative ranges rather than a qualitative symbol
- FAIR is integrated into the business process rather than stuck in its own silo
- FAIR is a remarkably straightforward, simple, and powerful system of risk management, rather than extensive and obtuse
Let’s take a closer look.
Paradigm 1 – “Doing” vs “Seeking to Attain”
FAIR’s approach to cyber risk management changes the practice paradigm in that FAIR is something you do; the current approach to risk management are various states to achieve.
The current approach to managing cyber risk today is encompassed as adhering to:
- Control frameworks (e.g. HIPPA Security Rule)
- Compliance standards (e.g. GDPR, Privacy Shield)
- Maturity frameworks (e.g. NIST CSF)
What all of the above approaches to risk management have in common is that they outline risk management requirements that organizations should seek to attain. In contrast, FAIR outlines a risk management approach to use when assessing organizational risk exposure – it is a way of talking about risk, organizing risk, and performing risk assessments rather than a goal to accomplish.
This difference is both practical and philosophical. Practically, FAIR is a system you use in actual practice – the current approach to cyber risk management is not useful in the same way. Philosophically, it treats cyber risk as a business function rather than a (separate) state to achieve.
Paradigm 2 – Increased Community vs Fractured Community
Importantly, FAIR centralizes many elements of cyber risk management at the community level and thus offers numerous community benefits, which is a major paradigm shift from existing practices. What this means is that:
- Critical risk management terms are defined and agreed upon among organizations that use FAIR
- The FAIR risk analysis process and components are built into every analysis, and this process is consistent across organizations that use FAIR
- FAIR expresses exposure in financial terms, which is common among all organizations
The current approach is on the whole rather fractured in that cybersecurity terms, processes, and analysis can different vastly in different organizations.
Consider checklists, maturity frameworks, etc. which outline an end-practice that your organization should be following. With approaches like checklists, maturity frameworks, and compliance standards, any or all of the following can differ from organization to organization:
- Analysis processes that are used might be whatever an organization prefers, and are likely to differ greatly in both the scope and analysis steps from organization to organization
- Unit of exposure can be any number of things - High/Moderate/Low, A-E/1-5, etc.
- Definition of critical terms (threat, risk, loss event, etc.) may differ from organization to organization – NOTE: this is a serious issue across industry in general
The increased community that FAIR offers also has important benefits for organizations:
- Share a common practice, philosophy, and goal of cyber risk management among organizations
- Baseline your organization’s exposure against industry
- Share lessons learned at the community level for cyber program implementation
To put FAIR into action, you’ll need an analytics tool and an associated risk management program based on risk quantification. Read a guide by FAIR model creator and FAIR Institute Chair Jack Jones to move forward:
Download 'Understanding Cyber Risk Quantification: The Buyer’s Guide' by Jack Jones
Paradigm 3 – Accurate/Precise Ranges vs. Symbolic/Qualitative Outputs
One of the obvious paradigm shifts that FAIR offers to the cyber risk industry is that it treats exposure quantitatively (in financial terms) and in ranges.
FAIR outputs are a specific type each time (financial units) – the major theme being accurate with a useful level of precision. Ranges are represented with:
- Minimum – best probable outcome for financial loss given an incident
- Maximum – worst probable outcome for financial loss
- Most Likely – near which value in the range do we expect most situations to actualize
Current approaches to representing exposure are qualitative, using words or codes to represent risk. Current approach also represents exposure precisely – that is, the risk of X scenario is precisely Low, or precisely 5E. These qualifiers symbolize and abstract exposure, rather than explicitly stating the exposure - the important point here being that such approaches don’t hold substantive value.
This shift, though obvious, is dramatic in the increase in decision making power that quantitative outputs offer organizations over the current approach.
Paradigm 4 – Integrated Into Business vs. Cybersecurity Silo
FAIR integrates cyber risk management into the business process. This is scary for many cyber risk managers.
Expressing exposure in financial terms means that as cybersecurity professionals we no longer get to:
- Operate in some ethereal silo of the organization
- Use cryptic terms to define risk
- Perform duties that most people don’t understand but seem necessary
- Ensure our professional survival by remaining obscure
The existing approach to risk management has essentially perpetuated the struggles of both private sector and government to integrate cyber operations into regular business operations. The existing approach has also perpetuated communication struggles with cyber risk - how many cyber professionals have heard the question after a presentation, “So what does that actually mean?”
FAIR closes the business-cyber operations and communication gaps by expressing risk exposure in financial terms. This demystifies and normalizes cyber risk in ways that are easily communicated to all levels of an organization.
It also allows decision makers to make practical decisions about cyber operations based on financial exposure, solves the major problem (and frustration of many executives) of how to communicate risk in common language.
Paradigm 5 – Streamlined Model vs. Extensive Cybersecurity Frameworks
A subtle but important paradigm shift FAIR offers to the cyber industry is the move from extensive, highly specialized frameworks to a relatively simple, very straightforward model that is easy to represent in visual terms.
FAIR documentation can be read and digested in an extremely short amount of time. Current frameworks like NIST, HIPPA, and GDPR require extensive time, expertise, and acumen to adequately understand their scope. While their scope is admirable and are excellent long-term compliance goals, they are simply not practical for day to day cyber risk management efforts across an organization.
This last point is especially true in newer organizations and cyber risk programs: using the FAIR model/process is something that an organization can start doing in a very short amount of time, while current frameworks/standards (NIST, HIPAA, etc.) take years to implement.
FAIR changes cybersecurity industry paradigms in a way that integrates cyber operations into the business unit, and greatly enables decision making power. These changes can be challenging because it requires cyber operations in organizations to:
- Adopt a different way of thinking about cyber risk and the place of cyber operations in the business unit
- Adopt a different way of representing cyber risk, in financial terms
- Adapting FAIR to existing legal/compliance cybersecurity requirements
FAIR is straightforward, practical, and remarkably flexible in aiding business make better decisions within existing constraints.