For those of you unfamiliar with FAIR (Factor Analysis of Information Risk), here are the salient points:
FAIR is remarkably practical, yet at the same time also a remarkable departure from the existing way of practicing risk management. These differences, which we discuss in detail in this article, are:
Let’s take a closer look.
FAIR’s approach to cyber risk management changes the practice paradigm in that FAIR is something you do; the current approaches to risk management are various states to achieve.
Today’s approach to managing cyber risk largely amounts to adhering to:
What all of the above approaches to risk management have in common is that they outline risk management requirements that organizations should seek to attain. In contrast, FAIR outlines a risk management approach to use when assessing organizational risk exposure – it is a way of talking about risk, organizing risk, and performing risk assessments rather than a goal to accomplish.
This difference is both practical and philosophical. Practically, FAIR is a system you use in actual practice – the current approach to cyber risk management is not useful in the same way. Philosophically, it treats cyber risk as a business function rather than a (separate) state to achieve.
Importantly, FAIR centralizes many elements of cyber risk management at the community level and thus offers numerous community benefits, which is a major paradigm shift from existing practices. What this means is that:
The current approach is on the whole rather fractured, in that cybersecurity terms, processes, and analysis can differ vastly from one organization to another.
Consider checklists, maturity frameworks, etc. which outline an end-practice that your organization should be following. With approaches like checklists, maturity frameworks, and compliance standards, any or all of the following can differ from organization to organization:
The increased community that FAIR offers also has important benefits for organizations:
One of the obvious paradigm shifts that FAIR offers to the cyber risk industry is that it treats exposure quantitatively (in financial terms) and in ranges.
FAIR outputs are always of the same type (financial units), the guiding theme being accuracy with a useful level of precision. Ranges are represented with:
Current approaches to representing exposure are qualitative, using words or codes to represent risk. The current approach also represents exposure precisely – that is, the risk of scenario X is precisely Low, or precisely 5E. These qualifiers symbolize and abstract exposure rather than explicitly stating it, and the important point here is that such approaches don’t hold substantive value.
This shift, though obvious, is dramatic in the decision-making power that quantitative outputs give organizations compared with the current approach.
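To make the quantitative-range point concrete, the following is an added example (not code from the article or from the FAIR Institute) of a minimal FAIR-style Monte Carlo analysis. It assumes two calibrated range estimates for a single loss scenario, a Loss Event Frequency (events per year) and a Loss Magnitude (dollars per event), each given as minimum / most likely / maximum. The choice of a PERT distribution for the estimates and a Poisson draw for the number of events per simulated year are assumptions made here for illustration; the estimate values are constructed, not taken from any real assessment. The output is a range of annual loss exposure in financial units rather than a single label such as "Low" or "5E".

```python
import math
import random
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class Estimate:
    """A calibrated range estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float


def pert_sample(rng, est, lam=4.0):
    """Draw one value from a PERT distribution over the estimate's range.

    PERT is a scaled Beta whose mode sits at the 'most likely' value; using it
    for calibrated ranges is an assumption of this example, not a FAIR mandate.
    """
    span = est.high - est.low
    if span <= 0:
        return est.low  # degenerate estimate: a single point
    alpha = 1 + lam * (est.likely - est.low) / span
    beta = 1 + lam * (est.high - est.likely) / span
    return est.low + span * rng.betavariate(alpha, beta)


def poisson_sample(rng, lam):
    """Number of loss events in one year given an expected frequency (Knuth's method)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(rng, lef, lm, years=10_000):
    """Simulate 'years' years. For each year: draw a loss event frequency, draw how
    many events actually occur, draw a loss magnitude per event, and sum them."""
    losses = []
    for _ in range(years):
        frequency = pert_sample(rng, lef)
        events = poisson_sample(rng, frequency)
        losses.append(sum(pert_sample(rng, lm) for _ in range(events)))
    return losses


def percentile(values, pct):
    """Nearest-rank percentile of a list of numbers."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, round(pct / 100 * (len(ordered) - 1))))
    return ordered[idx]


def exposure_summary(losses):
    """Express exposure as a financial range, not a single point or a label."""
    return {
        "minimum": min(losses),
        "p10": percentile(losses, 10),
        "median": median(losses),
        "mean_ale": mean(losses),   # annualized loss expectancy
        "p90": percentile(losses, 90),
        "maximum": max(losses),
    }


def run_scenario(seed=1, years=10_000):
    """Run one constructed, hypothetical scenario with a fixed seed for repeatability."""
    rng = random.Random(seed)
    # Constructed estimates (assumption): a scenario expected 0.1 to 2 times a year
    lef = Estimate(low=0.1, likely=0.5, high=2.0)
    # Constructed estimates (assumption): $20k to $1.2M per event, most likely $150k
    lm = Estimate(low=20_000, likely=150_000, high=1_200_000)
    return exposure_summary(simulate_annual_loss(rng, lef, lm, years))


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>9}: ${value:,.0f}")
```

Read the summary as the decision input FAIR aims for: a 10th-to-90th percentile band of annual loss, a mean for budgeting comparisons, and a maximum for tail discussion, all in the same units as the cost of any control being proposed.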
FAIR integrates cyber risk management into the business process. This is scary for many cyber risk managers.
Expressing exposure in financial terms means that as cybersecurity professionals we no longer get to:
The existing approach to risk management has essentially perpetuated the struggles of both private sector and government to integrate cyber operations into regular business operations. The existing approach has also perpetuated communication struggles with cyber risk - how many cyber professionals have heard the question after a presentation, “So what does that actually mean?”
FAIR closes the business-cyber operations and communication gaps by expressing risk exposure in financial terms. This demystifies and normalizes cyber risk in ways that are easily communicated to all levels of an organization.
It also allows decision makers to make practical decisions about cyber operations based on financial exposure, and it solves the major problem (and frustration of many executives) of how to communicate risk in common language.
A subtle but important paradigm shift FAIR offers to the cyber industry is the move from extensive, highly specialized frameworks to a relatively simple, very straightforward model that is easy to represent in visual terms.
FAIR documentation can be read and digested in an extremely short amount of time. Current frameworks like NIST, HIPAA, and GDPR require extensive time, expertise, and acumen to adequately understand their scope. While their scope is admirable and they are excellent long-term compliance goals, they are simply not practical for day-to-day cyber risk management efforts across an organization.
This last point is especially true in newer organizations and cyber risk programs: using the FAIR model/process is something that an organization can start doing in a very short amount of time, while current frameworks/standards (NIST, HIPAA, etc.) take years to implement.
Conclusion
FAIR changes cybersecurity industry paradigms in a way that integrates cyber operations into the business unit and greatly strengthens decision-making power. These changes can be challenging because they require cyber operations in organizations to:
FAIR is straightforward, practical, and remarkably flexible in helping businesses make better decisions within existing constraints.