5 Tips and Insights from FAIR Institute Members in 2022

The FAIR Institute community is a generous group when it comes to sharing techniques for success at risk analysis and risk management program building with FAIR cyber risk quantification – in the FAIR conferences, on the Institute blog, at local chapter meetings and in the new Slack channel for members. The best way to join the community is to sign up for a FAIR Institute Contributing Membership.

Here's a sampling of FAIR Institute member contributions to the community in 2022:

 

Try this FAIR Program Success Metric: Decisions Influenced

“You have to get the business addicted to what you are doing and demanding that…What you really should be measuring is the number of decisions influenced. Now you are talking about a program that can survive a change” of a champion or an entire executive leadership.

David Severski, Senior Security Data Scientist, Cyentia Institute, speaking on FAIRCON22 panel discussion Scaling a Quantitative Risk Management Program.

End Mindless Cyber Insurance Decisions

“In a lot of the conversation I’ve seen over the years is, there really wasn’t any rhyme or reason for how much cyber insurance we had. Someone just made a decision, likely the CISO, maybe someone in finance.”

“Now, with the FAIR standard, we can model specific scenarios and manage those risks in different ways. We can keep investing to add more controls and keep that risk down, or in some cases, move that bar up and get more transfer coverage with insurance.”

Jeff Norem, Deputy CISO, Freddie Mac, Meet a Member Interview.

Avoid Data Collection Burnout

Robust data leads to better analysis and better decision support. Here’s the catch: subject-matter expert (SME) exhaustion…Data requests that are too repetitive or too frequent will result in burnout.

A key part of FAIR development in your organization must be data independence. Network with the cybersecurity disciplines across your organization and use your goodwill to gain access to the troves of existing data on dashboards, logs, and SharePoint repositories.

Additionally, being included on various automated distribution lists and alerts can also position your team to gather important data without mucking up stakeholder calendars.

Caleb Juhnke, Senior Information Security Engineer (Cyber Risk Quantification), Equinix, writing in the blog post 3 Quick Steps for FAIR Program Maturity.




[Figure: Loss Event Chain of Events from the FAIR Controls Analytics Model (FAIR-CAM™).]

Clarify Risk Scenarios with Diagrams

The third step [in identifying risk scenarios] and the one I consider to be the most important is to understand how loss will unfold for the possible scenarios at hand. A loss flow diagram is a high-level visual that considers the threat actor, type, asset, and loss effect, and shows how loss can materialize at every step, while also considering the controls that are in place or lack thereof that may change the frequency/impact of the risk scenario.

Raksha Shenoy, Information Security Engineer (Cyber Risk Quantification) at Equinix, writing in the blog post Identifying the Right Risk Scenarios to Measure with FAIR.

The New FAIR Controls Analytics Model (FAIR-CAM) Will Radically Change Compliance

“Compliance is going to radically change. An assessor comes in and asks does the control exist and is it functioning the way it’s supposed to? Now we know. We can actively measure and document if that control is doing what it’s supposed to do. Now when we get that audit finding we can answer if it is really a big deal or something we can work on in the next fiscal year.”

Drew Brown, Information System Security Developer, FAA, at the FAIRCON22 Panel Mapping Leading Control Frameworks to FAIR-CAM.
