FAIR Institute Blog

Cary Wise


Recent Posts

How a Risk Analysis Scope Gets Off Track (and How to Fix It)

[fa icon="calendar'] Jun 4, 2019 11:34:09 AM / by Cary Wise posted in Risk Management

[fa icon="comment"] 0 Comments

The most important step in conducting a quantitative cyber risk analysis is scoping - identifying the asset, threat, and effect related to the scenario at hand. But what happens if you are so excited to get into your FAIR analysis that you skip this crucial step?

Read More [fa icon="long-arrow-right"]

3 Ways to Game the System with Qualitative Cyber Risk Analysis (Don’t Do It)

[fa icon="calendar'] Mar 25, 2019 8:30:00 AM / by Cary Wise posted in Risk Management

[fa icon="comment"] 0 Comments

As an advocate for FAIR, I spend a great amount of time preaching the benefits of quantitative risk analysis over the qualitative approach. Ranking of risks 1-5 or red-yellow-green based on subjective judgments doesn’t measure up (literally) to a standard model like FAIR that produces consistent results expressed as probabilities.  

Read More [fa icon="long-arrow-right"]

When Every Risk Is “Medium”

[fa icon="calendar'] Aug 13, 2018 12:40:07 PM / by Cary Wise posted in FAIR, Risk Management

[fa icon="comment"] 1 Comment

When analysts don’t use a rigorous risk quantification model like FAIR to rate risks, and instead rely on the mental models in their heads they’ve developed from years of habit – odd things happen.

Read More [fa icon="long-arrow-right"]

In a FAIR Risk Analysis, Don't Collect Data till You Scope

[fa icon="calendar'] May 24, 2018 10:16:43 AM / by Cary Wise posted in FAIR

[fa icon="comment"] 0 Comments

New to FAIR quantitative analysis for cyber risk? I want to warn you about a newbie mistake I see that’s sure to make you waste time: Putting data collection ahead of scoping in a risk analysis.

Read More [fa icon="long-arrow-right"]

The 3 Most Confusing Risk Analysis Terms

[fa icon="calendar'] Jan 23, 2018 9:00:00 AM / by Cary Wise posted in FAIR

[fa icon="comment"] 1 Comment

Careful, risk analysts – it’s easy to miss the difference between these sound-alike pairs of terms when you scope a FAIR risk analysis:

  • Probability vs. Possibility
  • Loss Event vs. Threat Event
  • Contact vs. Threat Event
Read More [fa icon="long-arrow-right"]
LEARN MORE

Subscribe to Email Updates

417NjDVYgtL._SX404_BO1204203200_.jpg
Learn How FAIR Can Help You
Make Better Business Decisions

Recent Posts