The most important step in conducting a quantitative cyber risk analysis is scoping - identifying the asset, threat, and effect related to the scenario at hand. But what happens if you are so excited to get into your FAIR analysis that you skip this crucial step?
Cary Wise

Recent Posts
How a Risk Analysis Scope Gets Off Track (and How to Fix It)
Jun 4, 2019 11:34:09 AM / by Cary Wise posted in Risk Management
3 Ways to Game the System with Qualitative Cyber Risk Analysis (Don’t Do It)
Mar 25, 2019 8:30:00 AM / by Cary Wise posted in Risk Management
As an advocate for FAIR, I spend a great amount of time preaching the benefits of quantitative risk analysis over the qualitative approach. Ranking of risks 1-5 or red-yellow-green based on subjective judgments doesn’t measure up (literally) to a standard model like FAIR that produces consistent results expressed as probabilities.
When Every Risk Is “Medium”
Aug 13, 2018 12:40:07 PM / by Cary Wise posted in FAIR, Risk Management
When analysts don’t use a rigorous risk quantification model like FAIR to rate risks, and instead rely on the mental models in their heads they’ve developed from years of habit – odd things happen.
In a FAIR Risk Analysis, Don't Collect Data till You Scope
May 24, 2018 10:16:43 AM / by Cary Wise posted in FAIR
New to FAIR quantitative analysis for cyber risk? I want to warn you about a newbie mistake I see that’s sure to make you waste time: Putting data collection ahead of scoping in a risk analysis.
The 3 Most Confusing Risk Analysis Terms
Jan 23, 2018 9:00:00 AM / by Cary Wise posted in FAIR
Careful, risk analysts – it’s easy to miss the difference between these sound-alike pairs of terms when you scope a FAIR risk analysis:
- Probability vs. Possibility
- Loss Event vs. Threat Event
- Contact vs. Threat Event