As an advocate for FAIR, I spend a great amount of time preaching the benefits of quantitative risk analysis over the qualitative approach. Ranking of risks 1-5 or red-yellow-green based on subjective judgments doesn’t measure up (literally) to a standard model like FAIR that produces consistent results expressed as probabilities.
When analysts don’t use a rigorous risk quantification model like FAIR to rate risks, and instead rely on the mental models in their heads they’ve developed from years of habit – odd things happen.
New to FAIR quantitative analysis for cyber risk? I want to warn you about a newbie mistake I see that’s sure to make you waste time: Putting data collection ahead of scoping in a risk analysis.
Careful, risk analysts – it’s easy to miss the difference between these sound-alike pairs of terms when you scope a FAIR risk analysis:
- Probability vs. Possibility
- Loss Event vs. Threat Event
- Contact vs. Threat Event