The most important step in conducting a quantitative cyber risk analysis is scoping - identifying the asset, threat, and effect related to the scenario at hand. But what happens if you are so excited to get into your FAIR analysis that you skip this crucial step?
As an advocate for FAIR, I spend a great amount of time preaching the benefits of quantitative risk analysis over the qualitative approach. Ranking of risks 1-5 or red-yellow-green based on subjective judgments doesn’t measure up (literally) to a standard model like FAIR that produces consistent results expressed as probabilities.
When analysts don’t use a rigorous risk quantification model like FAIR to rate risks, and instead rely on the mental models they’ve developed from years of habit, odd things happen.
New to FAIR quantitative analysis for cyber risk? I want to warn you about a newbie mistake I see that’s sure to make you waste time: Putting data collection ahead of scoping in a risk analysis.
Careful, risk analysts – it’s easy to miss the difference between these sound-alike pairs of terms when you scope a FAIR risk analysis:
- Probability vs. Possibility
- Loss Event vs. Threat Event
- Contact vs. Threat Event