We frequently get asked by clients how long they should expect it to take until they can launch a quantitative risk management program based on Factor Analysis of Information Risk (FAIR™). At RiskLens, we go by the following principles:
"Cooking is like painting or writing a song. Just as there are only so many notes or colors, there are only so many flavors - it's how you combine them that sets you apart." - Wolfgang Puck
I like this quote as I think it actually can draw comparisons to talented risk analysts.
Our professional team here at RiskLens has been steadily growing for the past two years. Our risk consultants come from a variety of backgrounds, with and without direct prior experience in risk management.
What an exciting time for FAIR! In the last few months, over 250 people have been through the online and in-person FAIR analyst training course taught by the experienced FAIR consultants of RiskLens. Many of those participants desire to obtain the Open FAIR certification.
This is the most common “sin” we run into within the industry. Analysts, often not specifically trained on risk, focus almost solely on controls and their effectiveness.
Annualized Loss Exposure (ALE) is a key output from a FAIR quantitative risk analysis. ALE is computed as:
ALE = Event Frequency x Single Loss Magnitude
When working on the Loss Magnitude side of the FAIR risk model, and filling out lists for the standard six Forms of Loss, there are some types of loss that are easy to overlook or hard to get data for. In this post my aim is to share tips on some of these “less obvious losses” associated with 4 of the 6 standard forms on the model.
FAIR specialist Chad Weinman from RiskLens recently shared his thoughts about the draft update 1.1 to the NIST Cybersecurity Framework in a RiskLens blog post. We are re-posting the most salient parts of his article for the benefit of FAIR Institute members.
Using qualitative and quantitative methods to assess risk
A 2015 Open Group survey collected data about information risk programs from over 100 organizations. One important insight was that more than half of all surveyed organizations used a combination of both qualitative and quantitative methods for their risk analyses.