In the previous post, I provided examples of some controls-related data that can’t be used to support automated cyber risk quantification (CRQ). But the news isn’t all bad. There are some data that can be used to support CRQ.
Jack Jones

Recent Posts
Jack Jones: Automating Cyber Risk Quantification (Part 5 of 5)
May 10, 2022 7:45:00 AM / by Jack Jones posted in Jack Jones, Jack Jones on Automating CRQ
Jack Jones: Automating Cyber Risk Quantification (Part 4 of 5)
May 3, 2022 1:50:19 PM / by Jack Jones posted in Jack Jones, Jack Jones on Automating CRQ
I covered a lot of ground in the previous posts, and rather than summarize them here I’ll assume you’ve read those posts already. So, let’s dive into the last analytic dimension…
Jack Jones: Automating Cyber Risk Quantification (Part 3 of 5)
Apr 25, 2022 11:45:38 AM / by Jack Jones posted in Jack Jones, Jack Jones on Automating CRQ
In the previous two posts, I briefly discussed that:
- The CRQ market is rapidly growing, and there’s a strong desire to automate CRQ analysis...
Jack Jones: Automating Cyber Risk Quantification (Part 2 of 5)
Apr 18, 2022 12:05:26 PM / by Jack Jones posted in Jack Jones, Jack Jones on Automating CRQ
In Part 1 of this series, I discussed that the market for cyber risk quantification (particularly automated CRQ) is growing rapidly, but that automation, done poorly, can do more harm than good. In this post, I’ll begin to discuss what it takes to automate CRQ responsibly.
Jack Jones: Automating Cyber Risk Quantification (Part 1 of 5)
Apr 12, 2022 7:45:00 AM / by Jack Jones posted in Jack Jones, Jack Jones on Automating CRQ
Until recently, it’s mostly been organizations with visionary and early adopter tendencies who have embraced cyber risk quantification (CRQ). They understood the value and were willing to deal with the challenges.
A Solution for Measuring Inherent Risk
Feb 22, 2022 2:32:43 PM / by Jack Jones posted in Risk Management, FAIR-CAM
If you search the FAIR Institute blog, you will find several posts about Inherent Risk, each highlighting fundamental problems with the standard definition for Inherent Risk and offering insights and advice regarding how to better define and use it. To save you the trouble of finding and reading old posts, I’ll boil them down:
Study Finds Employees Will Violate Security Policy to Get Their Work Done – FAIR-CAM Helps to Solve the Problem
Jan 31, 2022 7:15:00 AM / by Jack Jones posted in FAIR-CAM
A study sponsored by the National Science Foundation and reported in the Harvard Business Review, Research: Why Employees Violate Cybersecurity Policies, identified a wide disconnect between the demands of cybersecurity and the reality of day-to-day work for employees – one of the key gaps that the new FAIR Controls Analytics Model™ (FAIR-CAM™) is intended to help close.
How Cyber Risk Management Is Like Buying a Bike for Your Daughter – Understanding the FAIR Controls Analytics Model (FAIR-CAM)
Jan 12, 2022 2:04:27 PM / by Jack Jones posted in Jack Jones, FAIR-CAM
In writing the FAIR-CAM™ white paper, I took a short detour from the complex landscape of cybersecurity to explain the new FAIR Controls Analytics Model™ with an analogy that almost anyone can relate to.
Jack Jones: In 2022, the New FAIR Controls Analytics Model (FAIR-CAM) Begins to Redefine Risk Management Maturity
Jan 4, 2022 7:00:00 AM / by Jack Jones posted in FAIR-CAM
Introduced at the October 2021 FAIR Conference, the FAIR Controls Analytics Model™ (FAIR-CAM™) will begin to have an impact in 2022. Although eventually it should benefit the risk management profession in many ways, both large and small, its effects are likely to be gradual as people and the industry as a whole begin to wrap their minds around its implications.
Jack Jones on Log4j: Take these Steps to Prepare for the Next Zero-Day Exploit
Dec 22, 2021 8:40:24 AM / by Jack Jones posted in Jack Jones, Guides & Tips
The Apache Log4j security vulnerability uncovered recently is every cybersecurity defender’s nightmare - a zero-day exploited in a practically ubiquitous software library. Because zero-day exploits aren’t going away anytime soon, it’s important for organizations to increase their resilience to this type of change in the risk landscape.