FAIR Institute Blog

Jack Jones


Recent Posts

Measuring Cyber Risk Requires Two Models, Not One

May 10, 2017 5:00:08 PM / by Jack Jones posted in FAIR

1 Comment

There are a lot of reasons why some people believe measuring cyber risk isn’t possible — from misperceptions about data shortage, to the fallacy about intelligent adversaries, to the inconsistencies that commonly occur when two different people get two different answers when measuring the same risk. 


How to Deal with "Data Challenged" Risk Analyses

May 2, 2017 10:36:38 AM / by Jack Jones posted in FAIR

3 Comments

In the first two posts of this series, I discussed questions regarding how to make estimates when data is sparse or missing altogether, and how to account for the fact that historical data may not perfectly reflect the future.  In this post, I’ll walk through an example risk analysis that is challenged in both of those respects.


Using Historical Data

Apr 25, 2017 10:44:11 AM / by Jack Jones posted in FAIR, Risk Management

1 Comment

In my previous post (No Data? No Problem) I discussed the question, “How do you make estimates when you have no data?”  This post focuses on a related question – whether historical data can be relied upon to reflect the future.  


No Data? No Problem

Apr 18, 2017 6:05:40 PM / by Jack Jones posted in Risk Management

0 Comments

One of the most common questions I hear is, “What if there’s no historical data to base an estimate on?” A close cousin to this question is the statement, “Historical data isn’t necessarily a good representation of the future, so you can’t rely on it for your estimates.” Both of these are reasonable concerns that deserve good answers.

What Belongs in a Risk Register?

Mar 31, 2017 11:16:51 AM / by Jack Jones posted in FAIR, Risk Management

1 Comment


A member of the FAIR Institute LinkedIn forum asked an important question the other day: 

“I was wondering if there are any guidelines, rules-of-thumb, etc. on how to decide when something should end up in a risk register or should be handled differently. 


How to Spot Data Breaches in Audit Trails?

Mar 27, 2017 10:23:13 AM / by Jack Jones posted in Risk Management

0 Comments

Jack Jones led the discussion at this month’s meeting of the FAIR Institute’s Data Utilization Work Group, including fielding this question from a FAIR Institute member about data breaches. Jack is the Institute’s Chairman and the co-author of Measuring and Managing Information Risk: A FAIR Approach.  


An Immature Maturity Model?

Mar 23, 2017 3:10:42 PM / by Jack Jones posted in FAIR, Events

3 Comments

This month’s FAIR Institute Data Utilization and Cyber Risk workgroup calls had excellent attendance and some great dialog. I’m always pleased/impressed with the quality of thinking people bring to these calls.


Connect With Jack Jones At RSA Conference 2017

Feb 14, 2017 8:20:00 AM / by Jack Jones posted in FAIR, Events

0 Comments

Well, the annual pilgrimage to San Francisco and the RSA conference is underway.


Cyber Risk Workgroup Discusses "Clarifying Risks"

Jan 25, 2017 4:45:00 PM / by Jack Jones posted in FAIR, Risk Management

0 Comments

Last week we held the second Cyber Risk Workgroup call, with excellent attendance and active engagement. During the call, we discussed the white paper I wrote regarding “Clarifying Risks”.


Examining a Defense of NIST 800-30

Jan 17, 2017 12:15:00 PM / by Jack Jones posted in FAIR, Risk Management

5 Comments

A couple of weeks ago I wrote a blog post pointing out some problems with NIST 800-30 (Fixing NIST 800-30). 
