In another milestone for acceptance of FAIR™ and cyber risk quantification, COSO has issued its first guidance document on applying the COSO Enterprise Risk Management Framework to cyber risk management – and included a reference to the FAIR model.
“Thought leadership” is a term that gets used loosely, but Jack Jones, creator of Factor Analysis of Information Risk (the FAIR™ model) and Chairman of the FAIR Institute, has been out in front of the profession for years, patiently pointing out the limitations of conventional, qualitative risk analysis.
In a new article for Threatpost, Jack Freund, PhD, co-author of the FAIR™ book Measuring and Managing Information Risk, makes the radical proposal that organizations issue a “cyber risk prospectus,” much like an investment prospectus that warns “past performance is not an indicator of future results.”
To judge from the most-read topics of the year, FAIR Institute blog readers were focused on keeping up with the risk quantification movement and learning all they could about FAIR™ best practices. Leading off the list were the two big events of the year: the 2019 FAIR Conference and the addition of FAIR to the NIST CSF.
If you need a concise manifesto to convince others in your organization of the need for FAIR™ cyber risk quantification – particularly in budget-setting season—Jack Freund, PhD, co-author of the FAIR book Measuring and Managing Information Risk, has written it, just out in the ISACA Newsletter.
One of the breakthroughs of cyber risk quantification through FAIR™ is to finally place cyber on a par with the other risks that roll up into enterprise risk management (ERM), instead of leaving it in its own special silo. But getting to that place takes an effort at communication and coordination, and even some org chart changes.
Moving risk quantification out to “hundreds of vendors - it magnifies the challenges for sure.”
That was FAIR Institute Advisory Board Member Wade Baker framing up the issue of risk in the cloud, covered in the FAIRCON panel discussion “Managing Organizational and Third-party Risk in the Age of Digital Transformation.”
FAIR™ can support every stage of a risk management program, as Greg Rothauser, Enterprise Business Information Security Officer (BISO) for MassMutual, told a session at the 2019 FAIR Conference – starting with the widely used wheel from NIST SP 800-39: Frame / Assess / Respond / Monitor.
It's official: NIST has formally published FAIR as an Informative Reference to the NIST CSF, the most widely used cybersecurity framework in the U.S., a major milestone in the history of FAIR. This means that there is now a mapping between FAIR and the NIST CSF standard in the sections covering risk analysis and risk management.