In a new survey for Microsoft and insurance broker Marsh, only 17% of the senior executives surveyed said they spent more than a few days cumulatively over the past year on cyber risk. More than half, 51%, spent several hours or less. Yet 80% of organizations ranked cyber risk as a top-five concern.
In an important article for ISSA Journal, Jack Freund, PhD, co-author of the FAIR book, Measuring and Managing Information Risk, introduces the concept of a Cyber Risk Intelligence Framework that combines four standard frameworks, including FAIR.
Today marks a milestone in FAIR history as NIST has formally published FAIR as an Informative Reference to the NIST CSF, the most widely used cybersecurity framework in the U.S. This means that there is mapping between FAIR and the NIST CSF standard in the sections covering risk analysis and risk management.
FAIR book co-author Jack Freund, PhD, recently spoke with the risk management team at a large retailer with a firm belief that “organizational apocalypse will occur if the website goes down.” A FAIR analyst on staff ran the numbers on the potential impact of a site outage – and found no apocalypse, just a manageable problem.
Using the FAIR model, forward-thinking CISOs are applying quantitative financial analysis of cyber risk to the recommendations generated by the NIST Cybersecurity Framework. FAIR analysis shows how to prioritize among the recommended best practices in the CSF to maximize investment.
In an article just out on FedScoop, Why government is slow to endorse frameworks for quantifying cybersecurity risk, Dave Nyczepir reports that, while qualitative, red-yellow-green approaches to risk still dominate, the move to FAIR-based, quantification-driven risk management is well underway among federal agencies.
Attendees at the FAIR Institute Breakfast during the recent Gartner Summit on Security and Risk Management heard tales of three successful FAIR cyber risk quantification programs from Matthew Martin of LPL Financial, Robert Immella of Key Bank and, lastly, Musso Shaikh, Program Manager, Cyber Threat Intelligence, at Fannie Mae, the big provider of mortgage financing.
New York Times reporters Stacy Cowley and Nicole Perlroth turned to FAIR Institute Chairman and RiskLens Chief Risk Scientist Jack Jones to answer the question posed by their article on the massive Capital One breach: why are big banks in an endless fight with hackers?
It’s a devastating report from the Government Accountability Office that should accelerate the movement to cyber risk quantification (CRQ) and the FAIR model, already underway at the Department of Energy.