Why did FAIR™ (Factor Analysis of Information Risk) emerge as the de facto number-one standard model for cyber, technology and operational risk analysis? No other risk model supports defensible quantitative analysis in the financial terms
Nicola (Nick) Sanna

Recent Posts
10 Reasons Why FAIR Is Winning
[fa icon="calendar'] May 17, 2022 3:57:43 PM / by Nicola (Nick) Sanna posted in FAIR
SEC Proposes Rules for Faster, More Defensible Cyber Risk Reporting. It Could Do Better Still
[fa icon="calendar'] Mar 16, 2022 8:49:15 AM / by Nicola (Nick) Sanna posted in FAIR Institute, Government
The Securities and Exchange Commission recently proposed amendments to its rules that would require reporting on cyber risk in a fast, “consistent, comparable and decision-useful manner,” as SEC Chair Gary Gensler said – a goal that effectively calls for regulated public companies to run a cyber risk management program based on risk quantification
Three Tips to Make Cyber Risk Quantification Work for Your General Counsel as Well
[fa icon="calendar'] May 25, 2021 3:39:19 PM / by Nicola (Nick) Sanna posted in Risk Management
Surprisingly, we still sometimes hear that some cyber risk professionals are challenged by their General Counsel and legal department not to quantify their cyber risk, as that might - in their opinion - introduce a liability, driven by the fact of possibly knowing about a problem and not having done enough to address it.
FAIR Institute Pres. Nick Sanna’s Message to SEC Nominee Gary Gensler: "Stop the Opaqueness of Cyber Risk Reporting"
[fa icon="calendar'] Mar 10, 2021 2:30:09 PM / by Nicola (Nick) Sanna posted in FAIR Institute, Government
In his recent Senate confirmation hearing, the pressure was on Gary Gensler, the new Administration’s nominee
John Carlin, Pioneer of Risk Quantification in Government, Will Lead Cyber Law Enforcement at Department of Justice
[fa icon="calendar'] Feb 7, 2021 7:09:37 PM / by Nicola (Nick) Sanna
We were delighted to learn that John Carlin, a friend of the FAIR Institute and a pioneer of risk quantification in the federal government, has been appointed Acting Deputy Attorney General
2021 Is the Year of Operationalizing Cyber Risk Quantification
[fa icon="calendar'] Jan 5, 2021 10:35:54 AM / by Nicola (Nick) Sanna posted in FAIR Institute
I want to take a moment to reflect on where the FAIR™ movement stands as we begin the New Year. I believe we are right now at a turning point, headed for far-reaching improvements in cyber risk management
How FAIR™ Can Help the US Federal Government Better Prioritize and Right-Size Its Cybersecurity Investments
[fa icon="calendar'] May 15, 2020 7:45:00 AM / by Nicola (Nick) Sanna posted in FAIR, Risk Management
>>DHS/OMB mean well in pushing for a risk-based approach to cybersecurity in the Federal Government, but their requirements fall short of helping agencies effectively prioritize and right-size their cybersecurity investments
Cyberspace Solarium Commission Proposes Amending Sarbanes-Oxley to Include Cybersecurity
[fa icon="calendar'] Apr 9, 2020 7:51:37 AM / by Nicola (Nick) Sanna posted in FAIR, Risk Management
Congress created the Cyberspace Solarium Commission, a bipartisan group of lawmakers and cybersecurity experts, to get out ahead of both a “catastrophic cyberattack” and the “millions of daily intrusions disrupting everything
IMF Chief Says Finance Sector Urgently Needs Cyber Risk Quantification
[fa icon="calendar'] Jul 9, 2018 8:00:00 AM / by Nicola (Nick) Sanna posted in FAIR, Risk Management
In a recent LinkedIn post, Christine Lagarde, Managing Director of the International Monetary Fund, calls cyber risk not just a top risk but “a significant threat to the financial system” and cites a new IMF study that cyber attacks could already cost banks close to nine percent of net income globally or around $100 billion on average a year.
Does NIST CSF 1.1 Endorse Risk Quantification and FAIR?
[fa icon="calendar'] Jun 28, 2018 1:56:02 PM / by Nicola (Nick) Sanna posted in FAIR
The National Institute of Standards has released NIST CSF 1.1, the new version of its popular cybersecurity risk framework—it’s filled with strong implications that infosecurity programs should treat risk in cost-effective or economic terms but never quite comes out and states the words “cyber risk quantification.”