As a FAIR consultant, I have seen many organizations go through the transformation from qualitative to quantitative risk management.
The Cyentia Institute recently published the Information Risk Insights Study (IRIS), which utilized data gathered via Advisen on tens of thousands of known cyber events over the past decade to draw conclusions about the frequency and magnitude of such events.
There are many reasons why cyber risk quantification utilizing the FAIR™ model has been adopted by 30% of the Fortune 1000.
Cyber risk quantification has often been seen as difficult or impossible due to the perceived lack of data on the subject. Many organizations do not have sophisticated logging systems which allow them perfect hindsight into past cyber events.
‘Low’ loss exposure scenarios are often cause for celebration, or at least an exhausted sigh of relief from the CISO who is already juggling the remediation plans of countless other higher risk scenarios.
As auditors, you often get a bad rap. Given that audit is a compliance-focused profession, one of the many aspects of your job is telling someone that the way they do theirs is wrong, which is not a fun conversation for either party.
While I could easily write a novella focused solely on the many benefits of FAIR over other risk analysis methods, there is an important caveat to keep in mind when conducting FAIR analyses: The analysis is only as reliable as the analyst who conducted it.
Risk is inherent in business. By operating in the marketplace, offering products or services to the public, processing transactions or storing data, companies large and small face risk, and increasingly that’s cyber risk. The question is, how do these companies decide whether to accept or respond to risks?
(To the tune of Ice Ice Baby)
Alright, stop! Collaborate, and listen. FAIR is back to give advice you been missin’
If Risk has grabbed ahold of you tightly, run an analysis, quantify it rightly.