I’ve observed an epidemic that is endemic to perfectionists and newer practitioners of quantitative cyber risk analysis: analysis paralysis. Here are some of the symptoms:
A large population of risk professionals are truly gifted. Gifted with the gift of gab, that is. This is because they haven't had any other choice until recently.
Skeptics about the FAIR model love to scoff at quantitative risk analysis and dismiss it as mere “guesswork.” I have encountered this assertion several times while conducting analyses, and I welcome the challenge each time; I view it as an invitation to a discussion.
Risk registers, by definition, are meant to identify, itemize and help prioritize risk. More specifically, they are intended to provide a portfolio of potential loss exposure to inform decision makers and enable them to mitigate and/or manage risk.
In a perfect world, a quantitative cyber risk analysis would always leverage data that is both accurate and precise. Heck, every sort of financial analysis, whether personal or organizational, would leverage data and produce results that are both accurate and precise.
A recurring question in the early stages of FAIR adoption is, “How do I get organizational buy-in for FAIR?” The short answer is: You communicate FAIR’s value proposition.
I had heard that SIRACon, the annual event hosted by the Society of Information Risk Analysts, was one of the two big opportunities of the year to hear the best thinking – and have the best hallway conversations – about risk analysis and risk management (FAIR Institute’s FAIRCON is the other).
It’s crunch time for Santa: his big December 25th deadline is quickly approaching. To prepare for Christmas, he’s making his risk register and checking it twice.
It’s been a little over a year since my love of-FAIR began, and my, does time fly when you’re having a good time! Perhaps “love” of-FAIR is a bit dramatic. However, I must say that the FAIR model has many benefits that make it an attractive and advantageous affiliation.
In the FAIR model for risk analysis, Loss Magnitude—i.e. the monetary impact of a loss event—is bucketed in six Forms of Loss: Productivity, Response, Replacement, Competitive Advantage, Fines & Judgements, and Reputation.