“Bank Cyber Chiefs at Odds Over Risk Models” (registration required), by Steve Marlin, just out on Risk.net, is a snapshot of where banking information security executives stand on the road to a cyber risk model as rigorous as the industry's models for market and credit risk.
Marlin cites the FAIR model as the banking industry’s “most commonly used approach to quantifying cyber risk…FAIR seeks to provide a straightforward map of risk factors and their interrelationships.”
But the article goes on to quote banking CISOs raising a series of objections (some of them misperceptions) to quantitative risk analysis:
- Too many scenarios to model in the banking threat landscape
- Too complicated for executives to follow—checklists are all they can handle
- Too limited for use at the enterprise level
Bank CISOs who are FAIR fans speak up, too. Evan Wheeler of MUFG Union Bank (and a FAIR Institute Board Member) said FAIR provides "a decomposition of risks and understanding of the relationships between threats, weaknesses and potential impacts in a consistent way that you can model."
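To make concrete what Wheeler describes as a decomposition you can model, here is an added example (not code from the Risk.net article, from Wheeler, or from the FAIR Institute) of a minimal FAIR-style Monte Carlo in Python. It breaks one scenario into Threat Event Frequency, Vulnerability (the chance a threat event becomes a loss event, estimated as sampled threat capability exceeding sampled resistance strength), and primary plus secondary Loss Magnitude, then reports an annualized loss distribution. Three-point (min, most likely, max) estimates sampled as PERT distributions are a common choice in FAIR tooling; the scenario, its numbers, and the `Pert`, `Scenario`, `poisson`, and `simulate` names are assumptions constructed for this illustration.

```python
"""Minimal FAIR-style Monte Carlo, added as an illustration (not code from the
Risk.net article or the FAIR Institute). One scenario is decomposed into Loss
Event Frequency (Threat Event Frequency x Vulnerability) and Loss Magnitude
(primary + secondary loss), then simulated into an annualized loss distribution."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Three-point (min, most likely, max) estimate, sampled as a PERT (scaled
    Beta) distribution, a common shape for elicited FAIR inputs."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random, lam: float = 4.0) -> float:
        span = self.high - self.low
        if span <= 0:
            return self.low  # point estimate, nothing to sample
        a = 1.0 + lam * (self.mode - self.low) / span
        b = 1.0 + lam * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Pert  # threat events per year
    threat_capability: Pert       # percentile, 0..1
    resistance_strength: Pert     # percentile, 0..1
    primary_loss: Pert            # currency per loss event
    secondary_loss: Pert          # currency per event when secondary loss occurs
    secondary_loss_probability: float


def poisson(rng: random.Random, mean: float) -> int:
    """Knuth's method: loss events in one year at rate `mean`. Adequate for the
    small annual rates used here (exp(-mean) must not underflow)."""
    if mean <= 0:
        return 0
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def _percentile(sorted_values: list, q: float) -> float:
    return sorted_values[round(q * (len(sorted_values) - 1))]


def simulate(sc: Scenario, trials: int = 10_000, seed: int = 7) -> dict:
    """Return vulnerability, mean LEF and annualized loss exposure percentiles."""
    rng = random.Random(seed)  # fixed seed: reproducible runs
    # Vulnerability = P(threat capability exceeds resistance strength),
    # estimated by comparing sampled pairs.
    hits = sum(sc.threat_capability.sample(rng) > sc.resistance_strength.sample(rng)
               for _ in range(trials))
    vulnerability = hits / trials
    lef_total, annual_losses = 0.0, []
    for _ in range(trials):
        lef = sc.threat_event_frequency.sample(rng) * vulnerability
        lef_total += lef
        loss = 0.0
        for _ in range(poisson(rng, lef)):  # each loss event this year
            loss += sc.primary_loss.sample(rng)
            if rng.random() < sc.secondary_loss_probability:
                loss += sc.secondary_loss.sample(rng)
        annual_losses.append(loss)
    annual_losses.sort()
    return {
        "vulnerability": vulnerability,
        "mean_lef": lef_total / trials,
        "mean_ale": sum(annual_losses) / trials,
        "p10": _percentile(annual_losses, 0.10),
        "p50": _percentile(annual_losses, 0.50),
        "p90": _percentile(annual_losses, 0.90),
        "max": annual_losses[-1],
    }


# Constructed scenario with hypothetical numbers, not figures from the article.
PHISHING_WIRE_FRAUD = Scenario(
    name="Phishing leading to a fraudulent wire transfer",
    threat_event_frequency=Pert(4, 12, 40),
    threat_capability=Pert(0.30, 0.55, 0.85),
    resistance_strength=Pert(0.50, 0.70, 0.90),
    primary_loss=Pert(20_000, 150_000, 900_000),
    secondary_loss=Pert(50_000, 250_000, 2_000_000),
    secondary_loss_probability=0.35,
)

if __name__ == "__main__":
    r = simulate(PHISHING_WIRE_FRAUD)
    print(f"vulnerability {r['vulnerability']:.2f}, LEF {r['mean_lef']:.2f}/yr, "
          f"ALE mean {r['mean_ale']:,.0f}, p50 {r['p50']:,.0f}, p90 {r['p90']:,.0f}")
```

The point of the simulation is that the output is a distribution (p50, p90, worst case) rather than a single number, which is what lets a cyber loss figure be read alongside a market or credit risk figure. It also speaks to the "too many scenarios" objection: each additional scenario is one more `Scenario` record holding a handful of three-point estimates, not a new model.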
FAIR model creator Jack Jones is also quoted, at length, answering each of the objections.
“It’s unfortunate that there are still a large number of people who don’t understand that there are reasonable and effective solutions [to modeling cyber risk],” Jack told Risk.net. “I’ve had numerous conversations with CISOs about FAIR. They see the practical value of it.”
For an in-depth guide to educating executive management about the value of the FAIR model and quantitative risk analysis, read Jack’s eBook An Executive’s Guide to Cyber Risk Economics.