Marlin cites the FAIR model as the banking industry’s “most commonly used approach to quantifying cyber risk…FAIR seeks to provide a straightforward map of risk factors and their interrelationships.”
But the article goes on to quote banking CISOs stating a series of objections (and misperceptions) about quantitative risk analysis:
Bank CISOs who are FAIR fans speak up, too. Evan Wheeler of MUFG Union Bank (and a FAIR Institute Board Member) said FAIR provides "a decomposition of risks and understanding of the relationships between threats, weaknesses and potential impacts in a consistent way that you can model."
FAIR model creator Jack Jones is also quoted, extensively answering all the objections.
“It’s unfortunate that there are still a large number of people who don’t understand that there are reasonable and effective solutions [to modeling cyber risk],” Jack told Risk.net. “I’ve had numerous conversations with CISOs about FAIR. They see the practical value of it.”
For an in-depth guide to educating executive management about the value of the FAIR model and quantitative risk analysis, read Jack’s eBook An Executive’s Guide to Cyber Risk Economics.