In an important article for ISSA Journal, Jack Freund, PhD, co-author of the FAIR book, Measuring and Managing Information Risk, introduces the concept of a Cyber Risk Intelligence Framework that combines four standard frameworks, including FAIR, to bridge the divide between risk management teams on one side and security operations and threat intelligence teams on the other.
“The threat management team needs the business priorities that the risk team can offer, and the risk team needs to better understand threats to assess risk and business priorities,” Jack writes. “Using a cyber risk intelligence framework as the blueprint for collaboration gives explicit reporting responsibilities for each team,” with the ultimate benefit of bringing “unity in the end-to-end cyber risk stories being told to organizational leadership.”
The four standards and frameworks Jack draws on:
- Incident response life cycle of NIST 800-61 rev2.
- Threat intelligence cycle adapted from the book Intelligence Essentials for Everyone.
- Risk analysis life cycle, combining RAND’s publication Using Risk Analysis to Inform Intelligence Analysis with the FAIR model.
FAIR adds two of its factors to the risk analysis process, Threat Event Frequency (TEF) and Threat Capability (TCap), to model “how often threat agents are attacking…and when they do, what force they can bring to bear…”
“After several FAIR analyses, the organization will have a prioritized list of top risk scenarios…that can be used along with some forecasted attack plans (which can be aided by outputs from the threat intelligence lifecycle) to focus the organization on the top ways attackers/insiders can bring about the realization of top-risk scenarios.”
Get all the details on Jack’s proposal in the article Creating a Cyber Risk Intelligence Framework: Integrating Best Practices and Standards in the September 2019 edition of the ISSA Journal (requires a membership to view).
Over 6,000 cyber risk professionals and business leaders are members of the FAIR Institute, actively engaged in what SC Magazine calls one of the most important cybersecurity industry organizations of the last 30 years. Join the Institute.