“The threat management team needs the business priorities that the risk team can offer, and the risk team needs to better understand threats to assess risk and business priorities,” Jack writes. “Using a cyber risk intelligence framework as the blueprint for collaboration gives explicit reporting responsibilities for each team,” with the ultimate benefit of bringing “unity in the end-to-end cyber risk stories being told to organizational leadership.”
The four standards and frameworks Jack draws on:
FAIR adds to the risk analysis process two FAIR factors, Threat Event Frequency (TEF) and Threat Capability (TCap), to model “how often threat agents are attacking…and when they do, what force they can bring to bear…”
“After several FAIR analyses, the organization will have a prioritized list of top risk scenarios…that can be used along with some forecasted attack plans (which can be aided by outputs from the threat intelligence lifecycle) to focus the organization on the top ways attackers/insiders can bring about the realization of top-risk scenarios.”
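To make the two FAIR factors concrete, here is an added worked example (it is not code from Jack's article or from the FAIR Institute) that runs a small Monte Carlo estimate of TEF and TCap per scenario and combines them into Loss Event Frequency, then ranks scenarios to produce the kind of prioritized list the quote describes. It assumes the FAIR standard's treatment of Vulnerability as the probability that Threat Capability exceeds Resistance Strength (RS), which the post does not mention; the scenario names and their min/most-likely/max ranges are constructed sample inputs, and the PERT sampler is a common modelling choice rather than anything the article prescribes.

```python
"""
Added illustration (not Jack's article or FAIR Institute code): Monte Carlo
estimates of Threat Event Frequency (TEF) and Threat Capability (TCap) per
scenario, combined into Loss Event Frequency (LEF) and ranked.

Assumptions, labelled: the scenarios and ranges below are constructed sample
inputs; Resistance Strength (RS) comes from the FAIR standard, which compares
TCap against RS to obtain Vulnerability (the post mentions only TEF and TCap).
"""
import random
from statistics import mean, quantiles


def sample_pert(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified-PERT distribution (a Beta rescaled to [low, high])."""
    if high <= low:
        return low
    span = high - low
    a = 1.0 + lam * (mode - low) / span
    b = 1.0 + lam * (high - mode) / span
    return low + rng.betavariate(a, b) * span


def vulnerability(tcap_samples, rs_samples):
    """FAIR Vulnerability: share of trials in which Threat Capability exceeds Resistance Strength."""
    hits = sum(1 for c, r in zip(tcap_samples, rs_samples) if c > r)
    return hits / len(tcap_samples)


def loss_event_frequency(tef_samples, tcap_samples, rs_samples):
    """Per-trial LEF: a threat event becomes a loss event only when TCap beats RS."""
    return [t if c > r else 0.0 for t, c, r in zip(tef_samples, tcap_samples, rs_samples)]


def simulate(scenario, trials=10_000, seed=1):
    """Run the Monte Carlo for one scenario and return summary figures (events per year)."""
    rng = random.Random(seed)
    tef = [sample_pert(rng, *scenario["tef"]) for _ in range(trials)]
    tcap = [sample_pert(rng, *scenario["tcap"]) for _ in range(trials)]
    rs = [sample_pert(rng, *scenario["rs"]) for _ in range(trials)]
    lef = loss_event_frequency(tef, tcap, rs)
    return {
        "name": scenario["name"],
        "vulnerability": vulnerability(tcap, rs),
        "lef_mean": mean(lef),
        "lef_p90": quantiles(lef, n=10)[-1],  # 90th percentile of annual loss events
    }


def rank_scenarios(scenarios, trials=10_000, seed=1):
    """Prioritized list: scenarios ordered by mean LEF, highest first."""
    results = [simulate(s, trials, seed) for s in scenarios]
    return sorted(results, key=lambda r: r["lef_mean"], reverse=True)


# Constructed sample scenarios: (min, most likely, max). TEF is threat events per
# year; TCap and RS are on a 0..1 scale, as is usual for FAIR percentile ratings.
SCENARIOS = [
    {"name": "Phishing leading to credential theft",
     "tef": (12, 40, 120), "tcap": (0.40, 0.70, 0.95), "rs": (0.30, 0.50, 0.80)},
    {"name": "Insider misuse of privileged access",
     "tef": (0.5, 2, 6), "tcap": (0.60, 0.80, 0.99), "rs": (0.50, 0.70, 0.90)},
    {"name": "Opportunistic scanning of an exposed service",
     "tef": (200, 500, 1000), "tcap": (0.05, 0.20, 0.50), "rs": (0.60, 0.80, 0.95)},
]

if __name__ == "__main__":
    for row in rank_scenarios(SCENARIOS):
        print(f'{row["name"]:<48} vuln={row["vulnerability"]:.2f} '
              f'LEF mean={row["lef_mean"]:.1f}/yr  p90={row["lef_p90"]:.1f}/yr')
```

The ranking is what the threat team and the risk team can argue about productively: threat intelligence informs the TEF and TCap ranges, control assessments inform RS, and the output is a single ordered list rather than two competing narratives.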
Get all the details on Jack’s proposal in the article Creating a Cyber Risk Intelligence Framework: Integrating Best Practices and Standards in the September 2019 edition of the ISSA Journal (requires a membership to view).
Related:
NIST Maps FAIR to the CSF - Big Step Forward in Acceptance of Cyber Risk Quantification
Over 6,000 cyber risk professionals and business leaders are members of the FAIR Institute, actively engaged in what SC Magazine calls one of the most important cybersecurity industry organizations of the last 30 years. Join the Institute.