“Everyone dislikes novelty, and experts tend to be over-critical of proposals in their own domain.” This is the plainly-stated conclusion of a fascinating blind study wherein expert medical researchers were asked to evaluate new research proposals, some in other medical specialties and some in the areas in which they were experts. “New ideas got worse scores from everyone, but they were particularly punished by experts.”
Can this phenomenon explain risk analysts’ and managers’ reluctance to abandon high/medium/low ratings and heat maps in favor of the FAIR approach, which they perceive as novel? Perhaps in part.
But how novel is the FAIR model? It may have been published and standardized relatively recently, but is the logic of decomposing risk and using that understanding to control it really that new? I would argue that it is not — people have been thinking in the way formalized by FAIR for millennia.
As evidence for that claim, let’s look at a Mesopotamian loan contract (written on clay tablets) from 611 B.C., provided in Fordham University’s Ancient History Sourcebook.
“One mana of money, a sum belonging to Iqisha-Marduk (…) is loaned unto Nabu-Etir (…) Yearly the amount of money shall increase its sum by seven shekels of money. His field near the gate of Bel is Iqisha-Marduk’s pledge.”
Why did Icky (Iqisha-Marduk) charge Nabu (Nabu-Etir) interest? And why did he require Nabu to pledge his field as collateral? Icky understood that making the loan to Nabu placed his asset, one mana of money, under threat, and that there was some percentage chance that Nabu would not pay him back.
[Graphic illustration: The FAIR Model on One Page]
In FAIR terms, making the loan became a Threat Event and the percentage chance Nabu would not pay back the loan represents Vulnerability. Icky charged Nabu interest to recoup his asset faster and encourage Nabu to repay the loan (and to make a little extra for taking on the risk), and held Nabu’s field as collateral so as to limit Primary Loss should Nabu fail to repay the loan.
Modern credit risk evaluation likewise follows the FAIR model. By analyzing a borrower’s credit history, available assets, etc., the lender seeks to understand the borrower’s capability to repay the loan, and thus the lender’s Vulnerability to default.
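To make the decomposition in the two paragraphs above concrete, here is an added worked example (not part of the original post) that runs Icky’s loan through the FAIR factors: Threat Event Frequency × Vulnerability gives Loss Event Frequency, collateral caps the Primary Loss, and their product is the expected annual loss, which can then be compared against the seven-shekel interest. Only the principal (one mana) and the interest (seven shekels) come from the tablet; the 60-shekels-per-mana ratio, the 10% default chance and the 40-shekel collateral value are constructed assumptions.

```python
import random
from dataclasses import dataclass

SHEKELS_PER_MANA = 60  # assumed unit ratio; the tablet only says "one mana"


@dataclass
class LoanScenario:
    """FAIR inputs for Iqisha-Marduk's loan. Every value is a constructed
    assumption except the principal (one mana) and the seven-shekel interest."""
    threat_event_frequency: float = 1.0    # one loan outstanding per year
    vulnerability: float = 0.10            # assumed chance Nabu does not repay
    asset_value: float = SHEKELS_PER_MANA  # one mana at risk, in shekels
    collateral_value: float = 40.0         # assumed recovery from the pledged field
    interest: float = 7.0                  # seven shekels per year, from the tablet


def loss_event_frequency(s: LoanScenario) -> float:
    # FAIR: Loss Event Frequency = Threat Event Frequency x Vulnerability
    return s.threat_event_frequency * s.vulnerability


def primary_loss(s: LoanScenario) -> float:
    # The pledged field caps the Primary Loss; it can never go below zero
    return max(s.asset_value - s.collateral_value, 0.0)


def annualized_loss_expectancy(s: LoanScenario) -> float:
    # FAIR: Risk = Loss Event Frequency x Loss Magnitude (primary loss only here)
    return loss_event_frequency(s) * primary_loss(s)


def interest_covers_expected_loss(s: LoanScenario) -> bool:
    # Does the interest premium exceed the expected annual loss from default?
    return s.interest > annualized_loss_expectancy(s)


def simulate_mean_annual_loss(s: LoanScenario, years: int = 20_000, seed: int = 7) -> float:
    """Monte Carlo over uncertain inputs: vulnerability and collateral recovery are
    drawn from triangular ranges around the point estimates instead of being fixed."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(years):
        vuln = rng.triangular(s.vulnerability / 2, min(1.0, s.vulnerability * 2), s.vulnerability)
        recovered = rng.triangular(s.collateral_value * 0.5, s.collateral_value, s.collateral_value * 0.9)
        defaulted = rng.random() < vuln  # one threat event (the loan) per year here
        total += (s.asset_value - recovered) if defaulted else 0.0
    return total / years


if __name__ == "__main__":
    s = LoanScenario()
    print(f"LEF={loss_event_frequency(s):.2f}/yr  PL={primary_loss(s):.0f} shekels  "
          f"ALE={annualized_loss_expectancy(s):.1f} shekels/yr  "
          f"simulated mean={simulate_mean_annual_loss(s):.1f} shekels/yr")
```

With the assumed inputs the expected loss is 2 shekels a year against 7 shekels of interest, and the simulation shows how much that figure moves once the default chance and collateral recovery are treated as ranges rather than point values.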
It’s difficult to overstate the novelty of the cyber risk space — every day new vulnerabilities are discovered, every month a new exploit kit created, every year a new and alarming attack vector gets added to the top of every CISO’s list of concerns. Little remains the same other than the fact that the organization’s assets must be protected and that limited resources are available with which to do so.
But the novelty of the cyber problem space should not be misattributed to the FAIR model and the way it logically decomposes risk into its constituent parts. Cyber risk may be new, but thinking in a structured way about the frequency and magnitude of future loss and how to limit it is not.
Be assured — FAIR has been here all along.