Critical thinking is what makes humans human. In this post, we provide a quick introduction to the transformative FAIR-CAM standard for “Control Physiology”, as a scaffolding for critical thinking. We will apply this new critical thinking paradigm to an Open Banking use case to enable financial inclusion to support marginalised communities.
Denny Wan is Co-Chair of the Sydney Chapter of the FAIR Institute, a member of the Standards and TPRM Work Groups, CI-ISAC Australia Ambassador for Cyber Threat-Led/Informed Risk Measurement, and host of the Reasonable Security podcast.
Jack Jones is Chairman Emeritus of the FAIR Institute and author of the FAIR standards.
Critical thinking vs analytical thinking
"We think, therefore we are", is often attributed to René Descartes, asserting that the act of thinking is a proof of one's existence. Thinking transcends physical and temporal boundaries. For example, Professor Stephen Hawking was recognized for his thinking skill in developing the "Theory of Everything" – a unified framework to explain all physical phenomena, including quantum mechanics and general relativity. But later, after considering Gödel's Theorem, he concluded that such a theory might not be attainable, showing his willingness to challenge his own thinking.
While both analytical and critical thinking are important for problem-solving, analytical thinking focuses on breaking down information into components for understanding, while critical thinking evaluates information, questions assumptions, and forms reasoned judgments. For example, Gödel's Incompleteness Theorem states that within any sufficiently complex and consistent formal system (like mathematics), there will always be true statements that cannot be proven within that system. These true statements are the product of analytical thinking whereas Gödel's Incompleteness Theorem, and Hawking’s application of the theorem to his own work could be categorized as critical thinking.
The fact is that analytical and critical thinking are a continuum. For the purpose of this article, we are not defining a hard boundary between the two thinking strategies but rather highlight the relationship of these thinking processes, where analytical thinking serves as a building block of critical thinking. In particular, we characterize FAIR and FAIR-CAM as analytical thinking tools that provide a well-defined structure (a scaffold) that supports critical thinking when analysing cyber or other forms of risk.
Illustration by Denny Wan
FAIR-CAM Control and Control function
To properly understand FAIR-CAM “Control Physiology”, we first need to clarify a couple of terms:
- Controls are anything that can be used to directly or indirectly affect the frequency or magnitude of loss from one or more loss event scenarios.
- Control functions are the ways in which a control can affect the frequency or magnitude of loss, either directly or indirectly.
Common control frameworks describe controls (or control objectives) in a way that is roughly analogous to anatomy in the practice of medicine. They describe which controls can or should be part of a risk management program, and what those controls should look like. What they don’t tell you is how those controls function, either individually or as a complex system of interdependent parts, to reduce or maintain risk levels. FAIR-CAM, on the other hand, provides what is analogous to medical physiology, which enables a much deeper and clearer understanding of how the control landscape works. In doing so, it also provides a means of evaluating and measuring the risk reduction value of controls.
FAIR-CAM is composed of three control functional domains (Loss Event, Variance Management and Decision Support) to expose the way in which controls affect the frequency or magnitude of loss, either directly or indirectly. This structure enables us to evaluate controls within the context of a potential loss event scenario, question our assumptions, and make reasoned judgments about capabilities and affect.
Critical thinking example
The FAIR Institute blog post “Improving Financial Inclusion through FAIR-CAM” tabled an Open Banking use case in embedded finance products. The post applies the FAIR-CAM Variance Management Controls (VMCs) to examine the discretional operational risk decisions by entities along the embedded finance chain. Each provider along the chain could impose its specific terms and conditions or Term of Service (TOS). Consumers of embedded finance could be disproportionately disadvantaged when they violate the TOS such as missing or late payments due to financial stress. VMCs can be applied to enable early detection of when a provider along the supply chain, accidentally or intentionally, alters the TOS in a manner that disadvantages the consumer.
Traditionally, interpretation and enforcement of TOS require legal expertise and a long lead time to build a litigation case history. A self-regulation approach focusing on common interests along the embedded finance supply chain is more sustainable and scalable. FAIR-CAM variance management offers the opportunity for cost effective early warning in detecting TOS changes. Sample VMC controls for embedded finance are tabled below:
In conclusion, FAIR-CAM provides a structure that enables us to better understand and evaluate a complex environment, and make better-informed judgments. This becomes especially important with the integration of AI and automation. For example, the policies embedded in an AI Agent are managed by its developers, where sanctions against a consumer could be enforced at the click of a button. But by understanding where control opportunities exist and how they function within the overall landscape we can build in appropriate safeguards or, failing that, more reliably identify gaps after the fact and choose cost-effective remediations.
More to come
In the next blog post in this series, we will further illustrate how to harvest these insights to improve decision making and minimize loss by applying the Decision Support (DSC) and Loss Event (LEC) FAIR-CAM functions.
