The FAIR Institute Blog

FAIR Case Studies from Mastercard, Maersk, Virgin Media - Europe Summit

Written by Jeff B. Copeland | Aug 20, 2025 10:11:39 PM

A panel at the recent London Summit of the FAIR Institute had something for everyone, presenting use cases with solid advice across the stages of FAIR adoption.

Our panelists were (left to right):

  • Pooya Alai, Senior Cyber Security Risk Manager at Maersk, applying risk management across global supply chains
  • Oliver Bodger, Security Risk Officer at Virgin Media O2, managing risk in critical telecommunications infrastructure
  • Rob Moore, VP of Technology Risk Management at Mastercard, implementing FAIR in one of the world's largest payment networks
  • Moderator Greg Spicer, Co-Founder & CRO of Ostrich Cyber-Risk

Watch the video now: 

FAIR in Action: Case Study Panorama - 2025 Europe Summit

Highlights from each panelist: 

Rob Moore

Rob suggested three use cases for launching a FAIR program. 

1. Begin with the risk register: reframe risks in terms of FAIR scenarios. “If you only get this far, you’re already ahead of most companies.”
2. Identify an active business decision in process and perform a fast quantitative assessment to identify risks and rewards – a high-level, 30-minute FAIR analysis will suffice. “Don’t wait three months to influence a decision — get ahead of it.”
3. Jump on a purchase decision for cyber insurance - a fast way to demonstrate FAIR’s value and win executive buy-in for quantitative cyber risk analysis.

Other lessons learned, contributed by Rob:

  • Keep scenarios high-level, ideally business-unit focused.
  • Scoping – getting the right people in the room to define the problem is actually the most time-consuming step.
  • Automation is critical to accelerate repetitive FAIR modeling.


Pooya Alai

Pooya’s use case demonstrated a clever solution to a problem seen at large organizations that already have a well-established risk management program: reconciling the different approaches to reporting taken by the security operations, vulnerability and issues management, and risk management teams.

Maersk came up with a solution inspired by the MITRE ATT&CK chain that “unpacks” the Loss Event Frequency side of the FAIR model. The Maersk model weights the likelihood of known risks and unknown risks at each of the steps of the attack chain.

The approach enables Maersk to ask, at scale:

  • Where is risk concentrated across our estate?
  • Which risks or issues drive the highest cumulative likelihood?
  • What can we actually mitigate now?

It positions FAIR not just as a quantification tool but as a decision-support framework that sparks critical trade-off discussions, Pooya said.

Oliver Bodger

The final use case was actually a case of not using FAIR. Virgin Media O2 is just at the opening steps of FAIR adoption, and Oliver presented a portrait of the status quo: “The whole thing was a mess.”

  • The risk register was just a dumping ground. “I thought the more risks on there, the better I was doing.” Security teams were flooded with register entries from across the business, often forgotten after audits.
  • Risks were overvalued due to simplistic formulas. “An open port could show up as a £400M GDPR fine — it was absurd… The value of the risks we had would have reached billions.”
  • Reporting to the board always presented the same risks with no change. The board probably wondered why they were paying for a security and risk team, Oliver said.  

He is now cleaning up the mess, starting with FAIR education, looking to invest in tooling and to track how risk reductions map to spend, and hoping to introduce quarterly board reporting using FAIR-based metrics.

This session from the FAIR Institute Europe Summit is loaded with ground-level insights for risk and security practitioners. Watch the video now: 

FAIR in Action: Case Study Panorama - 2025 Europe Summit