How the New FAIR Framework for Cyber Risk Management Complements ISO 27005


The FAIR Institute recently presented the FAIR Framework for Effective Cyber Risk Management™, which explains how standard extensions to the FAIR model specifically designed for cyber risk can help organizations build highly effective and automated cyber risk management programs that align cybersecurity efforts with business priorities and regulatory compliance.

Nick Sanna is Founder of the FAIR Institute

The two standards that extend the FAIR model specifically for cyber risk management are: 

>>The FAIR Controls Analytics Model (FAIR-CAM), which describes and helps measure the effect of controls on risk;

>>The FAIR Materiality Assessment Model (FAIR-MAM), which provides a more detailed taxonomy of the various forms of cyber loss than the original FAIR model, similar to how a CFO or a cyber insurance company would account for them.

Together with the original FAIR standard, FAIR-CAM and FAIR-MAM form the FAIR Framework for Cyber Risk Management™. 

A common question that we get at the FAIR Institute is: How does FAIR - or in this case the FAIR Framework for Cyber Risk Management - compare with the risk management processes that are at the core of risk management standards from ISO, NIST or COSO? The short answer is: they complement one another and together form the necessary foundation for effective cyber risk management programs.


Effective cyber risk management enables explicit, risk-informed decision-making and strong alignment with business objectives by basing decisions on quantitative, financially-oriented analysis. Quantitative analysis is crucial because it provides actionable answers to critical questions such as:

     >>Is a cyber incident or risk material?
     >>Which controls are most effective in reducing risk?
     >>How much cyber risk does a third party represent?

These questions cannot be adequately addressed through vague, imprecise, and easily misinterpreted qualitative statements. Unfortunately, many cyber risk management programs still rely on qualitative methods for assessing risk. Standards organizations like ISO and NIST have historically suggested using scales such as High-Medium-Low or 1-4 to "quantify" risk. However, these are still qualitative models, even when numbers are used instead of colors or letters.

Research by the Institute has shown that risk assessments based on qualitative models often produce worse results than random decisions. As a result, many organizations see their cyber risk programs as regulatory checkboxes rather than tools for driving meaningful business decisions.

Thankfully, these standards organizations have recently updated their guidance, acknowledging that risk management processes can benefit from quantitative models, especially when better decision-making is a priority.

So, how do we integrate defensible data into risk management processes to produce outputs that all stakeholders can understand and act upon? That’s where combining the FAIR Framework with established risk management practices delivers transformative results.


The longer answer is that the FAIR Framework complements risk management processes like ISO/IEC 27005 by enhancing quantitative analysis capabilities and decision-making along each step of the process. Here’s how they align and complement each other (the same applies to NIST-RMF or COSO in relation to the FAIR Framework): 

1.  Focus on Quantitative Risk Analysis

>>ISO 27005: Primarily supports qualitative or semi-quantitative methods for assessing risks.

>>FAIR Framework: Offers a structured approach to quantify risk in monetary terms, making it easier to prioritize and justify mitigation strategies based on potential financial impact.

2.  Enhancing Risk Identification and Assessment

>>ISO 27005: Provides detailed guidance on identifying, assessing, and treating information security risks but leaves room for different methodologies to quantify risk.

>>FAIR Framework: Provides a clear methodology for analyzing cyber risks in detail, focusing on understanding loss event frequency and magnitude. This complements the broader identification and classification processes in ISO 27005.

3.  Prioritization of Risks

>>ISO 27005: Typically relies on qualitative high, medium, and low categories to prioritize risks.

>>FAIR Framework: Helps refine this prioritization by quantifying the impact of risks, enabling data-driven decisions about where to allocate resources effectively.

4.  Integration with the Risk Treatment Process

>>ISO 27005: Describes steps to select and implement appropriate risk treatments (controls). 

>>FAIR Framework: Can be used to measure the effectiveness of proposed controls quantitatively and to model "what-if" scenarios, assessing how changes in controls would alter risk exposure.

5.  Facilitating Communication

>>ISO 27005: Offers guidance on documenting and communicating risk management processes but doesn’t specify how to express risks clearly to business stakeholders.

>>FAIR Framework: Translates technical risk into business language by focusing on financial implications, improving communication with non-technical stakeholders and aligning cybersecurity with business objectives.

6.  Aligning with Governance Standards

>>ISO 27005: Part of the broader ISO/IEC 27000 series, it ensures alignment with the other international information security management standards in that series.

>>FAIR Framework: Complements these standards (and all other similar risk management standards) by offering an advanced cyber risk quantification mechanism that fits within ISO/IEC 27005's flexible framework.

7.  Iterative Improvement and Automation

>>Both frameworks encourage iterative refinement of risk management processes.

>>The FAIR Framework’s detailed quantification capabilities can provide feedback to enhance and refine the implementation of ISO 27005, and automate it when used as part of a Cyber Risk Management System.
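As an added illustration (constructed for this article, not FAIR Institute or ISO code) of what items 2 and 4 above mean in practice: a small Monte Carlo simulation in the FAIR style, where annual loss is driven by calibrated min / most-likely / max estimates of loss event frequency (LEF) and loss magnitude (LM), and a proposed control is evaluated as a "what-if" by re-running the simulation with the LEF estimate it is expected to produce. The scenario figures are invented placeholders; the triangular distributions stand in for the PERT distributions FAIR tooling typically uses.

```python
"""FAIR-style annualized loss exposure (ALE) with a what-if control comparison.
Constructed example; scenario numbers are placeholders, not calibrated data."""
import math
import random
import statistics

# Placeholder scenario: (min, most_likely, max) estimates, LEF in events/year, LM in dollars.
BASELINE = {"lef": (0.1, 0.5, 1.5), "lm": (50_000, 200_000, 1_000_000)}
# Hypothetical control that lowers how often the loss event occurs; LM unchanged.
WITH_CONTROL = {"lef": (0.05, 0.2, 0.6), "lm": (50_000, 200_000, 1_000_000)}


def poisson(rng, lam):
    """Knuth's method for Poisson sampling; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(lef, lm, years=20_000, seed=1):
    """Simulate `years` independent years. Each year draws a frequency from the LEF
    estimate, a Poisson number of loss events at that rate, and one magnitude per
    event. Returns mean ALE, 90th-percentile annual loss and P(at least one loss)."""
    rng = random.Random(seed)  # fixed seed: reproducible results for review
    annual = []
    for _ in range(years):
        freq = rng.triangular(lef[0], lef[2], lef[1])  # signature: (low, high, mode)
        events = poisson(rng, freq)
        annual.append(sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(events)))
    annual.sort()
    return {
        "mean": statistics.fmean(annual),
        "p90": annual[int(0.9 * years)],
        "p_any_loss": sum(1 for a in annual if a > 0) / years,
    }


def what_if(baseline, control):
    """Run both scenarios and report the risk reduction in dollars of expected loss,
    which is the number a control's cost can be compared against."""
    before, after = simulate_ale(**baseline), simulate_ale(**control)
    return {"baseline": before, "with_control": after,
            "reduction": before["mean"] - after["mean"]}


if __name__ == "__main__":
    result = what_if(BASELINE, WITH_CONTROL)
    for name in ("baseline", "with_control"):
        r = result[name]
        print(f"{name:13s} ALE ${r['mean']:,.0f}  p90 ${r['p90']:,.0f}  P(loss) {r['p_any_loss']:.2f}")
    print(f"expected annual loss avoided: ${result['reduction']:,.0f}")
```

The same scenario expressed on a High/Medium/Low scale would give both rows the same label; the dollar figures are what let the control's cost be weighed against the exposure it removes.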

In summary, by using FAIR in conjunction with risk management processes such as ISO 27005, organizations gain a robust foundation for:

>>Comprehensive identification and classification of risks.

>>Detailed quantitative analysis and prioritization of risks.

>>Aligning cybersecurity efforts with business outcomes through financial quantification.

This combination ensures organizations can effectively manage risks, optimize resource allocation, and communicate risk management insights to all stakeholders.

Learn more about the new FAIR Framework for Cyber Risk Management.
