FAIR Inst Europe Summit 2025: Nick Sanna Keynotes on FAIR Past and Future


If you’re looking to understand the rise of FAIR and acceptance of the quantitative approach to cyber risk management, you’ll want to watch this brief keynote address to the recent FAIR Institute Europe Summit in London by Nick Sanna, the Founder of the Institute and a driving force of the FAIR movement, now in its tenth year.
Watch the video of Nick’s presentation: Managing Risk at the Speed of the Business.
As he told the story, Nick displayed a chart of the year-by-year rise of FAIR awareness, tracing the mind-shift the cyber risk and security community has undergone from a purely technical treatment of cyber risk management to now, when practitioners have the FAIR-based tools to be truly relevant to the business.
At the starting point, the attitude was that cyber risk can’t be measured, so the best strategy was to check boxes off a compliance framework. “How many business decisions are you influencing?” Nick would ask. “The answer was zero. Nobody in the business was taking that seriously.”
As Nick continued, a farsighted group of FAIR pioneers kept advancing the practice – “it takes a village,” he said. In 2021 came a breakthrough with the development by FAIR creator Jack Jones of FAIR-CAM (the Controls Analytics Model), which enabled measuring the effectiveness of controls, followed by FAIR-MAM (the Materiality Assessment Model) for accurate measurement on the impact side of the equation.
“Until then, doing FAIR analysis required a lot of interpretation by analysts, looking at controls and the threat environment, and then doing some brain exercise to interpret the values and plug them in manually.”
Those developments opened the door to automation of FAIR risk analysis. And just in time, as three forces came together:
- The rise of ransomware as a service showed that cyber risk quantification was being leveraged to devastating effect by the attackers. “They know exactly what ROI they’re going to get if they launch.”
- The US SEC, the EU’s enforcers of DORA and NIS 2, and other regulators began to demand that regulated businesses produce accurate, quantified estimates of their cyber loss exposure.
- Business leaders responding to the heightened level of cyber risk began demanding that cyber risk analysis get done “at the speed of business” – a theme of the conference.
The goal of the London FAIR Institute conference, Nick told the audience, “is to advance the journey together because it will take a village…of practitioners, academics, and service providers to make sure we change the equation and have an impact in treating this as an economic problem and a business problem.”