“In order to evolve and mature as a profession, we have to recognize and correct what isn’t working,” he told a full room of FAIR practitioners and learners. The goal should be defensible risk measurement that “does not have significant intrinsic flaws in scoping, modeling or the using of data” – three benefits that Factor Analysis of Information Risk (FAIR™), the standard for risk quantification, provides. Judging by the growth of the FAIR Institute, now past 14,500 members, that future is already here, though unevenly distributed.
Jack discussed two more trends in risk measurement:
>>Automation: He cautioned that cybersecurity controls have nuances and dependencies that automated risk analysis must account for to produce accurate results.
>>Artificial Intelligence: AI can only be as good as its training; it is particularly vulnerable to bias and opaqueness in training data.
“In order for automation and AI to generate results we can trust, they can’t rely on the commonly used methods of the past and present,” he said.
That’s where the FAIR Controls Analytics Model (FAIR-CAM™), recently introduced by Jack, comes in.
“The controls landscape is the most complex and least understood dimension of cybersecurity. FAIR-CAM resolves a huge gap in our ability to understand, measure, and manage control efficacy and risk. It also provides the means to responsibly automate and apply AI to risk analysis.”
FAIR Institute sponsors Ostrich Cyber-Risk and RiskLens supported the FAIR Institute breakfast event.