Contributing to the National Institute of Standards and Technology (NIST) effort to update the Cybersecurity Framework (NIST CSF), the FAIR Institute sent a proposal to help align the framework with the FAIR Controls Analytics Model (FAIR-CAM™), the new model for quantifying the risk reduction effect of cybersecurity controls in financial terms.
Our message to NIST said in part:
We believe that even as NIST CSF has seen wonderful adoption as a way to gauge an organization’s risk management posture or maturity, even more benefits can be realized. Specifically, there is a great opportunity to increase CSF’s value by enabling it to help organizations empirically measure and prioritize their risk remediation efforts.
Luke Bader is Director, Membership and Programs, for the FAIR Institute
With the recent release of the new FAIR Controls Analytics Model (FAIR-CAM™), there is now a way to empirically measure control efficacy and risk reduction value. With some modifications, NIST CSF could map cleanly to FAIR-CAM™, which would help organizations understand the efficacy and value of controls in their risk programs.
Our proposed first steps are as follows:
>>Modify NIST CSF to provide more granularity at, or below, the subcategory level
>>Define measurement scales for each of the elements in the framework to reduce ambiguity and improve quality of benchmarking and measurement
What Is FAIR-CAM?
A model that:
>>Categorizes controls by type and function
>>Sets them in relation to each other, clarifying their interplay
>>Accounts for the direct and indirect effect of controls on risk
>>Assigns units of measurement for control performance, enabling a quantitative approach to reliably analyzing the effectiveness of controls and control systems.
Background on Mapping FAIR-CAM to the NIST CSF
In a video presentation to the FAIR Conference Series earlier this year, Jack Jones, creator of FAIR-CAM and FAIR™ (Factor Analysis of Information Risk), the standard for cyber risk quantification, explained the FAIR Institute’s nearly complete project to map the categorization of controls in FAIR-CAM to the NIST CSF’s categories and subcategories of controls.
Jack identified two challenges:
Challenge #1: Clarifying how the NIST CSF subcategories affect risk so they can be mapped to FAIR-CAM
Jack’s proposal: “The NIST CSF sub-categories have to be redefined to cover no more than a single control function.”
Challenge #2: Standardizing the NIST CSF scoring system
Cybersecurity teams routinely assign scores for compliance with the recommended controls in NIST subcategories, but the scores aren’t standardized. One organization’s “2” may not be another’s. Secondly, as shown in the example above, a single score can’t cover a subcategory with multiple functions – each type of control could have a different unit of measurement in FAIR-CAM.
Jack’s proposal: “To overcome this challenge, ordinal scale definitions should be developed for each control function.”
Get the latest on the development of FAIR-CAM – attend the 2022 FAIR Conference for presentations by Jack Jones and FAIR-CAM users.