Blog post: 3 New Ways to Think about Cybersecurity Controls
That may sound like an obvious statement, but in conventional cyber risk management, the risk reduction value of controls is just assumed, not measured. FAIR creator Jack Jones developed FAIR-CAM™ (the FAIR Controls Analytics Model) to categorize controls, clarify their inter-relationships and assign them units of measurement for reliable analysis of their effectiveness.
Blog post: Jack Jones Speaks at RSAC22 on the Future of Cyber Risk Measurement
In his RSAC Conference talk and a blog series on automation, Jack made the point that the much-publicized hopes for AI in cyber risk management will not be realized without three prerequisites: careful scoping of the risk scenarios to be analyzed, a model that accounts for the nuances of controls effectiveness, and accurate data carefully applied to that model.
Blog post: Understanding and Managing Skeptical Stakeholder Reaction to Quantitative Cyber Risk Analysis
Blog post: How Long Does It Take to Launch a FAIR Program?
Chad Weinman of RiskLens laid down markers for success in a quantitative risk management program: Launch in 90 days and you’re not launched till you “produce a report that’s used to inform a risk-based decision, for instance to prioritize a new control/project or to accept a risk based on your analysis.”
Blog post: Jack Jones Speaks at RSAC22 on the Future of Cyber Risk Measurement
Longtime FAIR expert Tony Martin-Vegue, Senior Information Security Risk Engineer at Netflix, joined Jack on the RSAC stage with some pointed advice: security people should get into the habit of talking about security "investments" that can be prioritized on cost vs. benefit, and stop obsessing over risk mitigation alone. Tony said that "return on investment" is now his most requested analysis at Netflix. Tony's advice dovetails with the presentation by enterprise risk management authority James Lam, speaking at the 2022 FAIR Conference Series quarterly event, who gave advice on presenting risk analysis to the board, with tips such as "discuss risk in terms of business opportunities" and "relate quantified risk to risk appetite."