3 Types of FAIR Skeptics (and How Mastercard Wins Them Over) – FAIRCON23 Video

What’s holding back your FAIR cyber risk quantification program? Learn from Mastercard’s journey up from qualitative risk analysis to running a global team of FAIR-certified professionals, as told by Robert Moore (right in the photo), Vice President of Technology Risk at the credit card giant and Tom Callaghan (left) of C-Risk, the European FAIR consultancy, at the recent 2023 FAIR Conference. 

Watch the conference session video: 

Winning Over the Doubters - Cutting through Complexity to Exceed Stakeholder Expectations 

A free FAIR Institute membership required to view. Join now!

Tom and Robert identified three tribes of skeptics who could slow implementation of quantitative risk assessment practices. Their motivations are: 

Fear of the Unknown

Doubters in this tribe think quantitative cyber risk analysis is complex and scary and fear they won’t be able to explain analysis results to executives. Tom and Robert’s suggested response:

--Show them analysis based on use cases that are highly relevant to them. 

--Show visuals that simplify the analysis process

--Heat maps are OK! But inform the audience that the colors represent ranges generated by the FAIR model, not subjective choices. 

As Tom says, “always go top down. Think from the business perspective what forms of loss to focus on. It’s about understanding the use case. Then define the model. keep the model as simple as you possibly can for the use case.”

Inflated Expectations

This is the perfect getting in the way of the good. “The model is too precise or too high level or too detailed or the wrong distribution.” FAIR creator Jack Jones has a ready answer to perfectionism: Any quantitative analysis at least reduces uncertainty and beats no analysis. 

--Show that FAIR reporting is in line with the sorts of projections generated by their finance team with probabilities in ranges. 

--Don’t get trapped in “death by statistics” by going too far into the details of Monte Carlo simulation, etc. 

As Robert says, “Any forecast uses very similar methodology to FAIR, and that’s what we’re doing. We’re not predicting the future; we’re making a forecast of uncertainty. That’s where using ranges and the principles of FAIR are really important.”

“CRQ Takes Too Long” (AKA Don’t Take My Qualitative Analysis Away)

These doubters claim that FAIR is too time-consuming and requires too much data but really seem to be saying they’d like to stick with qualitative risk analysis because it’s easy and fast. Tom knocked down that objection with one key point:

“If you’re doing a good qualitative risk assessment you are probably collecting all the data you need to flip that into a quantitative risk assessment with minimum effort… If stakeholders believe it takes too long, it’s probably an issue with the underlying risk model.”

You can also proactively beat “takes too long” by developing for your risk analysts and stakeholders a menu of standardized FAIR analysis services and data to maximize efficiency.

Tom and Robert presented many more tips valuable to any FAIR advocate beginning a CRQ program. Watch the video now: 

Winning Over the Doubters - Cutting through Complexity to Exceed Stakeholder Expectations 

A free FAIR Institute membership required to view. Join now!