FAIR™ can support every stage of a risk management program, as Greg Rothauser, Enterprise Business Information Security Officer (BISO) for MassMutual, told a session at the 2019 FAIR Conference – starting with the widely used wheel from NIST 800-39: Frame / Assess / Respond / Monitor.
Watch the video: Closing the Risk Management Loop with Cyber Risk Quantification with Greg Rothauser. A free FAIR Institute membership and sign-up for the LINK discussion board are required. Join the Institute now!
Greg described the Framing effort his team put into defining risk appetite, and how they were able to quantify appetite based on some vague guidance from management, like “keep us out of the news.”
MassMutual uses the RiskLens platform to Assess risk – but he also shared some simplified charts he uses to show management (based on the platform’s analysis reports) to help them visualize top risks and decision alternatives. He also described how he adapts the standards set by the enterprise risk management team (ERM) to FAIR analysis outputs.
For Respond, Greg used a ransomware scenario to demonstrate how breaking down the factors in FAIR analysis helps target defensive measures, based on what would affect Contact Frequency, Resistance Strength and Primary Loss.
To Monitor, “all the data we collected to do the risk scenario become the KPIs for what we are going to track” through monthly reporting by SMEs to judge if response was effective.
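To make the Respond step concrete, here is an added example (not from Greg's talk, the RiskLens platform or the FAIR Institute) of a small FAIR Monte Carlo for a ransomware scenario: it estimates annualized loss expectancy and then re-runs the model with a control aimed at each factor Greg named (Contact Frequency, Resistance Strength, Primary Loss) so the alternatives can be compared. All input ranges are constructed (min, most likely, max) estimates, not MassMutual's data.

```python
import math
import random

# Constructed, illustrative FAIR inputs as (min, most likely, max); percentile scales are 0-100.
RANSOMWARE = {
    "contact_frequency": (5, 12, 30),          # phishing campaigns reaching staff per year
    "probability_of_action": (0.3, 0.5, 0.8),  # share of campaigns that actually target us
    "threat_capability": (30, 55, 85),         # attacker skill, percentile
    "resistance_strength": (40, 60, 80),       # control strength, percentile
    "primary_loss": (50_000, 400_000, 3_000_000),  # USD per successful event
}

def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a modified-PERT (beta) distribution for a min/most-likely/max estimate."""
    if high == low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)

def poisson(rng, rate):
    """Knuth's algorithm: number of events in one year given an expected rate."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(s, years=3000, seed=7):
    """Annualized loss expectancy: mean loss over simulated years.
    Each contact becomes an attempt with P(action); the attempt succeeds when the sampled
    threat capability exceeds the sampled resistance strength; each success costs a primary loss."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(years):
        for _ in range(poisson(rng, pert_sample(rng, *s["contact_frequency"]))):
            if rng.random() > pert_sample(rng, *s["probability_of_action"]):
                continue
            if pert_sample(rng, *s["threat_capability"]) > pert_sample(rng, *s["resistance_strength"]):
                total += pert_sample(rng, *s["primary_loss"])
    return total / years

def compare_controls(base):
    """ALE for the baseline and for one hypothetical control per FAIR factor."""
    return {
        "baseline": simulate_ale(base),
        "cut contact frequency (mail filtering)": simulate_ale({**base, "contact_frequency": (1, 4, 10)}),
        "raise resistance strength (EDR, MFA)": simulate_ale({**base, "resistance_strength": (65, 80, 95)}),
        "reduce primary loss (tested backups)": simulate_ale({**base, "primary_loss": (10_000, 80_000, 500_000)}),
    }

if __name__ == "__main__":
    for name, ale in compare_controls(RANSOMWARE).items():
        print(f"{name:42s} ALE ~ ${ale:,.0f}")
```

The per-year draws of contact count, action, capability and loss are exactly the quantities Greg said become the KPIs to track in the Monitor step, so the same model can be re-run as monthly SME data replaces the initial estimates.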
Watch the video for much more detail and tips from Greg.
If you’re not already a FAIR Institute member, join now with more than 7,000 of your peers to network and learn about the movement that’s re-shaping cyber risk management.