FUD & CRQ – As the leading advocates for FAIR, the standard for cyber risk quantification, we freely admit that uncertainty, doubt and even fear have dogged the introduction of CRQ to express cyber risk in the non-technical, financial terms that business communication needs.
In the new Buyer’s Guide to Cyber Risk Quantification, Jack Jones, creator of FAIR™ (Factor Analysis of Information Risk), the standard for cyber risk quantification, makes the case for CRQ for All with answers to the most common concerns about quantitative analysis.
Top 2 Concerns about Cyber Risk Quantification
1. Measurement Reliability
The catchphrase is “You can’t quantify cyber risk” – there’s not enough data and threat actors are too much of a moving target. As Jack writes, that objection could apply to any form of risk measurement, but it’s not a reason to give up on risk measurement. The accuracy of any measurement of a complex risk hinges on three factors:
>>Clarity regarding the scope of what’s being measured. FAIR practice shows how to focus on well-defined risk scenarios for analysis.
>>The quality of the model. FAIR is an open model, validated by the large community of the Open Group, and recommended as an informational resource by the NIST CSF.
>>The quality of data and how they’re applied to the model. FAIR follows the lead of the hard sciences and accounts for uncertainty by expressing risk in ranges with Monte Carlo simulations and other proven tools.
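To make the third point concrete, here is an added example (not code from the FAIR Institute, Jack Jones, or the Buyer's Guide) of the kind of Monte Carlo simulation the text refers to. It takes calibrated range estimates for loss event frequency and per-event loss magnitude, runs many simulated years, and reports annualized loss as percentiles rather than a single number. The scenario values, the choice of a triangular distribution for frequency and a log-normal for magnitude, and the function names are all assumptions made for this illustration; they are not FAIR's prescribed distributions.

```python
import math
import random
from statistics import quantiles

# Constructed, hypothetical inputs for one well-scoped risk scenario.
# They represent calibrated 90% confidence ranges from subject matter experts.
SCENARIO = {
    "lef_min": 0.1,          # loss events per year: minimum
    "lef_mode": 0.5,         # loss events per year: most likely
    "lef_max": 2.0,          # loss events per year: maximum
    "lm_low": 50_000.0,      # loss per event (USD): 5th percentile
    "lm_high": 2_000_000.0,  # loss per event (USD): 95th percentile
}


def lognormal_params(low, high, z=1.645):
    """Convert a 90% confidence interval [low, high] for a positive quantity
    into (mu, sigma) of a log-normal distribution whose 5th and 95th
    percentiles fall on low and high."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z)
    return mu, sigma


def poisson(rng, lam):
    """Number of events in one year given an annual rate lam (Knuth's method;
    fine for the small rates typical of loss event frequency)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, years=10_000, seed=42):
    """Return a list of simulated total annual losses, one per simulated year.
    A fixed seed keeps the run reproducible for review."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario["lm_low"], scenario["lm_high"])
    losses = []
    for _ in range(years):
        # Draw this year's frequency from the expert range, then the number
        # of events at that rate, then a magnitude for each event.
        lef = rng.triangular(scenario["lef_min"], scenario["lef_max"], scenario["lef_mode"])
        n_events = poisson(rng, lef)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def summarize(losses):
    """Express the result as a range (percentiles), not a point estimate."""
    cuts = quantiles(losses, n=100, method="inclusive")  # 99 cut points
    return {
        "p10": cuts[9],
        "p50": cuts[49],
        "p90": cuts[89],
        "mean": sum(losses) / len(losses),
        "max": max(losses),
    }


def run(scenario=SCENARIO, years=10_000, seed=42):
    return summarize(simulate_annual_loss(scenario, years, seed))


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name:>5}: ${value:,.0f}")
```

Two things the output makes visible that a single "expected loss" figure hides: many simulated years contain no loss event at all, so the low percentiles sit at zero, while the 90th percentile and maximum show how heavy the tail is when the magnitude range is wide. Narrowing either input range (better telemetry, tighter expert calibration) is what tightens the output range.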
2. Level of Effort
As Jack writes, there is no single standard for how organizations adopt cyber risk quantification. FAIR practice shows organizations how to:
>>Know which parts of the risk landscape to focus on, and
>>Know when and how to leverage more precise data (e.g., telemetry) versus less precise data (e.g., subject matter expert estimates).
“What’s important is for organizations to recognize that there is flexibility in this regard and that they have significant control over this concern,” Jack writes.
Read in depth about the answers to the five common concerns about cyber risk quantification: Download the white paper Understanding Cyber Risk Quantification: A Buyer’s Guide by Jack Jones (FAIR Institute Contributing Membership required).