In the new Buyer’s Guide to Cyber Risk Quantification, Jack Jones, creator of FAIR™ (Factor Analysis of Information Risk), the standard for cyber risk quantification, makes the case for CRQ for All with answers to the most common concerns about quantitative analysis.
1. Measurement Reliability
>>Clarity regarding the scope of what’s being measured. FAIR practice shows how to focus on well-defined risk scenarios for analysis.
>>The quality of the model. FAIR is an open model, validated by the large community of the Open Group, and recommended as an informational resource by the NIST CSF.
>>The quality of data and how they’re applied to the model. FAIR follows the lead of the hard sciences and accounts for uncertainty by expressing risk in ranges with Monte Carlo simulations and other proven tools.
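The range-based approach described above, shown as an added example that is not code from the white paper or the FAIR Institute: it assumes triangular (min, most likely, max) estimates for loss event frequency and per-event loss magnitude, and a Poisson draw for the number of events in a simulated year; the input ranges are constructed.

```python
import math
import random
import statistics

# Constructed calibrated estimates for one well-defined scenario (not from the page):
# (min, most likely, max) for loss events per year and for USD lost per event.
LEF_RANGE = (0.1, 0.5, 2.0)
LOSS_MAGNITUDE_RANGE = (10_000, 50_000, 500_000)


def _poisson(rng, lam):
    """Knuth's method: number of loss events in one year given an annual rate."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(lef, magnitude, years=10_000, seed=42):
    """Monte Carlo over `years` simulated years; reports annual loss as a range."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        # random.triangular takes (low, high, mode), so reorder the range tuple.
        rate = rng.triangular(lef[0], lef[2], lef[1])
        events = _poisson(rng, rate)
        annual.append(sum(rng.triangular(magnitude[0], magnitude[2], magnitude[1])
                          for _ in range(events)))
    annual.sort()

    def pct(q):
        return annual[min(len(annual) - 1, int(q * len(annual)))]

    return {
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "mean": statistics.fmean(annual), "max": annual[-1],
        "prob_any_loss": sum(1 for a in annual if a > 0) / years,
    }


if __name__ == "__main__":
    r = simulate_annual_loss(LEF_RANGE, LOSS_MAGNITUDE_RANGE)
    print(f"10th pct ${r['p10']:,.0f}  median ${r['p50']:,.0f}  "
          f"90th pct ${r['p90']:,.0f}  mean ${r['mean']:,.0f}")
```

The percentiles, not a single point value, are what gets reported; the mean converges toward the product of the two range means, which is a quick sanity check on any implementation.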
2. Level of Effort
As Jack writes, there is no single standard for how organizations adopt cyber risk quantification. FAIR practice shows organizations how to:
>>Know which parts of the risk landscape to focus on, and
>>Know when and how to leverage more precise data (e.g., telemetry) versus less precise data (e.g., subject matter expert estimates).
“What’s important is for organizations to recognize that there is flexibility in this regard and that they have significant control over this concern,” Jack writes.
Read in depth about the answers to the five common concerns about cyber risk quantification: Download the white paper Understanding Cyber Risk Quantification: A Buyer’s Guide by Jack Jones (FAIR Institute Contributing Membership required).