To Learn FAIR Quantitative Risk Analysis, Practice Makes Perfect – Advice from Bernadette Dunn, Head of Education, RiskLens
Bernie Dunn has graduated hundreds of trainees in cyber risk quantification techniques with FAIR™ (Factor Analysis of Information Risk) using the RiskLens risk analysis platform, and she wants to pass along her formula for success: Practice FAIR risk analysis till it is second nature. We asked for her tips to most efficiently get up to speed on the FAIR risk quantification methodology.
Q: What is the class experience like for FAIR training with the RiskLens Academy?
A: I try to keep classes small and make them do the work. They are not just watching. They are learning by using their hands on the mouse and keyboard to start to learn things with their minds.
Q: What’s the need to practice after that kind of hands-on training in quantitative risk?
A: Any time we are learning a new skill, depending on our previous experience, it may take us 10 times or 100 times before it’s second nature. When we are young, all we do is practice – math, musical instruments, sports – it’s all about skill-building. In adulthood, we sometimes don’t think about continuously practicing and developing skills.
Q: What does a recommended practice program look like?
A: I lean toward practicing doing FAIR analysis in the RiskLens platform. Run different analyses, look at the results, see how they are different, that’s how you are going to learn. You may do that two or three times in training, but it takes a minimum of 10 times on your own practicing the analysis and the platform to know the “a-hah’s” and the “what ifs” and “let me try this or that.”
Set a goal for yourself: I recommend practicing one analysis a day for a week or two weeks, or working on one analysis for an entire week but scheduling out 20-30 minutes a day to work on it. The goals and milestones are up to you, but essentially make a commitment to practice every week.
Image: Cost-benefit analysis on the RiskLens Platform
Q: How should they choose risk analyses to practice?
A: Start by thinking about the crown jewels in your organization. What kind of loss events would the company care about as relates to those assets? For learners who are mid- to senior-level, I challenge them to think about the risks that no one has ever made a decision on because it’s always been subjective or qualitative. Now, you can practice using FAIR and RiskLens to work through a quantitative analysis. Think of it as your hypothesis and you’re looking for objective data.
You can also look for quick decisions to be made. One of our clients hadn’t even built out their CRQ program, went through training and right away used it to make a risk-based decision on whether to invest in a software upgrade.
Q: How will they know they are improving at FAIR analysis?
A: When analysis time speeds up. From one week to do a single analysis, they will get to a point where they are able to do 20 analyses in a day. You start to know the questions because you’ve seen them before. You get to know the data that RiskLens provides so that speeds up analysis time. Also, you will know you are improving when you can look at the results and start to challenge them. You can say “this doesn’t seem probable,” and start troubleshooting.
Q: Any “a-ha” moments that trainees go through?
A: For people who come out of a risk management or compliance background, they sometimes think this is about replacing their current frameworks. Once they understand this is adding to how their organization looks at risk by giving them objective data, they are good to go.
But mostly, it’s just practice. One client told me it didn’t make sense at first, but we just kept doing it, then at some point, you look at everything this way. When someone talks about risk you start thinking what the asset would be, what would be a threat impacting it, what would the loss be -- it just becomes second nature.