The risk model known as Factor Analysis of Information Risk (FAIR), now an Open Group standard, was authored by Jack Jones in 2001, while he was a newly appointed CISO at Nationwide Insurance. Part of his job was to put together an information security strategy, present it to senior executives, and ask for money. During one such presentation an executive asked, “How much risk do we have?” The only answer Jack had was a shrug of his shoulders and a single word: “Lots.” The executive then asked, “If we spend these millions of dollars, how much less risk will we have?” Jack shrugged again and replied, “Less.” The executive knew he wasn't going to get a better answer, but wanted to make a point.
Jack knew the questions deserved an answer that could be defended and that was useful to the business. He began researching existing risk assessment methods, but none of them helped answer those two questions. Undeterred, he set out to build a method himself, making it his mission to decompose risk into something he and an executive could both understand. He found that risk is fundamentally a probability problem, but he had limited experience with statistics, so he dug into statistics and probability to learn the field properly.
Jack’s research taught him that anytime you are talking about probability and statistics, you are dealing with numbers and (presumably) data. Unfortunately, the absence of good data was, and in some cases still is, a major challenge for the security industry. In his studies, Jack came across Bayesian statistics. With a Bayesian approach you do not need historical data at the outset: a risk analyst can begin with estimates from subject matter experts as a prior and then refine the probabilities as observed data accumulates. This was a breakthrough moment.
Bayesian analysis is often organized as a Bayesian network, a directed (often tree-like) graph that decomposes the quantity you are trying to measure into the factors that drive it. Applied to risk, that decomposition into a tree of contributing factors provided the clarity needed to understand risk, and it became the starting point for FAIR. Once Jack started using it, his ability to understand risk improved and he was far better able to communicate it, which made it easier to unwind the complexity of the risk landscape for himself and others.
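As an added illustration (example code written for this page, not code from the original article, from Jack Jones, or from the FAIR Institute), the following Python shows the two ideas above in miniature: a subject matter expert's estimate of loss-event frequency treated as a Bayesian prior and updated as observed events arrive, and risk decomposed into loss-event frequency times loss magnitude and evaluated by Monte Carlo. The Gamma-Poisson model, the triangular loss distribution, the `FrequencyEstimate` class and the sample figures are my assumptions for the example, not values or structures taken from the page.

```python
"""Added example for this page (not code from the original article or from
the FAIR Institute): a Bayesian update of an expert-estimated loss-event
frequency, followed by a FAIR-style decomposition of risk into
loss-event frequency x loss magnitude, evaluated by Monte Carlo.

Modelling assumptions (mine, for the example): the number of loss events
per year is Poisson with an unknown rate; the expert's prior on that rate
is a Gamma distribution; loss per event follows a triangular distribution
built from the expert's min / most-likely / max figures.
"""
import math
import random
import statistics


class FrequencyEstimate:
    """Gamma prior on loss events per year, expressed in expert-friendly terms.

    alpha / beta is the expected number of events per year; beta is how many
    years of 'virtual' observation the expert's confidence is worth, so a
    confident expert's prior is harder to move than a tentative one.
    """

    def __init__(self, alpha, beta):
        self.alpha = alpha
        self.beta = beta

    @classmethod
    def from_expert(cls, events_per_year, confidence_years):
        return cls(events_per_year * confidence_years, confidence_years)

    @property
    def mean(self):
        return self.alpha / self.beta

    def update(self, observed_events, observed_years):
        """Gamma-Poisson conjugate update: the posterior is still a Gamma,
        with the observed event count and observation period added in."""
        return FrequencyEstimate(self.alpha + observed_events,
                                 self.beta + observed_years)


def poisson_sample(rng, rate):
    """Knuth's Poisson sampler; fine for the small rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annualized_loss_exposure(freq, loss_min, loss_mode, loss_max,
                             trials=20000, seed=1):
    """Risk = Loss Event Frequency x Loss Magnitude, simulated for one year.

    Each trial draws a rate from the (posterior) Gamma, an event count from
    Poisson(rate), and a per-event loss from the triangular distribution,
    then sums the year's losses. Returns the mean and the 90th percentile of
    annual loss, the two numbers an executive usually asks for.
    """
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        # random.gammavariate takes a scale parameter, so scale = 1 / beta
        rate = rng.gammavariate(freq.alpha, 1.0 / freq.beta)
        events = poisson_sample(rng, rate)
        yearly.append(sum(rng.triangular(loss_min, loss_max, loss_mode)
                          for _ in range(events)))
    yearly.sort()
    return {"mean": statistics.fmean(yearly),
            "p90": yearly[int(0.9 * (trials - 1))]}


if __name__ == "__main__":
    # Constructed figures: the expert expects about one loss event every two
    # years and is only as sure of that as four years of observation would
    # make them; the business then records three events in two years.
    prior = FrequencyEstimate.from_expert(events_per_year=0.5, confidence_years=4)
    posterior = prior.update(observed_events=3, observed_years=2)
    print(f"prior mean {prior.mean:.3f}/yr -> posterior mean {posterior.mean:.3f}/yr")
    before = annualized_loss_exposure(prior, 10_000, 50_000, 200_000)
    after = annualized_loss_exposure(posterior, 10_000, 50_000, 200_000)
    print(f"annual loss exposure, mean:     {before['mean']:,.0f} -> {after['mean']:,.0f}")
    print(f"annual loss exposure, 90th pct: {before['p90']:,.0f} -> {after['p90']:,.0f}")
```

The point of the structure is the one the paragraph makes: the expert's number is a starting prior, not a final answer, and every observed loss event moves it by a defensible amount; the "how much less risk" question is then answered by re-running the same frequency-times-magnitude decomposition with the control's effect on either factor and comparing the two distributions.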