"Evolving Cyberrisk Practices to Meet Board-level Reporting Needs" is Jack Jones' latest article, featured in the ISACA Journal, Volume 1, 2017. Jack explains that as the threat landscape evolves, boards of directors and executives are asking the information security team to tell them what the financial impact of any given risk is to their organization. In this article, he focuses on:
- Changing how cyber risk is reported to the board.
- Quantitative risk measurement does exist and organizations are learning how to use it.
Changing how cyber risk is reported to the board
Most practitioners currently use ordinal scales, heat maps, risk ratings and other metrics (compliance levels, audit findings, employee awareness data) in their risk reports to the board and business executives. While it is not wrong to use these qualitative methods, Jack points out that they tend to be more subjective and do not effectively tell the board what impact a risk event could have on the financial health of the organization.
Quantitative risk measurement does exist
Jack notes that quantitative risk measurement is picking up steam. Large corporations, including global retailers and major financial institutions, have adopted the FAIR quantitative risk analysis model. In the US, federal banking regulators recognize FAIR as an effective model for large banks to quantify their loss exposure.
At the highest level, FAIR breaks risk down into loss event frequency (read: the number of times a loss can occur) and loss magnitude (read: the impact to the organization). Every day, around the globe, FAIR analysts use historical and industry benchmark data to conduct risk analyses that enable their leadership to make security spending decisions and set their organization's risk appetite.
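The loss event frequency (LEF) and loss magnitude (LM) decomposition described above, as an added Monte Carlo illustration written for this summary; it is not code from Jack Jones, the ISACA article or the FAIR Institute. The scenario ranges are constructed, and the choice of a PERT distribution for calibrated ranges and a Poisson draw for the yearly event count are modelling conventions assumed here, not something the text prescribes.

```python
"""Constructed FAIR-style Monte Carlo: annual loss exposure from
loss event frequency (LEF) and loss magnitude (LM) ranges."""
import math
import random
from typing import Dict, List, Tuple

# (min, most likely, max) triples, the shape in which analysts calibrate ranges
Range = Tuple[float, float, float]


def pert_sample(rng: random.Random, rng_def: Range, lam: float = 4.0) -> float:
    """Draw one value from a modified-PERT distribution over (low, mode, high).

    PERT is a beta distribution stretched over [low, high] with its peak at the
    most-likely value; a degenerate range collapses to a point estimate.
    """
    low, mode, high = rng_def
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def pert_samples(rng_def: Range, n: int, seed: int = 0) -> List[float]:
    """Convenience: n independent PERT draws from a seeded generator."""
    rng = random.Random(seed)
    return [pert_sample(rng, rng_def) for _ in range(n)]


def poisson_sample(rng: random.Random, mean: float) -> int:
    """Number of loss events in one year for an expected frequency (Knuth's method)."""
    if mean <= 0:
        return 0
    limit = math.exp(-mean)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(lef: Range, lm: Range, iterations: int = 10_000,
                         seed: int = 42) -> List[float]:
    """Total loss per simulated year: LEF drives how many events occur,
    LM is drawn once per event and summed."""
    rng = random.Random(seed)
    yearly: List[float] = []
    for _ in range(iterations):
        expected_events = pert_sample(rng, lef)
        n_events = poisson_sample(rng, expected_events)
        yearly.append(sum(pert_sample(rng, lm) for _ in range(n_events)))
    return yearly


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile of a list of yearly losses."""
    ordered = sorted(values)
    idx = int(round(p * (len(ordered) - 1)))
    return ordered[max(0, min(len(ordered) - 1, idx))]


def summarize(yearly: List[float]) -> Dict[str, float]:
    """The figures a board report would carry: expected (annualized) loss,
    the median and 90th-percentile years, worst simulated year, and the
    share of years with no loss event at all."""
    return {
        "mean": sum(yearly) / len(yearly),
        "p50": percentile(yearly, 0.50),
        "p90": percentile(yearly, 0.90),
        "max": max(yearly),
        "p_zero_loss": sum(1 for v in yearly if v == 0) / len(yearly),
    }


def exceeds_appetite(summary: Dict[str, float], tolerance: float,
                     level: str = "p90") -> bool:
    """Compare a chosen percentile against a stated loss tolerance (risk appetite)."""
    return summary[level] > tolerance


# Constructed scenario (hypothetical values): a customer-portal account-takeover
# loss event, calibrated at 0.5-2-6 events per year and $20k-$150k-$1.2M per event.
SCENARIO_LEF: Range = (0.5, 2.0, 6.0)
SCENARIO_LM: Range = (20_000.0, 150_000.0, 1_200_000.0)

if __name__ == "__main__":
    result = summarize(simulate_annual_loss(SCENARIO_LEF, SCENARIO_LM))
    for key, value in result.items():
        print(f"{key:>12}: {value:,.2f}")
    print("Exceeds $1M p90 tolerance:", exceeds_appetite(result, 1_000_000.0))
```

Reporting the p90 or p95 year alongside the mean is what lets a board compare loss exposure with a stated tolerance; the mean alone hides the occasional year in which several large events coincide.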
In addition to being used for enterprise risk management, FAIR has been used to:
- Inform public policy decisions.
- Assess the risk of migrating an application to the cloud.
- Teach risk analysis methods at several major universities, including San Jose State University.
Learn to quantify
At the FAIR Institute, our mission is to help organizations advance their adoption of quantitative risk analysis through our workgroups, chapter meetings and resources, and ultimately to advance your career. Log in to read Jack's article on ISACA.