Introduced at the October 2021 FAIR Conference, the FAIR Controls Analytics Model™ (FAIR-CAM™) will begin to have an impact in 2022. Although it should eventually benefit the risk management profession in many ways, both large and small, its effects are likely to be gradual as people, and the industry as a whole, begin to wrap their minds around its implications.
“The FAIR-CAM model is a formal description of how risk management controls operate, both individually and within a system of other controls, to affect the frequency or magnitude of loss.”
Even so, I expect we’ll begin to see some of the following in 2022:
>>Glimpses of grudging recognition that our understanding of the controls landscape has been incomplete and unclear. This should lead control framework providers to clarify the descriptions for some elements within their frameworks; today, no framework formally defines the many ways in which controls directly or indirectly affect risk. In some cases, FAIR-CAM will also highlight gaps in control frameworks that need to be addressed.
>>Maturity models will begin to redefine what makes a risk management program “mature”. Specifically, FAIR-CAM accounts for systemic control relationships and dependencies, which aren’t accounted for in current maturity scoring models. Furthermore, there are gaps in existing maturity models that need to be addressed.
>>Forward-thinking organizations will leverage FAIR-CAM to identify and rectify gaps in their control coverage.
>>Current methods for evaluating control efficacy that use subjective, ordinal scoring will be recognized as fundamentally unreliable. This includes technologies that claim to quantify risk but do so leveraging those unreliable scores. The FAIR-CAM™ model provides specific units of measurement (%, $, time, etc.) for each control function so cybersecurity teams can empirically measure the efficacy of controls.
>>Risk analysis quality will begin to improve. When combined with FAIR, the new model will enable analysts to more easily and reliably measure the risk reduction value of controls.
>>We may even begin to see changes in security telemetry to align with FAIR-CAM functions.
>>FAIR-CAM will be applied within one or more risk management technologies.
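To make the point about units concrete, here is an added example (not code from the post, the FAIR Institute, or any FAIR-CAM tooling) of what "risk reduction value of a control" looks like when control efficacy is expressed as a percentage rather than an ordinal score. It uses only the basic FAIR factors: Threat Event Frequency, Vulnerability, Loss Event Frequency (LEF = TEF × Vulnerability) and Loss Magnitude, with annualized loss exposure = LEF × LM. The PERT sampling, the single "loss-event control stops X% of threat events" assumption, the function names, and all input ranges are assumptions constructed for illustration and are not from FAIR-CAM.

```python
"""Added example, not from the original post: risk reduction value of a
control expressed in FAIR units ($ per year) from a % efficacy estimate.
All ranges and the control model below are constructed sample inputs."""
import random
import statistics


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified PERT(low, mode, high) distribution.

    FAIR analyses typically take calibrated min / most-likely / max
    estimates; PERT (a scaled beta) is a common way to sample them.
    A point estimate (low == mode == high) is returned unchanged.
    """
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def annualized_loss_exposure(tef, vuln, loss_mag, control_efficacy=0.0,
                             n=20000, seed=1):
    """Mean annualized loss exposure = LEF * LM, with LEF = TEF * Vuln.

    tef, vuln, loss_mag: (low, mode, high) triples (events/yr, probability, $).
    control_efficacy: fraction of threat events the control stops. This is
    a measured % (e.g. block rate from testing), not a 1-to-5 rating, and it
    scales Vulnerability: Vuln' = Vuln * (1 - control_efficacy).
    Hypothetical control model, assumed here for illustration.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(n):
        t = pert_sample(rng, *tef)
        v = pert_sample(rng, *vuln) * (1.0 - control_efficacy)
        m = pert_sample(rng, *loss_mag)
        totals.append(t * v * m)
    return statistics.mean(totals)


def risk_reduction_value(tef, vuln, loss_mag, control_efficacy, **kw):
    """Return (exposure without control, exposure with control, $ reduced).

    The same seed is used for both runs (common random numbers), so the
    difference reflects only the control, not sampling noise.
    """
    base = annualized_loss_exposure(tef, vuln, loss_mag, 0.0, **kw)
    with_ctrl = annualized_loss_exposure(tef, vuln, loss_mag,
                                         control_efficacy, **kw)
    return base, with_ctrl, base - with_ctrl


if __name__ == "__main__":
    # Constructed sample inputs: a scenario with 2-15 threat events per year,
    # 20-70% chance each becomes a loss event, $50k-$2M per loss event.
    scenario = ((2, 6, 15), (0.2, 0.4, 0.7), (50_000, 250_000, 2_000_000))
    # Two controls that a 1-5 scale might both score as "4": measured block
    # rates of 50% and 90% give very different annual $ values.
    for efficacy in (0.5, 0.9):
        base, with_ctrl, rrv = risk_reduction_value(*scenario, efficacy)
        print(f"efficacy {efficacy:.0%}: ${base:,.0f}/yr -> "
              f"${with_ctrl:,.0f}/yr, reduction ${rrv:,.0f}/yr")
```

The last loop is the practical point of the passage above: once efficacy is a measured percentage, two controls that an ordinal scale would rate identically produce different, comparable dollar figures, which is what lets the risk reduction value of a control be weighed against its cost.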
Of course, not all of the insights FAIR-CAM surfaces will be easy to swallow or welcome. Just as widespread recognition of FAIR’s value proposition has taken years, it’s likely that FAIR-CAM will encounter its share of skeptics. This is healthy, as all new models should be subjected to the kind of open-minded skepticism that helps them to evolve.
Read the eBook by Jack Jones
An Executive’s Guide to Cyber Risk Economics