You can’t get a more authoritative introduction to Factor Analysis of Information Risk than this webinar for ISACA by Jack Jones, creator of FAIR™ and Chairman of the FAIR Institute, and his co-author on the FAIR book, Jack Freund, Head of Cyber Risk Methodology for VisibleRisk.
In about an hour, the two Jacks give a persuasive, high-level introduction to the necessity of cyber risk quantification (CRQ) and how FAIR makes CRQ into a tool for communicating risk in business terms.
Jack Jones sets up the value proposition for a risk-based approach to cybersecurity, using quantification of loss exposure in dollars:
“At the end of the day, our problem space, the cybersecurity landscape, is incredibly complex and dynamic, and we have limited resources, which means we have to be really good at prioritizing. If we can’t prioritize the challenges we face, then we aren’t going to win. We simply have no chance, I believe, of prevailing.”
Freund and Jones cover these topics:
- What is CRQ?
  “The application of rigorous statistical methods to quantify the impact and frequency of cybersecurity incidents.”
- How cyber risk quantification fits with the standard cybersecurity frameworks
- Problems with heat maps, ordinal scales, and other prevalent risk-rating tools in cybersecurity
  Classifying risks as red, yellow, and green is too often a substitute for rigorous analysis.
- The starting point for quantitative analysis: clearly scoping risk as loss event scenarios
  Key elements are Asset, Threat, Effect, Vector, and Method.
- Types and sources of data for analysis
- How to use calibrated estimation and Monte Carlo simulation to account for uncertainty in data
- Aligning controls gaps to business loss scenarios, then developing cost/benefit analysis
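To make the calibrated-estimation and cost/benefit items above concrete, here is an added illustration in Python (not code from the webinar, the FAIR book, or the FAIR Institute): min / most likely / max estimates for loss event frequency and loss magnitude are drawn from a PERT distribution, a Monte Carlo run turns them into an annualized loss exposure range in dollars, and a hypothetical control that lowers event frequency is scored as net annual benefit. Every scenario number is constructed for illustration.

```python
import random

def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a modified-PERT distribution on [low, high] with the given mode.

    Calibrated estimates are usually given as min / most likely / max, which
    maps naturally onto PERT (a Beta distribution scaled to the range)."""
    if high <= low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)

def simulate_ale(lef, lm, iterations=10_000, seed=1):
    """Annualized loss exposure (ALE) distribution for one loss event scenario.

    lef: (min, most_likely, max) loss event frequency, events per year
    lm:  (min, most_likely, max) loss magnitude, dollars per event
    Each iteration draws a frequency, converts it to a whole number of events
    for that year, and sums an independently drawn magnitude per event."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(iterations):
        freq = pert_sample(rng, *lef)
        events = int(freq) + (1 if rng.random() < freq - int(freq) else 0)
        yearly.append(sum(pert_sample(rng, *lm) for _ in range(events)))
    yearly.sort()
    pct = lambda p: yearly[min(len(yearly) - 1, int(p * len(yearly)))]
    return {"min": yearly[0], "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": yearly[-1],
            "mean": sum(yearly) / len(yearly)}

def control_benefit(lef, lm, lef_after, annual_cost, **kw):
    """Expected annual loss avoided by a control that lowers LEF, minus its cost."""
    before = simulate_ale(lef, lm, **kw)["mean"]
    after = simulate_ale(lef_after, lm, **kw)["mean"]
    return {"ale_before": before, "ale_after": after,
            "net_benefit": (before - after) - annual_cost}

if __name__ == "__main__":
    # Constructed scenario: ransomware on a file server; values are illustrative only.
    scenario = dict(lef=(0.1, 0.5, 2.0), lm=(20_000, 150_000, 1_200_000))
    print(simulate_ale(**scenario))
    print(control_benefit(lef_after=(0.05, 0.2, 0.8), annual_cost=60_000, **scenario))
```

The p10/p50/p90 spread is what replaces a single red/yellow/green rating: it states the range the estimates support, and the net benefit figure ranks control spend against the loss it avoids.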
Interested in a thorough education in FAIR CRQ? Your next step is the FAIR Fundamentals Training course endorsed by the FAIR Institute.