In a new article for Threatpost, Jack Freund, PhD, co-author of the FAIR™ book Measuring and Managing Information Risk, makes the radical proposal that organizations issue a “cyber risk prospectus,” much like an investment prospectus that warns “past performance is not an indicator of future results.”
“Instead of this current state, where we are complicit in the fictional narrative that organizations might never be hacked, what if we all openly admit what the reality is and embrace it?” writes Jack, who is also Risk Science Director at RiskLens (technical partner of the FAIR Institute) and a Fellow of the FAIR Institute. “Imagine a world where organizations are upfront about what their cyber-loss forecast looks like.
“Firms could utilize a Cyber Risk Quantification (CRQ) methodology [like FAIR] to forecast how often the firm believes they will experience a breach and in so doing, how much capital would be required to weather such an event.”
Unlike regulatory standards, such as the Securities and Exchange Commission rules that require disclosure of past loss events, this would be a forward-looking approach. A bank might tell customers it could keep breach frequency to once every 5 years, for instance – and banks might compete on those frequency numbers, ultimately creating “a more competitive landscape for firms to use their information-security teams as marketplace differentiators.”
Read more of Jack’s provocative ideas in The Case for Cyber-Risk Prospectuses on Threatpost.
Jack Freund in ISACA Blog: Stop Telling Yourself Risk Management Stories