Talk about ahead of his time – 2024 will mark the tenth anniversary of the publication of Jack Jones’ Measuring and Managing Information Risk: A FAIR Approach, the book that brought Factor Analysis of Information Risk (FAIR™) out of the shadows. It is now the accepted standard in conceptualizing cyber risk in quantitative terms – establishing it as a business management discipline, not a subjective guessing game.
Let’s check in with Jack on what he foresees for the surely eventful year of 2024.
“1. Growing interest in, and adoption of CRQ, in part due to the new SEC ruling regarding disclosure of material risks.”
The SEC obligated public companies to quickly disclose a material risk when one occurs but only defined “materiality” as information for investors that’s “consistent, comparable, and decision-useful” – in other words, quantified in financial terms. No longer could cyber risk be treated as a mere technical issue outside of the rest of enterprise risk management. That set off a scramble among companies to implement a CRQ program, and one that would be defensible if questioned by the regulators. Look for 2024 to be the year of the steep learning curve on CRQ.
Material Cyber Risk: More from the FAIR Institute:
How Material Is That Hack?, an online resource dedicated to helping organizations understand and quantify the materiality of recent cybersecurity breaches.
The FAIR Materiality Model (FAIR-MAM), a new standard that expands the loss magnitude factors of the FAIR™ model, and provides a more detailed taxonomy and breakdown of loss categories driven by cybersecurity incidents.
“2. The SEC ruling will drive more and better reporting of losses from cyber incidents.”
Based on early experience with the SEC rules, companies will err on the side of disclosure to be safe, Jack thinks, fulfilling part of the SEC’s strategy. The cyber rules enforcement chief for the agency, David Hirsch, told the 2023 FAIR Conference that as companies file disclosures more frequently, cyber incidents will become “less significant in the minds of investors…just one of a string of incidents that everyone is potentially vulnerable to.” The SEC’s insistence that companies be prepared at any time to rapidly disclose material incidents will also drive companies toward real-time, comprehensive data gathering on their attack surface, and toward implementing finely tuned, responsive risk measurement processes, Jack says.
“3. The effect on publicly traded company share values will be more significant at first, and then wane over time (maybe beyond 2024) as investors realize that most incidents don't materially affect the long-term value of most companies.”
More filings, plus the increased prevalence of quantitative estimates of loss in cyber events, will give investors a dollars-to-dollars comparison of loss vs. earnings, revealing that cyber incidents are rarely an existential threat to large companies, Jack says. That trend for 2024 may already be underway: Take two companies that recently filed 8-K disclosures on breaches, MGM Resorts International (September 2023) and Okta (October 2023); in each case, the share price fell off a cliff after the filing and, as of market close on December 15, had very nearly recovered to pre-8-K levels.
“4. Many new and existing solution providers will claim to support CRQ.”
Vendors are also scrambling to respond to the SEC rules by slapping “CRQ” on their apps without changing a line of code in their proprietary, black-box applications. “I will argue tooth and nail that it's at least as easy to screw up cyber risk quantification, and that solutions need to be open so the community can inspect, understand, and challenge them,” Jack says. FAIR™ is an open standard for cyber risk quantification, recognized by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). Get ready for the wave of CRQ marketing in 2024; read Jack’s “Understanding Cyber Risk Quantification: The Buyer’s Guide.”
“5. FAIR-CAM enabled solutions will hit the market and will demonstrate significant insights into better risk management practices.”
Jack introduced the FAIR Controls Analytics Model (FAIR-CAM™) as an extension of the FAIR standard in a white paper published two years ago. He likened the breakthrough to the leap medicine made from understanding anatomy, an inventory of organs much like the NIST CSF is an inventory of cybersecurity controls, to understanding physiology, the ways that organs function and interact. “The controls landscape is complicated and highly nuanced,” Jack says. FAIR-CAM reveals controls physiology and opens opportunities to apply artificial intelligence and automation to cyber risk management in the long run, and, starting in 2024, opportunities for better, risk-informed decisions on adding, keeping, or removing controls.
“6. CRQ must meet the challenge of AI and automation.”
You don’t need psychic abilities to see two trends bearing down on the cyber risk and security community, each with heavy risks and opportunities: artificial intelligence and automation applied to risk analysis and offensive and defensive cybersecurity. In his address to the 2023 FAIR Conference, Jack raised these cautions:
>> Artificial intelligence. “In AI, the analytics model is learned rather than designed, which means it’s only as good as its training,” Jack said, and now we are training it on the flawed models and data generated by current risk management practices.
>> Automation. Similarly, with “models and math based on incomplete understanding, all we have done is speed up and scale bad decision-making.”