Jack Jones, creator of FAIR™ (Factor Analysis of Information Risk), recently was interviewed by Tony Morbin of ISMG on how quantitative analysis with FAIR differs from the cybersecurity posture scores rated by insurance companies and vendors of insurance industry data.
Watch the video interview: Putting Monetary Value on Cyber Risk
“The cyber insurance industry has good information on the effects of a breach and the losses that occur, but not really all of the losses because they only pay attention to the losses that are covered by their policies,” Jack said.
“What they don’t have is great information about probabilities. They can speak to probabilities at an industry level, for example, the probability that an average financial institution will have an event of some sort. But probabilities will vary from organization to organization, based on the unique characteristics of that organization, in terms of their controls conditions and so on…
“So, for your average CISO, insurance data really isn’t likely to be all that useful for decision making day-to-day or even at a strategic level.
“On the other hand, organization can use the FAIR model to identify which components of the risk landscape carry the most risk. Then they can do cost/benefit analysis on potential improvements. From a decision-making perspective this is more useful.”
FAIR helps organizations “apply their resources more cost effectively by choosing amongst the various options they have in controlling risk,” including insuring or self-insuring.
Jack also covered these topics in the interview:
- Flaws in some standard risk management frameworks
- Mixing qualitative with quantitative risk assessment
- Creating incentives in organizations to improve security initiatives.
