Jack Jones on the Future of Cyber Risk Analysis in an AI World (FAIRCON23)
“AI will transform our problem space, but we aren’t there yet,” Jack Jones, creator of Factor Analysis of Information Risk (FAIR™), told the 2023 FAIR Conference in his keynote speech. To take full advantage of artificial intelligence and risk analysis automation, “we have to really think more deeply about our problem space, and not assume we know what we are talking about at a more scientific and fundamental level.”
Watch the video:
Keynote Address: The Future of Risk Analysis in an AI and Automation World
Jack Jones, Chairman, FAIR Institute
To see the future taking shape, Jack pointed to medicine, now evolving from version 1.0, focused on “reactive” diagnosis and treatment of disease, to version 2.0, focused on “proactive” prevention and achieving “healthspan,” a longer and healthier life through an understanding of the “root causes” of disease in an individual (heredity, lifestyle, etc.).
As Jack sees it, risk management is still evolving from being a craft (Risk x.0) to being a science (Risk 1.0), and Risk 1.0 still tends to be reactive in nature. In Risk 1.0, “diagnosis” (such as event detection or malware recognition) and “treatment” (such as prioritized remediation) make up the state of the art. But “now the tone is changing” for risk management, Jack said, with the introduction of scientific approaches such as the FAIR Controls Analytics Model (FAIR-CAM™), developed by Jack as a “physiology” that explores how controls interact with each other, much as medicine studies the interplay of the organs.
Even though Risk 1.0 is reactive, its more scientific nature still represents an important step forward. It also provides a bridge to what Jack refers to as Risk 2.0, which focuses on identifying and treating root causes. To demonstrate, Jack ran a simulation of a synthetic risk landscape that used FAIR-CAM to model the reduction in risk using a root cause approach – the security program goes from “spending money like crazy” without improving risk posture, to “making systemic strategic changes in how they manage risk” and steadily driving loss exposure downward.
Implications for Automation and AI in Cyber Risk Management
Jack raised some important cautions for the cyber risk management profession as it rushes forward on two frontiers:
>>Artificial intelligence. “In AI, the analytics model is learned rather than designed which means it’s only as good as its training,” Jack said, and right now we are training it on the flawed models and data generated by current risk management practices.
>>Automation. Similarly, with “models and math based on incomplete understanding, all we have done is speed up and scale bad decision-making.”
The FAIR Movement Will Lead the Way to Risk Management 2.0
Jack finished on a hopeful note: “The good news is those of us in the room have the opportunity to play a major role in getting us to the next level….We get to play a pivotal role in making a transition in an industry from one epoch to another.”