In a new commentary on the Dark Reading website, *What We Talk About When We Talk About Risk*, FAIR Institute Chairman and cyber risk quantification pioneer Jack Jones takes the cybersecurity profession to task for the many confused – and confusing – ways it uses the term risk.
“Which of these are risks?” Jack asks when he speaks to information security professional groups.
- Disgruntled employees
- Untested recovery plans
- Sensitive consumer information
- Weak passwords
“All of them!” the audience answers. In fact, none of them are risks in the sense business leaders use the term: potential loss events for the business. “The same executive stakeholders whose eyes glaze over when we talk about vulnerabilities and threat vectors suddenly take interest when the risks we talk about are loss events,” Jack writes.
Jack cautions against another blind spot for the profession, the notion that cyber risk can’t be measured. “The good news is that measuring infosec risk is not that hard once you've gotten your terms straight and when you leverage well-established methods and principles from other risk disciplines.” In other words, the FAIR model.
Many other disciplines went through long periods before they settled on standardized terms and principles, Jack writes. "But given today's imperatives surrounding cyber and technology risk management, we do not have the luxury of decades to get our act together."