“Which of these are risks?” Jack asks when he speaks to information security professional groups.
“All of them!” the audience answers. In fact, none of them are risks in the sense that business leaders use the term: potential loss events for the business. “The same executive stakeholders whose eyes glaze over when we talk about vulnerabilities and threat vectors suddenly take interest when the risks we talk about are loss events,” Jack writes.
Jack cautions against another blind spot for the profession, the notion that cyber risk can’t be measured. “The good news is that measuring infosec risk is not that hard once you’ve gotten your terms straight and when you leverage well-established methods and principles from other risk disciplines.” In other words, the FAIR model.
Many other disciplines went through long periods before they settled on standardized terms and principles, Jack writes. “But given today’s imperatives surrounding cyber and technology risk management, we do not have the luxury of decades to get our act together.”
Read What We Talk About When We Talk About Risk now.
More About FAIR and quantitative cyber risk analysis:
Gartner Names Risk Quantification a Critical Capability of Integrated Risk Management