Jack Jones, creator of Factor Analysis of Information Risk (FAIR™), the international standard for quantification of cyber risk, gave an RSAC21 audience a preview of his breakthrough FAIR Controls Analytics Model (FAIR-CAM) that will, for the first time, enable security teams to reliably evaluate how controls affect risk in quantitative terms. The FAIR Institute will officially release FAIR-CAM at the 2021 FAIR Conference in October.
While many cybersecurity operations and risk management teams make controls decisions based on the gaps between their programs and the list of recommended controls in a security assessment framework, they haven’t had a model to reliably know whether any one control provides risk reduction that justifies its cost. And they often don’t account for the interaction among controls in reducing risk – for instance, the effect of a missing patch might be minimized by other controls already in place.
Jack compares the common control frameworks in our profession to anatomy, the parts of a system, vs. physiology, how the system works – and you can’t understand one without the other. FAIR-CAM describes an organization’s controls as a system of interdependent parts.
FAIR-CAM organizes controls into functional categories, based on how they affect the frequency and magnitude of loss, and assigns to each control type a unit of measurement for its function (%, $, time, etc.) so that cybersecurity teams can empirically measure the efficacy of controls.
FAIR-CAM is an extension of, not a replacement for, FAIR. The distinction: FAIR is a model for measuring risk, while FAIR-CAM describes how controls affect risk. In fact, FAIR-CAM will improve the reliability of FAIR analysis by better quantifying the risk reduction value of controls.
FAIR-CAM also complements the common cybersecurity frameworks now in wide use by clarifying how each element in those frameworks affects risk. FAIR-CAM combined with a well-defined controls “anatomy” framework (e.g., NIST 800-53) and a solid risk measurement model like FAIR will improve an organization’s ability to focus on the controls that matter most, and more cost-effectively reduce cyber risk.
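To make the ideas above concrete, here is a small added illustration (not FAIR-CAM itself, whose model had not been published at the time of this post, and not code from the FAIR Institute). It uses the basic FAIR decomposition of risk into loss event frequency times loss magnitude, tags each control with the function it performs (reducing frequency or reducing magnitude), and computes the marginal risk reduction of a candidate control given the controls already in place, so that it can be compared with the control's annual cost. The scenario, control names, percentages and dollar figures are all constructed for the example.

```python
"""Constructed illustration: how controls that act on loss event frequency
versus loss magnitude change a FAIR-style risk estimate.

This is an added example, not FAIR-CAM's published model. FAIR itself
decomposes risk as Risk = LEF x LM (loss event frequency x loss magnitude);
the control representation below is a deliberate simplification."""
from dataclasses import dataclass
from typing import List


@dataclass
class Scenario:
    lef: float  # loss event frequency, events per year
    lm: float   # loss magnitude per event, in dollars

    def annualized_loss(self) -> float:
        """Annualized loss expectancy for this scenario."""
        return self.lef * self.lm


@dataclass
class Control:
    name: str
    function: str     # "frequency" or "magnitude": which FAIR factor it acts on
    reduction: float  # fraction of that factor the control removes, 0..1
    annual_cost: float


def apply_controls(base: Scenario, controls: List[Control]) -> Scenario:
    """Return the scenario after each control has reduced its target factor.

    Reductions on the same factor compound multiplicatively, which is what
    makes a control's value depend on the controls already in place."""
    lef, lm = base.lef, base.lm
    for c in controls:
        if c.function == "frequency":
            lef *= 1.0 - c.reduction
        elif c.function == "magnitude":
            lm *= 1.0 - c.reduction
        else:
            raise ValueError(f"unknown control function: {c.function!r}")
    return Scenario(lef=lef, lm=lm)


def control_value(base: Scenario, in_place: List[Control], candidate: Control) -> dict:
    """Marginal risk reduction of `candidate` given `in_place`, net of its cost."""
    before = apply_controls(base, in_place).annualized_loss()
    after = apply_controls(base, in_place + [candidate]).annualized_loss()
    reduction = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "risk_reduction": reduction,
        "net_benefit": reduction - candidate.annual_cost,
    }


# Constructed scenario: two loss events per year at $500,000 each.
BASELINE = Scenario(lef=2.0, lm=500_000.0)

# Constructed controls; the percentages and costs are illustrative only.
SEGMENTATION = Control("network segmentation", "frequency", 0.5, 120_000.0)
PATCHING = Control("patch management", "frequency", 0.6, 150_000.0)
BACKUPS = Control("tested offline backups", "magnitude", 0.7, 100_000.0)


if __name__ == "__main__":
    print(f"baseline ALE: ${BASELINE.annualized_loss():,.0f}")
    # Same control, valued alone and then given an existing frequency control.
    for in_place in ([], [SEGMENTATION]):
        r = control_value(BASELINE, in_place, PATCHING)
        names = [c.name for c in in_place] or ["nothing"]
        print(f"{PATCHING.name} with {names} in place: "
              f"reduction ${r['risk_reduction']:,.0f}, net ${r['net_benefit']:,.0f}")
    r = control_value(BASELINE, [SEGMENTATION, PATCHING], BACKUPS)
    print(f"{BACKUPS.name} after both frequency controls: "
          f"reduction ${r['risk_reduction']:,.0f}, net ${r['net_benefit']:,.0f}")
```

Running it shows the interaction effect the post describes: patch management removes $600,000 of annualized loss when valued alone, but only $300,000 once segmentation is already cutting frequency in half, so the same control may or may not justify its cost depending on what surrounds it. Magnitude controls such as backups are valued in the same units, which is what lets the three be compared on one scale.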
Look for a detailed whitepaper from Jack at the FAIR Conference in October, and announcements to come on how you can get trained in FAIR-CAM.