While many cybersecurity operations and risk management teams make controls decisions by comparing their programs against the list of recommended controls in a security assessment framework, they have not had a model that reliably tells them whether any one control provides risk reduction that justifies its cost. They also often fail to account for the interaction among controls in reducing risk – for instance, the effect of a missing patch might be minimized by other controls already in place.
FAIR-CAM organizes controls into functional categories, based on how they affect the frequency and magnitude of loss, and assigns to each control type a unit of measurement for its function (%, $, time, etc.) so that cybersecurity teams can empirically measure the efficacy of controls.
FAIR-CAM is an extension of FAIR, not a replacement for it. The distinction: FAIR is a model for measuring risk, while FAIR-CAM describes how controls affect risk. In fact, FAIR-CAM will improve the reliability of FAIR analysis by better quantifying the risk-reduction value of controls.
Learn FAIR quantitative risk analysis with training through the FAIR Institute.
FAIR-CAM also complements the common cybersecurity frameworks now in wide use by clarifying how each element in those frameworks affects risk. Combining FAIR-CAM with a well-defined controls “anatomy” framework (e.g., NIST 800-53) and a solid risk measurement model like FAIR will improve an organization’s ability to focus on the controls that matter most and to reduce cyber risk more cost-effectively.
Look for a detailed whitepaper from Jack at the FAIR Conference in October, and announcements to come on how you can get trained in FAIR-CAM.