FAIR Institute Chairman and FAIR model creator Jack Jones gives a concise, high-level view of the limitations of conventional thinking in the cybersecurity profession, and of how FAIR and a quantitative approach to cyber risk show the way forward, in this Enterprise Security Weekly podcast hosted by Paul Asadoorian.
Watch Jack Jones on the Security Weekly podcast
Paul kicks off the discussion asking Jack about a common problem for enterprise cybersecurity practitioners: how to prioritize among vulnerabilities and risks.
Jack answers that “in some ways our profession makes it harder than it has to be. An example is CVSS, which is generally the scoring model for technical vulnerability. Although it does a good job of characterizing the exploitability of various deficiencies, it’s nowhere close to being a representation of how much risk exists because it leaves out of the equation a couple of the critical factors that exist,” namely the probable frequency and probable magnitude of future loss (to crib from the FAIR definition of risk).
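To make the point concrete, here is a small added example (not from the podcast or the FAIR Institute) that scores two constructed vulnerability scenarios the FAIR way: loss event frequency and loss magnitude are each given as a min/most-likely/max range, a Monte Carlo simulation turns them into a distribution of annual loss, and the scenarios are ranked by that rather than by CVSS. The scenario names, CVSS values and ranges are invented for illustration; the Poisson sampler and the triangular ranges are simplifications of the FAIR model's own distributions.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario expressed in FAIR terms (constructed values)."""
    name: str
    cvss: float
    lef: tuple        # (min, most likely, max) loss events per year
    magnitude: tuple  # (min, most likely, max) loss per event, in USD


# Constructed scenarios: the higher CVSS score sits on an isolated test
# host, the lower one on a payment database. CVSS alone would rank them
# the wrong way round for the business.
SCENARIOS = [
    Scenario("Isolated test host, critical RCE", 9.8,
             (0.01, 0.05, 0.2), (1_000, 5_000, 20_000)),
    Scenario("Payment DB, medium info disclosure", 5.3,
             (0.2, 0.5, 1.0), (100_000, 400_000, 1_500_000)),
]


def _sample_range(rng, rng_tuple):
    """Draw from a triangular distribution given (min, most likely, max).

    Note random.triangular takes (low, high, mode), so reorder explicitly."""
    low, mode, high = rng_tuple
    return rng.triangular(low, high, mode)


def _poisson(rng, lam):
    """Number of loss events in one year for rate lam (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, trials=20_000, seed=1):
    """Simulate `trials` years; each year draws a frequency, then the
    number of events, then a magnitude for every event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = _sample_range(rng, scenario.lef)
        events = _poisson(rng, lef)
        losses.append(sum(_sample_range(rng, scenario.magnitude)
                          for _ in range(events)))
    return losses


def summarize(scenario, trials=20_000, seed=1):
    """Mean and 90th-percentile annual loss for one scenario."""
    losses = sorted(simulate_annual_loss(scenario, trials, seed))
    mean = sum(losses) / len(losses)
    p90 = losses[int(0.9 * (len(losses) - 1))]
    return {"name": scenario.name, "cvss": scenario.cvss,
            "mean_annual_loss": mean, "p90_annual_loss": p90}


def rank_by_risk(scenarios, trials=20_000, seed=1):
    """Order scenarios by simulated mean annual loss, highest first."""
    return sorted((summarize(s, trials, seed) for s in scenarios),
                  key=lambda r: r["mean_annual_loss"], reverse=True)


if __name__ == "__main__":
    for row in rank_by_risk(SCENARIOS):
        print(f"{row['name']:<40} CVSS {row['cvss']:<4} "
              f"mean ${row['mean_annual_loss']:>12,.0f}  "
              f"p90 ${row['p90_annual_loss']:>12,.0f}")
```

Running it puts the CVSS 5.3 payment-database scenario well ahead of the CVSS 9.8 test-host scenario, because frequency and magnitude, not exploitability alone, drive the expected loss. Replacing the constructed ranges with calibrated estimates from your own incident history and asset values is the real work; the ranking logic stays the same.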
View this video and learn how Jack approaches…
- Assessing threats from insider and external actors
- Lack of coherent or consistent definitions of cyber risk
- Problems with using NIST CSF or other checklist or maturity models to prioritize risks
Jack gives a great summation of FAIR and how quantitative analysis works. The bottom line?
“Everything we do in the cybersecurity realm should affect the probability or the magnitude of loss occurring,” Jack says.
SC Media calls the FAIR Institute "one of the most important industry organizations of the last 30 years." Join the Institute now!