Key Terms in Cyber Risk Analysis – Test Your Knowledge

How do you define key terms such as “inherent risk”, “quantitative risk analysis”, “risk appetite” or “vulnerability”? Do your colleagues define them the same way?

Or are you still engaging in over-the-cubicle-wall debates about basic risk terminology that get in the way of effective risk management?   

FAIR™ shops have solved that problem by adopting the clear, direct, and above all useful language of Factor Analysis of Information Risk, the international standard for quantitative analysis of cyber and technology risk.  See the FAIR Model on one page.

With this lineup of short blog posts, test your knowledge or learn for the first time the FAIR approach to key risk analysis terms:   


What Is Cyber Risk? The FAIR Definition 

Let’s begin at the beginning. Unlike the many tangled definitions of cyber risk or information security risk, the FAIR definition is simplicity itself.  Hint: Just two variables are required to define “risk.”  


Inherent Risk vs. Residual Risk 

Before and after controls – but that definition falls apart in practice, as this post explains. FAIR has a more useful way to look at it.  


Vulnerability vs. Weakness

Unlike the way “vulns” are used in cybersecurity generally, FAIR has a very specific definition and a very useful one for quantitative cyber risk analysis. Similarly, in FAIR, controls deficiencies are not risks.



Qualitative vs. Quantitative Cyber Risk Analysis 

Beware – the difference isn’t just about numbers but how analysis results are derived. Spoiler: True quantitative analysis is the way to go.   


Probability vs. Possibility

Sure, you know the difference but are you applying that to your risk analyses to save time and effort?  


Risk Appetite vs. Risk Tolerance 

Often used interchangeably but that’s actually a serious mistake. They're different and you should base decision-making on each.   


Risk Analysis vs. Risk Assessment 

As FAIR model creator Jack Jones says, “Much of what you see today in risk management is assessment without meaningful (or accurate) analysis.”  Read this and get them both straight.  

Raise your education level in quantitative cyber risk analysis:

Learn about FAIR training and certification
