How do you define key terms such as “inherent risk”, “quantitative risk analysis”, “risk appetite” or “vulnerability”? Do your colleagues define them the same way?
Or are you still engaging in over-the-cubicle-wall debates about basic risk terminology that get in the way of effective risk management?
FAIR™ shops have solved that problem by adopting the clear, direct, and above all useful language of Factor Analysis of Information Risk, the Open Group standard for quantitative analysis of cyber and technology risk. See the FAIR Model on one page.
With this lineup of short blog posts, test your knowledge or learn for the first time the FAIR approach to key risk analysis terms:
Let’s begin at the beginning. Unlike the many tangled definitions of cyber risk or information security risk, the FAIR definition is simplicity itself. Hint: Just two variables are required to define “risk.”
Risk before and after controls? That common definition of inherent risk falls apart in practice, as this post explains. FAIR has a more useful way to look at it.
Unlike the way “vulns” are used in cybersecurity generally, FAIR has a very specific definition (the probability that a threat event becomes a loss event) and a very useful one for quantitative cyber risk analysis. Similarly, in FAIR, control deficiencies are not risks.
Qualitative or quantitative? Beware – the difference isn’t just about numbers but about how analysis results are derived. Spoiler: true quantitative analysis is the way to go.
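To make the contrast concrete, here is an added example (not code from the FAIR Institute or from any of the posts listed) of how a quantitative result is derived from the two variables FAIR uses to define risk, loss event frequency and loss magnitude, versus how a qualitative heat map produces a label. The scenario inputs, the PERT parameterization, the heat-map thresholds and the lookup table are all constructed assumptions for illustration, not values from any real analysis or from the FAIR standard.

```python
import math
import random
import statistics

# Calibrated (low, most likely, high) estimates for one hypothetical loss scenario.
# Constructed for illustration; not taken from any real FAIR analysis.
SCENARIO = {
    "lef": (0.1, 0.5, 2.0),                  # loss event frequency, events per year
    "lm": (20_000.0, 150_000.0, 900_000.0),  # loss magnitude per event, in dollars
}


def pert_shape(lo, ml, hi, lam=4.0):
    """Beta (alpha, beta) shape parameters for a PERT distribution over [lo, hi]."""
    if not (lo <= ml <= hi) or lo == hi:
        raise ValueError("need lo <= most_likely <= hi with lo < hi")
    alpha = 1.0 + lam * (ml - lo) / (hi - lo)
    beta = 1.0 + lam * (hi - ml) / (hi - lo)
    return alpha, beta


def pert_sample(rng, lo, ml, hi):
    """Draw one value from the PERT distribution; always lands inside [lo, hi]."""
    alpha, beta = pert_shape(lo, ml, hi)
    return lo + (hi - lo) * rng.betavariate(alpha, beta)


def poisson_sample(rng, lam):
    """Knuth's Poisson sampler; adequate for the small event rates of a single scenario."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(scenario, trials=10_000, seed=1):
    """Monte Carlo: each trial is one simulated year.

    Draw a loss event frequency, draw how many events actually occur that year,
    then draw and sum a loss magnitude for each event. The result is a
    distribution of annualized loss, not a single point or a label.
    """
    rng = random.Random(seed)
    results = []
    for _ in range(trials):
        lef = pert_sample(rng, *scenario["lef"])
        events = poisson_sample(rng, lef)
        results.append(sum(pert_sample(rng, *scenario["lm"]) for _ in range(events)))
    return results


def summarize(losses):
    """Mean and selected percentiles of the simulated annual loss."""
    s = sorted(losses)

    def pct(p):
        return s[min(len(s) - 1, int(p * len(s)))]

    return {
        "mean": statistics.fmean(s),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "max": s[-1],
    }


# Qualitative heat map, for contrast. The bucket thresholds and the lookup
# table are assumptions made up for this example; they are not part of FAIR.
def bucket(value, thresholds):
    """Ordinal level 0, 1 or 2 depending on how many thresholds the value meets."""
    return sum(value >= t for t in thresholds)


def qualitative_rating(lef_most_likely, lm_most_likely):
    """Collapse likelihood and impact into one of three labels by table lookup."""
    likelihood = bucket(lef_most_likely, (0.1, 1.0))
    impact = bucket(lm_most_likely, (100_000.0, 1_000_000.0))
    return ("Low", "Low", "Medium", "High", "High")[likelihood + impact]


if __name__ == "__main__":
    summary = summarize(simulate_annual_loss(SCENARIO))
    for key, value in summary.items():
        print(f"{key:>5}: ${value:,.0f}")
    print("heat map says:", qualitative_rating(SCENARIO["lef"][1], SCENARIO["lm"][1]))
```

The quantitative path keeps the range information in the inputs and produces a loss distribution a decision maker can read as "ten percent of years look worse than this"; the heat-map path throws that information away at the bucketing step, and the label it returns cannot be traced back to a dollar figure or compared across scenarios.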
Sure, you know the difference, but are you applying it to your risk analyses to save time and effort?
Often used interchangeably, but that’s actually a serious mistake. They're different, and decision-making should draw on each of them.
As FAIR model creator Jack Jones says, “Much of what you see today in risk management is assessment without meaningful (or accurate) analysis.” Read this and get them both straight.
Raise your education level in quantitative cyber risk analysis: