In this second installment in a series of interviews with attendees at last year’s FAIR Conference, we asked three FAIR Institute members for quick notes on their experiences getting started with cyber risk quantification and proving its value.
Head of Technology Risk
“Typically, you get people in a room talking about risk and everyone’s got a different question in their heads. With FAIR, everything’s out in the open, there’s no black box. You clarify your assumptions. If someone doesn’t like the assumptions, you run the model again and see how the outcome differs.”
“Take it slow. Don’t try to make the best thing that ever came along, and present it as the best thing that ever came along as soon as you get it. People will feel that some of their turf might be stepped on a little bit. So just be gentle with folks and keep presenting the numbers.”
“I’ve conducted one official FAIR analysis so far about a product that we wanted to roll out and had a lot of uncertainty around the loss we were going to have with it. I presented the analysis to our executive committee and it went really well. They had some questions--like ‘Where did you come up with these numbers?’--and I walked them through my thought process and assumptions and they were pleased with it. They said, ‘So if we actually do get to the point where we experience X number of losses then we’re going to shut down this project.’”