It’s been a little over a year since my love of-FAIR began, and my, does time fly when you’re having a good time! Perhaps “love” of-FAIR is a bit dramatic. However, I must say that the FAIR model has many benefits that make it an attractive and advantageous affiliation.
Don’t believe me? Allow me to elaborate on each of the above benefits.
Navigating through the murky waters of the risk landscape can be tough. Answering questions and defending the results of a risk analysis against demanding managers can be grueling.
FAIR can be (and has been) a great companion in such situations. FAIR provides a framework for critical thinking that can be leveraged to: clarify the problem space, think through risk related questions by decomposing and framing the problem, and help produce defensible results. Using the FAIR framework during an analysis fosters logic, consistency and rigor.
In short, FAIR can bolster confidence because it helps demystify the risk landscape and equips you with a strong mental game-plan (model) for analyzing risk.
Please note: it takes two to tango. FAIR doesn’t do the risk analysis work for you… it simply aids you in the process. You get out of it what you put into it (like any other meaningful relationship).
Miscommunication can lead to misunderstandings. Misunderstandings can damage credibility. Damaged credibility can compromise a relationship. Don’t underestimate the power of clear and effective communication. Communication is key – cliché, I know, but true.
In order to communicate with clarity, it’s important to speak the same language. FAIR has a codified terminology with clear and concise definitions for crucial terms such as risk, threat, asset etc. This helps provide clarity, especially when sifting through risk registers that can be peppered with control deficiencies (e.g. from audit findings) and other non-loss-event entries that are masquerading as “risks.”
Beyond the role of an analyst, FAIR can empower you to quantify operational and information security risk in monetary terms. It translates enigmatic (to non-techy people, that is) cyber and/or technology risks into the language of business: money. It’s amazing how people listen when confronted with the monetary ramifications of their decision.
Clear communication is a powerful tool.
Where would Jim be without Pam? Monica without Chandler? And, where would qualitative analysis be without quantitative analysis? Qualitative analysis, on its own, can be incomplete.
Purely qualitative risk analysis methods fail to help provide answers to simple questions such as, “How much risk” and “How much less risk” would there be if we funded and implemented xyz control? Being unable to answer such questions can leave you feeling dejected and deficient. Don’t fret, FAIR can help.
“FAIR, you complete me” – Qualitative Analyses (if they could speak).
FAIR marries qualitative and quantitative risk analysis and empowers you to provide substantive answers to “how much” types of questions. A FAIR analysis, conducted in the RiskLens application or a spreadsheet solution, equips you with the ability to discuss the economic impact of a loss event i.e. the annualized loss exposure.
Also, since FAIR includes a quantitative approach, you can conduct a current vs. future state cost-benefit analysis to justify new controls. When you do this, you provide actionable value to decision makers.
Sharing is caring. I wanted to share reflections on my friendship of-FAIR in case there were open-minded risk professionals who were looking for an advantageous friendship of utility. If you’re such a professional, I’d encourage you to consider FAIR.