Leading infosecurity education organization ISACA is out with a new white paper Reporting Cyber Risk to the Board of Directors (free download) that advocates for “placing cybersecurity concerns in the context of business objectives” to capture the attention of board members – and calls out Factor Analysis of Information Risk (FAIR™) as the way to “enable the economic representation of cybersecurity risk that is sorely missing in the boardroom, but can illuminate cybersecurity exposure.”
“The technology-to-business translation goal is to capture the elements of technological failure and connect them to enterprise objectives, presented as strategic risk,” the white paper explains. “This process typically involves decomposing cybersecurity risk into a series of progressively decomposed loss scenarios.” Identifying and quantifying those scenarios in financial terms is the key deliverable of FAIR analysis.
“The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk,” the white paper says, and as examples it presents typical outputs of FAIR analysis, such as a Monte Carlo loss distribution and a ranking of risks by single loss event value, plotted against risk appetite or other limits.
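To make the two outputs named above concrete, here is an added example (not code from ISACA or the FAIR Institute) that runs a small FAIR-style Monte Carlo over three constructed loss scenarios, producing an annual loss distribution per scenario and a ranking by 90th-percentile single loss event value against a risk appetite. The scenario names, frequency and magnitude ranges, and the $1M appetite are invented for illustration; the triangular draws and rounded event counts are a deliberate simplification of how FAIR tooling samples these quantities.

```python
import random
import statistics

# Constructed scenarios: (name, loss event frequency per year as min/most-likely/max,
# single loss event magnitude in USD as min/most-likely/max). Not from the white paper.
SCENARIOS = [
    ("Ransomware on file servers", (0.1, 0.5, 2.0), (50_000, 400_000, 3_000_000)),
    ("Insider data theft", (0.05, 0.2, 1.0), (20_000, 150_000, 1_200_000)),
    ("Phishing credential misuse", (1.0, 4.0, 12.0), (2_000, 15_000, 120_000)),
]

def sample_single_loss(rng, mag):
    """One loss event magnitude drawn from a triangular (min, mode, max) estimate."""
    lo, ml, hi = mag
    return rng.triangular(lo, hi, ml)

def simulate_annual_loss(rng, freq, mag, years=10_000):
    """Monte Carlo: per simulated year, draw an event count from the frequency estimate
    (triangular, rounded; real FAIR tools use a Poisson draw) and sum one magnitude
    draw per event, giving the annualized loss distribution the board sees."""
    lo, ml, hi = freq
    annual = []
    for _ in range(years):
        events = round(rng.triangular(lo, hi, ml))
        annual.append(sum(sample_single_loss(rng, mag) for _ in range(events)))
    return annual

def summarize(annual, appetite):
    """Board-level figures: expected loss, median, 90th percentile, chance of breaching appetite."""
    deciles = statistics.quantiles(annual, n=10)
    return {
        "expected": statistics.fmean(annual),
        "p50": statistics.median(annual),
        "p90": deciles[8],
        "p_exceeds_appetite": sum(a > appetite for a in annual) / len(annual),
    }

def rank_by_single_loss(rng, scenarios, appetite, draws=10_000):
    """Rank scenarios by 90th-percentile single loss event value; flag those over appetite."""
    rows = []
    for name, _freq, mag in scenarios:
        sorted_draws = sorted(sample_single_loss(rng, mag) for _ in range(draws))
        sle90 = sorted_draws[int(0.9 * draws) - 1]
        rows.append((name, sle90, sle90 > appetite))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def report(appetite=1_000_000, seed=7):
    """Return (per-scenario annual loss summaries, single-loss-event ranking)."""
    rng = random.Random(seed)  # fixed seed so the report is reproducible
    summaries = {n: summarize(simulate_annual_loss(rng, f, m), appetite) for n, f, m in SCENARIOS}
    return summaries, rank_by_single_loss(rng, SCENARIOS, appetite)
```

Calling `report()` yields, per scenario, the expected annual loss and its 50th/90th percentiles plus the share of simulated years above the appetite, and a ranking in which only the ransomware scenario's 90th-percentile single loss exceeds the $1M line.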
The white paper in particular warns CISOs and other infosec professionals not to confuse controls deficiencies with risks – or to confuse board members with that approach. “Translating these broken and missing controls into strategic risk management requires a risk practitioner to avoid confusing security terminology. Leveraging the nomenclature in the FAIR methodology provides additional clarity to distinctions between risk, threat and vulnerability that are helpful to boards.”
Last year, ISACA released the Risk IT Framework, 2nd Edition and Risk IT Practitioner Guide which align with FAIR in significant ways, as FAIR creator Jack Jones wrote in a blog post for ISACA:
- Risk IT uses approximately the same definition for risk — essentially, the probability and impact of loss events.
- Risks are defined as loss event scenarios.
- The components used to define loss event scenarios are the same as in FAIR (asset, threat, event type, etc.).
- The example scenarios Risk IT provides consistently align with that loss event scenario construct.
Download the white paper Reporting Cyber Risk to the Board of Directors from ISACA.