“The technology-to-business translation goal is to capture the elements of technological failure and connect them to enterprise objectives, presented as strategic risk,” the white paper explains. “This process typically involves decomposing cybersecurity risk into a series of progressively decomposed loss scenarios.” Identifying and quantifying those scenarios in financial terms is the key deliverable of FAIR analysis.
“The more a risk-management measurement resembles the financial statements and income projections that the board typically sees, the easier it is for board members to manage cybersecurity risk,” the white paper says. As examples, it presents typical outputs of a FAIR analysis, such as a Monte Carlo loss distribution and a ranking of risks by single loss event value, plotted against risk appetite or other limits.
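As an added illustration (not code from the white paper, ISACA or the FAIR Institute), a small FAIR-style Monte Carlo in Python: each loss scenario is decomposed into loss event frequency and loss magnitude, simulated into an annual loss distribution, and the scenarios are ranked by single loss event value against a risk appetite figure. Scenario names, estimates and the appetite value are constructed for the example.

```python
import math
import random
import statistics

# Constructed, illustrative scenarios (not figures from the white paper): loss event
# frequency (LEF, events/year) and loss magnitude (LM, USD/event) as (min, likely, max).
SCENARIOS = {
    "ransomware on file servers": {"lef": (0.1, 0.5, 2.0), "lm": (50_000, 400_000, 3_000_000)},
    "credential stuffing on portal": {"lef": (1.0, 4.0, 12.0), "lm": (5_000, 30_000, 250_000)},
    "insider exfiltration of source": {"lef": (0.02, 0.1, 0.5), "lm": (200_000, 1_500_000, 10_000_000)},
}

def poisson(rng, lam):
    # Number of loss events in one year at rate lam (Knuth's method)
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate(scenario, trials=10_000, seed=7):
    # Monte Carlo over one scenario; fixed seed keeps the run reproducible
    rng = random.Random(seed)
    lef_lo, lef_ml, lef_hi = scenario["lef"]
    lm_lo, lm_ml, lm_hi = scenario["lm"]
    annual, single = [], []          # annual totals and single loss event values
    for _ in range(trials):
        rate = rng.triangular(lef_lo, lef_hi, lef_ml)      # uncertainty in LEF
        total = 0.0
        for _ in range(poisson(rng, rate)):
            loss = rng.triangular(lm_lo, lm_hi, lm_ml)     # uncertainty in LM
            single.append(loss)
            total += loss
        annual.append(total)
    return annual, single

def summarize(annual, single, appetite):
    # Board-level figures: ALE, 90th-percentile single loss event, risk-appetite tests
    sle_p90 = sorted(single)[int(0.9 * len(single))] if single else 0.0
    return {"ale": statistics.mean(annual), "sle_p90": sle_p90,
            "p_exceed_appetite": sum(a > appetite for a in annual) / len(annual),
            "sle_over_appetite": sle_p90 > appetite}

def rank_scenarios(scenarios, appetite, trials=10_000):
    # Rank by single loss event value, the ordering the white paper's chart uses
    rows = [(name, summarize(*simulate(s, trials), appetite)) for name, s in scenarios.items()]
    return sorted(rows, key=lambda r: r[1]["sle_p90"], reverse=True)
```

Calling `rank_scenarios(SCENARIOS, appetite=1_000_000)` returns the scenarios ordered by 90th-percentile single loss event, with a flag for each that exceeds the per-event appetite and the share of simulated years whose total loss exceeds it.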
The white paper in particular warns CISOs and other infosec professionals not to confuse control deficiencies with risks, and not to confuse board members by reporting them as such. “Translating these broken and missing controls into strategic risk management requires a risk practitioner to avoid confusing security terminology. Leveraging the nomenclature in the FAIR methodology provides additional clarity to distinctions between risk, threat and vulnerability that are helpful to boards.”
Last year, ISACA released the Risk IT Framework, 2nd Edition and Risk IT Practitioner Guide which align with FAIR in significant ways, as FAIR creator Jack Jones wrote in a blog post for ISACA:
Download the white paper Reporting Cyber Risk to the Board of Directors from ISACA.