FAIR Institute Blog

NISTIR 8286 Second Draft: Strong Focus on Risk Quantification for Aligning Cyber and Enterprise Risk Management

Jul 30, 2020 7:42:00 AM / by Jack Freund

NIST has released a second draft of its groundbreaking NISTIR 8286 standard, which provides a roadmap for organizations looking to better align cyber risk management with enterprise risk management functions. This second draft keeps much of the language of the first draft of NISTIR 8286, with some tightening and cleanup of sections.

Strong Focus on Cyber Risk Quantification

The document still has a strong focus on quantification of cyber events (in terms of economic impact) as the gold standard for aligning cyber and enterprise risk. It continues to acknowledge that shadow IT and incomplete asset inventories are a challenge to this, but not an insurmountable one.


Dr. Jack Freund, PhD, is co-author with Jack Jones of the FAIR book Measuring and Managing Information Risk and a FAIR Institute Fellow.

One important section that has remained was the articulation of an informal analysis method and the problems therein. It says, “Decisions are often made based on an individual’s instinct and knowledge of conventional wisdom and typical practices” and “there is usually no analysis performed after control deployment to determine if risk has been reduced to a level deemed acceptable.”

Conventional Risk Management No Longer Acceptable

In this short passage, the standard effectively outlines the entirety of the security and risk space up until the advent of FAIR™. So much of cybersecurity risk management today is built on instinct (euphemistically one’s “gut”) and hardly any retrospective look-back to measure our gut’s success. This is the primary benefit of using FAIR to add rigor and defensibility to your risk and control operations; namely, measurable outcomes.

The standard does continue the use of the concept of “positive risk.” The use of this term has always been academic, as no one lists positive things on a risk register. Indeed, standards organizations acknowledge positive risk, and then the entire professional world goes about managing negative risk (or just “risk”) in spite of it. I gave this concept a longer treatment in Good Risk or Bad Risk?, a blog post for ISACA.

It is always important to consider organizational objectives when managing risk, and this second draft of the NISTIR 8286 standard continues to implore organizations to find ways to connect their disparate risk management practices under a single umbrella. Such a unified approach, grounded in solid quantitative methods (the standard lists Monte Carlo, Bayesian Analysis, and Event Tree Analysis amongst them), will prepare organizations for negative events that will impede progress towards organizational goals and objectives.

Topics: Risk Management, Government

Written by Jack Freund

Dr. Jack Freund is a leading voice in Information Risk measurement and management with experience across many industry segments. His corporate experience includes spearheading strategic shifts in IT Risk by leading his staff in executing multimillion dollar efforts in cooperation with other risk and control groups. He is the co-author of "Measuring and Managing Information Risk: A FAIR Approach."