NIST has released a second draft of its groundbreaking NISTIR 8286 standard that provides a roadmap for organizations looking to better align cyber risk management with enterprise risk management functions. This second draft keeps much of the same language as the first draft of NISTIR 8286, with some tightening and cleanup of sections.
Strong Focus on Cyber Risk Quantification
The document still focuses strongly on quantifying cyber events in terms of economic impact, which it presents as the gold standard for aligning cyber and enterprise risk. It continues to articulate that shadow IT and asset inventories are a challenge to this, but not an insurmountable one.
Dr. Jack Freund, PhD, is co-author with Jack Jones of the FAIR book Measuring and Managing Information Risk and a FAIR Institute Fellow.
One important section that remains is the articulation of an informal analysis method and its problems. It says, “Decisions are often made based on an individual’s instinct and knowledge of conventional wisdom and typical practices” and “there is usually no analysis performed after control deployment to determine if risk has been reduced to a level deemed acceptable.”
Conventional Risk Management No Longer Acceptable
In this short passage, the standard effectively outlines the entirety of the security and risk space up until the advent of FAIR™. So much of cybersecurity risk management today is built on instinct (euphemistically one’s “gut”), with hardly any retrospective look-back to measure our gut’s success. This is the primary benefit of using FAIR to add rigor and defensibility to your risk and control operations: measurable outcomes.
The standard does continue to use the concept of “positive risk.” The use of this term has always been academic, as no one lists positive things on a risk register. Indeed, standards organizations acknowledge positive risk and then the entire professional world goes about managing negative risk (or just “risk”) in spite of it. I gave this concept a longer treatment in Good Risk or Bad Risk?, a blog post for ISACA.
It is always important to consider organizational objectives when managing risk, and this second draft of the NISTIR 8286 standard continues to implore organizations to find ways to connect their disparate risk management practices under a single umbrella. Such a unified approach, grounded in solid quantitative methods (the standard lists Monte Carlo, Bayesian Analysis, and Event Tree Analysis amongst them), will prepare organizations for negative events that will impede progress towards organizational goals and objectives.