Press Release: Two Cybersecurity Standards Come Together to Help Organizations Quantify and Prioritize Risk

Since its first release in February 2014, the NIST Cybersecurity Framework(CSF) has rapidly emerged among companies and government organizations as the leading taxonomy and set of best practices for managing cybersecurity risk, both here in the U.S. and abroad. The NIST CSF has helped many organizations report on the maturity level of their cybersecurity practices and their progress toward meeting their goals.

One limitation that users encountered was the lack of an analytic capability that would allow them to quantify the risk associated with compliance gaps or the sufficiency of compliance. Factor Analysis of Information Risk (FAIR) - the international standard value-at-risk model for quantifying cybersecurity risk from The Open Group - provides analytical support for organizations using NIST CSF by helping them measure and prioritize their control improvements in financial terms.

The combined use of both NIST CSF and FAIR standards allow organizations to not only assess the maturity level of cybersecurity activities, but also to answer fundamental questions such as: How much risk do we have? and What activities matter the most and should be prioritized? Accordingly, the economic analysis provided by FAIR allows organizations to draw additional value out of the NIST CSF by enabling informed choices on where to apply limited financial resources. Ultimately, FAIR helps users to meet NIST CSF's stated goal to manage cybersecurity risk in a cost-effective way based on business needs.

A series of articles on "NIST CSF & FAIR" can be accessed on NIST's Industry Resources page under the Guidance that Incorporates Framework section or directly on the FAIR Institute(http://www.fairinstitute.org/blog/nist-csf-fair-part-1).

Joint users of both standards include large enterprises in various sectors (including financial services, healthcare and manufacturing) and governments agencies. Membership in the FAIR Institute is free. Learn more and network by joining the FAIR Institute.

About the FAIR Institute

The FAIR Institute is an expert, non-profit organization led by information risk officers, CISOs and business executives, created to develop and share standard information risk management practices based on FAIR. Factor Analysis of Information Risk (FAIR) is the only international standard value-at-risk model for information security and operational risk. FAIR helps organizations quantify and manage risk from the business perspective and enables cost-effective decision-making. To learn more and get involved visit www.fairinstitute.org.

###