Reporting to the Board on Cyber Risk: 2 Charts to Tell Your Story

Three experienced FAIR™ (Factor Analysis of Information Risk) practitioners got together at the 2021 FAIR Conference (FAIRCON21) to compare notes on best practices for reporting to the board with risk quantification. Their bottom-line advice for a board command performance: Keep it simple and relatable to what the audience already knows. 


FAIRCON21 

Panel - Experiences from the Field: Reporting Top Risks to the Board

Moderator: Chris Patteson, Executive Director – Risk Transformation Office, Archer

Johann Balaguer, Director, Global Security, Ultimate Kronos Group (UKG)

Michael Moresco, Sr. Security Policy and Risk Manager, ServiceNow

FAIR Institute members can watch the video of this FAIRCON21 session in the LINK member community. Not a member yet? Join the FAIR Institute now, then sign up for LINK. 


Visual aids help, too. Michael Moresco and Johann Balaguer shared two slides they’ve used to walk board members through a presentation based on FAIR cyber risk quantification.  

[Chart: FAIRCON21 - Board Reporting Chart - Risk Scenarios]

This is the chart Michael recommends for organizations new to FAIR (or in cases when the legal department doesn’t want to see risk communicated in dollar terms alongside vulnerabilities).

On the left are high-level security risk scenarios – DDoS attack, data breach, etc. Next are the primary risk drivers identified in the quantitative analysis: the issues or gaps that increase the frequency or magnitude of attacks.

Next is a range of risk estimated with FAIR. “It’s a zero-to-ten scale so we’ve translated that quantitative assessment to qualitative,” Michael said, “but still harnessed the value of FAIR to say ‘here’s an accurate range of how much risk we actually have with these specific scenarios.’”

On the right are the projects proposed to mitigate the identified risks. “Typically, when going to a board-level presentation, you want to go in with solutions,” and show how the projects tie into the CIO or CISO priorities and ultimately the corporate KPIs.

[Chart: FAIRCON21 - Board Reporting Chart - Prioritize Vulnerability Management]

Johann’s board-ready slide sets the output of FAIR quantitative analysis, annualized loss expectancy (ALE), in a relatable context, in this case demonstrating how the team uses FAIR to prioritize vulnerability management. A presenter can walk the audience through an explanation of the threat actors, the vulnerability, the controls, the asset at risk and finally the loss exposure and the probable risk reduction of alternative treatments.

“Having an example like this helps them to visualize what’s at risk, what’s the probability of the impact, what mitigation options you can leverage to remediate or manage that risk,” Johann said. “Then it’s going back and tying those key projects that we can apply to manage or remediate this issue across the board.”
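As an added illustration of the two slides above (not code from the panel or the presenters), the following computes a FAIR-style ALE range for one vulnerability scenario, ranks alternative treatments by the risk reduction they buy per dollar, and translates the dollar figure onto a 0-to-10 board scale. Assumptions are mine: each factor is a calibrated min / most-likely / max estimate treated as a triangular distribution, loss event frequency and loss magnitude are independent, the scale maps ALE against a loss tolerance set by the board, and all figures are constructed.

```python
# Added example, not from the FAIRCON21 panel. Assumptions: triangular estimates,
# independent LEF and LM, and a 0-10 scale defined as ALE relative to a tolerance.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate (triangular distribution)."""
    low: float
    likely: float
    high: float

    @property
    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Estimate  # loss event frequency: loss events per year
    lm: Estimate   # loss magnitude: dollars per loss event


def ale(s: Scenario) -> dict:
    """Annualized loss expectancy = LEF x LM, reported as a min / expected / max range."""
    return {"min": s.lef.low * s.lm.low,
            "expected": s.lef.mean * s.lm.mean,
            "max": s.lef.high * s.lm.high}


def board_score(expected_ale: float, tolerance: float) -> int:
    """0-10 scale for the board: 10 means expected ALE at or above the loss tolerance."""
    return min(10, round(10 * expected_ale / tolerance))


def risk_reduction(before: Scenario, after: Scenario) -> float:
    return ale(before)["expected"] - ale(after)["expected"]


def rank_treatments(base: Scenario, treatments: dict, tolerance: float) -> list:
    """Rows of (name, cost, reduction, reduction per dollar, score after), best value first."""
    rows = []
    for name, (cost, treated) in treatments.items():
        red = risk_reduction(base, treated)
        rows.append((name, cost, red, red / cost, board_score(ale(treated)["expected"], tolerance)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample: an unpatched internet-facing service (hypothetical figures).
BASE = Scenario("Exploit of unpatched service", Estimate(0.2, 0.5, 1.0), Estimate(100_000, 400_000, 1_500_000))
TOLERANCE = 500_000  # hypothetical annual loss tolerance agreed with the board
TREATMENTS = {  # name: (annual cost, scenario after the treatment)
    "Patch within SLA": (60_000, replace(BASE, lef=Estimate(0.02, 0.05, 0.2))),    # fewer loss events
    "Segment + monitor": (150_000, replace(BASE, lm=Estimate(20_000, 80_000, 300_000))),  # smaller losses
}
```

Patching cuts the loss event frequency and ranks first on reduction per dollar; segmentation cuts the loss magnitude instead, which is the comparison a presenter walks the board through.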

Watch the complete video of the session on board reporting -- register now at no charge to view all the FAIRCON21 sessions on video. 
