FAIR Institute San Francisco Chapter Chair Tony Martin-Vegue recently published a blog post, “Six Levers that Quietly Change Your Risk and How to Spot Them,” that is an intriguing complement to the FAIR Controls Analytics Model (FAIR-CAM).
FAIR-CAM provides a richly detailed categorization of controls and their capability to affect risk singly or together. Tony starts from the premise that “controls are just one lever, and often not the biggest one. Most changes in risk come from forces far outside your walls.”
The blog post identifies six of what might be called environmental forces acting on cyber risk. Tony assesses each for its effect on the familiar FAIR parameters, loss event frequency and loss magnitude. Here are the six, with a few of the many examples Tony gives:
1. Internal Security Posture & Control Effectiveness
For example, switching to passkeys or other controls reduces frequency and magnitude, but control configuration drift raises them.
2. Business and Operating Model Changes
M&A could cut either way, depending on whether you’re acquiring a risky subsidiary or divesting one.
3. External Threat and Regulatory Landscape
Risk magnifiers could be shifts in regulatory activity or threat-actor capability.
4. Incident and Near-Miss Learnings
5. Improved Visibility
6. Risk Appetite Governance and Insurance Terms
Read Tony’s blog post for the full list.
“Bottom line,” Tony writes, “if any of these levers have shifted since your last assessment, expect the math to move. Update the model and your assumptions before the headlines do it for you.”