Army documents marked Top Secret…data on 14 million Verizon customers…voter information on 198 million Americans…Just a few of the recent reports on data breaches—or open data discovered by security researchers before a breach occurred—on Amazon S3 “buckets”.
The new NIST 800-63-3 Digital Identity Guidelines and FAIR were “made for each other”, writes Chip Block, VP at Evolver, Inc., (the operator of large-scale security operations centers for government and business) in an article just published on The Security Ledger website -- the guidelines establish levels of security based on risk, and FAIR sets monetary values for the risk, enabling organizations to prioritize spending.
I just wrapped an engagement helping a really great customer identify their top ten risks. Talk about commitment: They organized a book club where members of Information Security, Privacy and Audit were actively studying the FAIR book, Measuring and Managing Information Risk.
At the last club meeting, somebody said “I love the FAIR model and risk quantification. But how do I apply this to the risks that face me and my department?”
When Tony Martin-Vegue, Cyber Risk Manager at National Mortgage Insurance, presented this case study on measuring Distributed Denial of Service (DDoS) risk at FAIR Conference 2016, the world was only a week away from one of the largest DDoS attacks in history to-date.
This case study by Laura Payne on 'Quantitative Risk Analysis & Information Security' does a very good job in explaining the journey of an organization like BMO, as it evolved from a 'High, Medium and Low' approach to measure and express risk to to a more scientific and quantitative approach.