Hat tip to the members of the FAIR Institute who have done so much to develop FAIR™ as the standard for quantitative cyber risk analysis – and a special recognition medal to the team of volunteers who mapped the new FAIR-CAM controls analytics model
Cyber risk analysis must scale to meet the rising challenges of cybersecurity, and automation of quantitative analysis will get us there.
Automating quantitative cyber risk analysis – pulling together updated controls telemetry, threat intel, asset data, audits information and more to produce always-on analytics
Contributing to the National Institute of Standards and Technology (NIST) effort to update the Cybersecurity Framework (NIST CSF), the FAIR Institute sent a proposal to help align the framework with the FAIR Controls Analytics Model (FAIR-CAM™)
Jack Jones introduced FAIR-CAM™, the FAIR Controls Analytics Model, to challenge the cybersecurity profession to move beyond its reflexive focus on cybersecurity controls lists
FAIR standard creator Jack Jones spoke this week at the 2022 RSA Conference with the message that the future of risk measurement and management is (drum roll) artificial intelligence and automation. You might have heard the same in vendor booths on the show floor, but not like Jack told it: The industry won’t get there without a major shift left
Since Jack Jones introduced the FAIR Controls Analytics Model (FAIR-CAM™) at the 2021 FAIR Conference, “I get asked all the time, ‘Can we take our NIST CSF scores and plug them into FAIR-CAM and measure controls efficacy and risk reduction value?’”
If you search the FAIR Institute blog, you will find several posts about Inherent Risk, each highlighting fundamental problems with the standard definition for Inherent Risk and offering insights and advice regarding how to better define and use it. To save you the trouble of finding and reading old posts, I’ll boil them down:
A study sponsored by the National Science Foundation and reported in the Harvard Business Review, Research: Why Employees Violate Cybersecurity Policies, identified a wide disconnect between the demands of cybersecurity and the reality of day-to-day work for employees – one of the key gaps that the new FAIR Controls Analytics Model™ (FAIR-CAM™) is intended to help close.
In writing the FAIR-CAM™ white paper, I took a short detour from the complex landscape of cybersecurity to explain the new FAIR Controls Analytics Model™ with an analogy that almost anyone can relate to.
