Synopsis: The Common Vulnerability Scoring System (CVSS) is used throughout various industries for scoring vulnerabilities based on several metrics. These metrics focus on confidentiality, integrity and availability, the very well known CIA triad ingrained in the mentality of cybersecurity professionals and extends to maturity and environmental when and where the additional information is required.
It’s an issue that comes up again and again at FAIR conferences, chapter meetings, webcasts or discussion boards: “I get the value of FAIR quantitative risk analysis – but I don’t know how or where I could start implementing it.”
I’ve observed an epidemic that is endemic to perfectionists and newer practitioners of quantitative cyber risk analysis: analysis paralysis. Here are some of the symptoms:
In basic terms, a company’s “risk appetite” is the level of risk the organization sees as acceptable. Not surprisingly, some use the phrase “risk tolerance” interchangeably with “risk appetite” (there is an important difference: "tolerance" is how far off "appetite" the organization will go).
Risk register has become a dirty phrase. It is a catch-all for any concern that keeps an executive up at night. Items such as “insiders”, “the Cloud”, and “data loss” adorn risk registers in organizations across industries. FAIR trained or not, it does not take a risk expert to tell you those items are not actionable.
Industry guidelines and standards often strongly recommend or even require a “risk assessment” to satisfy various regulatory and compliance requirements. However, not all assessments are created equal as one entity’s assessment of risk may be another’s control evaluation.
The FAIR Institute is excited to announce our nomination in the 2019 Advisen Cyber Risk Awards for the brand-new category of "Cyber Risk Model of the Year."
New England FAIR Chapter Co-Chair, and Vice President for Enterprise Cybersecurity at Fidelity Investments, the giant ($7.4 trillion in customer assets) mutual fund company, Jim Robert has been a FAIR practitioner for three years.
I’ve heard critics of quantitative risk analysis challenge the approach, stating that it is “too difficult”, “time consuming” or that their organization is “simply not mature enough for quantification.” In my experience, a majority of such arguments can be addressed by revisiting a few fundamental FAIR concepts.
The FAIR Institute hosted its annual FAIR Breakfast in San Francisco in conjunction with the RSA Conference, featuring a panel of experienced FAIR practitioners. Scroll down the page for the videos – watch for a wealth of tips on starting and running a quantitative risk analysis program.
