The new NIST 800-63-3 Digital Identity Guidelines and FAIR were “made for each other”, writes Chip Block, VP at Evolver, Inc. (the operator of large-scale security operations centers for government and business), in an article just published on The Security Ledger website: the guidelines establish levels of security based on risk, and FAIR sets monetary values for the risk, enabling organizations to prioritize spending.
UPDATE: The FAIR-U training app is now available. Get access to the web app now.
At the FAIR Conference in mid-October, the FAIR Institute will introduce FAIR-U, our first officially sanctioned training application for running FAIR risk analysis, guaranteed to correctly leverage the FAIR model.
Precise definitions of the factors that go into an accurate risk analysis – that may be the bottom-line advantage of the FAIR approach. For a great example, take Vulnerability, which is most often loosely defined as “weakness”; FAIR gives it a more focused and useful meaning: “the probability that a threat event will become a loss event.”
Since our founding, The FAIR Institute has received an increasing number of requests to create an information risk management course based on FAIR. We are responding to those personal requests, and to a market demand, to help create risk analysts who are well trained and well versed in quantitative risk analysis.
I regularly read blog posts or encounter people in our profession who dismiss quantitative cyber risk measurement as “guessing”, or “nothing more than feelings” (cue the Morris Albert song). Since this is such a common concern, I thought it would be worthwhile to examine this issue of what's subjective, what's objective and what falls between.
Do you want to hear from and network with the best in the risk management industry? The 2017 FAIR Conference is going to be a powerful event that brings together the world’s top FAIR practitioners. Here are just some of the great speakers that you will meet and hear from at the conference.
With over 100 responses already, we would like to extend the opportunity to participate in the 2017 Risk Management Maturity Survey to all risk management professionals.
I recently had a conversation with clients around a risk analysis they conducted and noticed as they walked me through it that they seemed to get hung up on the terms “inherent risk” and “residual risk” and what inherent risk represented in that particular scenario.
The first big step in a risk analysis is scoping. Each part of the analysis process builds on the other so if you get scoping wrong, the rest of your analysis is on shaky ground at best. Remember, scoping is where you clearly:
FAIR Institute Board Member Wade Baker started the Verizon Data Breach Investigations Report (DBIR), the granddaddy of cybersecurity incident reporting, and still the leading source of hard data on the threat landscape.