In writing the FAIR-CAM™ white paper, I took a short detour from the complex landscape of cybersecurity to explain the new FAIR Controls Analytics Model™ with an analogy that almost anyone can relate to.
The Apache Log4j security vulnerability uncovered recently is every cybersecurity defender’s nightmare - a zero-day exploited in a practically ubiquitous software library. Because zero-day exploits aren’t going away anytime soon, it’s important for organizations to increase their resilience to this type of change in the risk landscape.
In my last blog post on qualitative risk measurement, I discussed three key aspects that often make the difference between good measurements and bad measurements — scope, model, and data. I also pointed out that these apply to both qualitative and quantitative risk measurement.
What makes for a high-quality qualitative risk measurement? The answer is simple. We just have to go back to the scope, model, and data elements
Jack Jones, creator of Factor Analysis of Information Risk (FAIR™), the standard for quantitative analysis of cyber risk, introduced a new model, the FAIR Controls Analytics Model (FAIR-CAM™), for quantitative measurement of controls efficacy for risk reduction.
Jack Jones, creator of Factor Analysis of Information Risk (FAIR™), the international standard for quantification of cyber risk, gave an RSAC21 audience a preview of his breakthrough FAIR Controls Analytics Model (FAIR-CAM) that will, for the first time, enable security teams to reliably evaluate how controls affect risk in quantitative terms.
I’m thrilled with many of the provisions in the President’s recent Executive Order on Improving the Nation’s Cybersecurity. The tiered software security ratings system, the IoT consumer labeling, the cybersecurity review board, and the emphasis on sharing information on breaches and other cyber incidents, are all bold initiatives
State legislatures in Nevada, Ohio, Utah and Connecticut have passed or are in the process of passing “safe harbor” protection against negligence lawsuits for companies hit with a data breach – if the companies implement controls from a recognized cybersecurity framework.
As the popularity of cyber risk quantification (CRQ) grows, so grows the confusion in the marketplace about choosing the right cyber risk quantification solution among many with the CRQ label.
If you’re new to Factor Analysis of Information Risk (FAIR™), understand that it’s first of all a movement