The generally accepted model for risk is that it is a function of frequency (some refer to it as probability or likelihood, i.e., how often the loss event will probably occur in a given time frame) and magnitude (how bad the event will probably be, consequences).
Quantifying risk scenarios using quantitative analyses helps in understanding the exposure to specific risks; however, building a portfolio of quantified risks to understand and manage a company’s risk landscape comes with additional challenges.
Strange, unusual, media-worthy vulnerabilities and cyberattacks… they seem to pop up every few months or so and send us risk managers into a fire drill. The inevitable questions follow:
The recent SolarWinds and Microsoft security issues remind us of the importance of Third-Party Risk Management (“TPRM”). If your organization is using a one-scorecard-fits-all approach to TPRM, you may be wasting resources
Every few months or so, we hear about a widespread vulnerability or cyber attack that makes its way to mainstream news. Some get snappy nicknames and their very own logos
In this blog post, I will share my thoughts on why cyber risk is considered a board level fiduciary responsibility, the need for a globally sourced set of board level cybersecurity best practices
I wear my ‘FAIR™ evangelist’ badge proudly. I have had the opportunity to present quantitative risk analysis to a variety of audiences
One of the keys to consistency when using the FAIR™ model is using the same magnitude across cyber loss data analyses. Particularly when using it for a risk assessment where the goal is to be compliant with regulations and compare the applications to each other, it is reasonable and “fair” to use consistent magnitude amounts.
In March 2019, I passed the ISACA CRISC exam and got certified the next month. The CRISC is a great certificate because it shifts your mindset and helps you to establish standardized information risk management practices.
However, I decided not to stop there, but to further search for holistic and effective standards for cyber risk quantification
Targeting can be applied to the following tasks in the investment decision process based on the potential financial loss against an asset:
- Prioritizing the risk assessment scope
- Prioritizing the recommendations on remediation actions