As an advocate for FAIR, I spend a great amount of time preaching the benefits of quantitative risk analysis over the qualitative approach. Ranking of risks 1-5 or red-yellow-green based on subjective judgments doesn’t measure up (literally) to a standard model like FAIR that produces consistent results expressed as probabilities.
A busy week at the RSA Conference for the FAIR Institute. Tuesday at the SC Awards ceremony, the FAIR Institute received the extraordinary honor of being named one of the Most Important Industry Organizations of the Last 30 Years.
Yesterday, while speaking to a university cybersecurity class, I was accused of being pedantic when I pointed out a problem with the phrase “The risk of that impact…”
In a cover story for the National Association of Corporate Directors Directorship Magazine, James Lam – independent director on the RiskLens board, leader of the risk committee for the E*TRADE board, and FAIRCON18 keynoter – writes that board directors generally believe that business-disrupting (and even business-killing) risks are much more important now than five years ago
This year’s RSA Conference, Monday-Friday, March 4-8, in San Francisco is a great opportunity to hear some of the world’s best thinkers and doers in and around the FAIR movement and advanced techniques in risk management in general.
FAIR model creator Jack Jones recently answered a FAIR Institute member's question about terminology that's one of those easily confused yet critical distinctions in cyber risk management: What's the difference between a security exception (or policy exception) and risk acceptance?
What would you like to see in the FAIR Institute blog that would most advance your knowledge, skills and awareness of FAIR and the fast-growing movement for critical thinking and quantification in risk analysis?
When I saw Jack Jones present on FAIR at an IANS Research Forum several years ago, it was like a light bulb went off in my head. I immediately ordered the FAIR book and began a cover-to-cover reading, twice. I had been unsatisfied with existing methods to assess privacy risks and I was excited to apply my new-found knowledge of FAIR to privacy.
In an article for Forbes Technology Council, “Two Frameworks For Securing A Decentralized Enterprise,” Ian Amit, Chief Security Officer at Cimpress (parent company of Vistaprint), tells how he combines the NIST CSF and the FAIR model to handle a challenging situation
The Securities and Exchange Commission, the European Union and the International Monetary Fund all pointed cyber risk managers toward cyber risk quantification in 2018