If you’re looking to hire a cyber risk analyst – or if you are a risk analyst looking to up your game – I recommend reading Jack Jones’ new eBook An Executive’s Guide to Cyber Risk Economics where you’ll find the definitive checklist of skills required to do reliable risk analysis.
The NIST Cybersecurity Framework (NIST CSF) is one of the cornerstones – and most popular features – of US government policy to strengthen our nation’s cybersecurity. The hottest topic at the recent NIST workshop aimed at updating and refining the CSF was the development of metrics.
During the April meeting of the Operational Risk workgroup, the members continued working on a project to recast a list of top operational risks using the FAIR model. Quick recap of this effort so far: every year, you’ll find numerous lists of supposed “top risks” from various sources, but are they even risks?
The terms “risk appetite” and its close cousin “risk tolerance” are often poorly understood, very rarely used to good effect, and commonly used interchangeably.
In my previous post (No Data? No Problem) I discussed the question, “How do you make estimates when you have no data?” This post focuses on a related question – whether historical data can be relied upon to reflect the future.
FAIR Institute Member Wade Baker surveyed over a hundred CISOs and corporate board directors to find out just why these two groups have so much trouble communicating. The results are in the just released Cyber Balance Sheet from Wade’s Cyentia Institute and risk management firm Focal Point (FAIR Institute Chairman Jack Jones was a contributor).
“Think of all the advantages the bad guys have,” FAIR Institute Chairman Jack Jones tells an audience this week at the InfoSecWorld 2017 Risk Management Summit in Orlando.
“We have to protect a very complex and dynamic landscape. The bad guys can pick and choose what they want to go after. And we are giving them a gift.
A member of the FAIR Institute LinkedIn forum asked an important question the other day:
“I was wondering if there are any guidelines, rules-of-thumb, etc. on how to decide when something should end up in a risk register or should be handled differently.
NYSE-listed organizations are extending the use of the COSO standard and framework beyond the management of financial reporting risk as mandated by section 404 of the Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act (SOX).