Learn the basics of Factor Analysis of Information Risk (FAIR™) and the case for risk quantification from FAIR creator Jack Jones, see FAIR analysis in action and hear practical tips from experienced builders of FAIR programs in this three-part, 2.5-hour seminar presented online by the FAIR Institute at the 2021 RSA Conference (RSAC21).
FAIR Institute members can watch the seminar on demand here: How to Manage and Communicate Cyber Risk in Business Terms - FAIR Institute Association Seminar at RSAC21. Not a member yet? Join here (it’s free to individuals with an interest in information risk management).
Here’s an outline of this FAIR short course presented at the RSA Conference:
An Introduction to FAIR with Jack Jones, Chairman, FAIR Institute
- The problem: Organizations can’t prioritize risk management activities because they can’t effectively measure risk.
“Until we’re able to prioritize reliably, we won’t have good odds against the threats we face,” Jack says.
- Defects of “qualitative” risk analysis – Your “red” is not my “red”
- Why the classic formula, Risk = Likelihood x Impact, is wrong
- How to define loss event scenarios that can be analyzed
- The key elements of a risk measurement: Scope, Model, Data
- How to clearly scope a risk for analysis
- Introduction to the FAIR model
- How to overcome “But we don’t have enough data”
- Use case: Which “high risk” should we fix first?
Learn beginner and advanced quantitative risk management techniques with FAIR training endorsed by the FAIR Institute.
3-Step Guide to How Cyber Risk Quantification Can Solve Your Business Problems – A FAIR Approach with Rebecca Merritt, Senior Manager, RiskLens
Use case: Should a healthcare organization upgrade its electronic health records (EHR) system? As the CIO says, “There’s so much the system touches, we don’t even know where to start.”
- Step 1: Identify and prioritize top cybersecurity risks as a baseline for future investment decisions. See how FAIR analysis reveals a range of probable losses, broken down by loss types.
- Step 2: Cost-benefit assessment: Evaluate ROI of security investments related to the top cybersecurity initiatives to enable better prioritization. See how six controls under consideration compare for risk reduction in dollars.
- Step 3: Communicate results to the business to drive cost-effective decision-making, including a proposed rollout plan for controls, with projected cost savings over time.
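To make the three steps concrete, here is a small FAIR-style Monte Carlo model written for this post; it is an added example, not code from the seminar, RiskLens or the FAIR Institute, and every number in it is a constructed, hypothetical estimate rather than data from any organization. It also illustrates the point made in the introduction above: risk is not a single Likelihood x Impact number but a distribution produced from a scoped scenario, a model (here LEF = TEF x Vulnerability, with primary and secondary loss per event) and calibrated data ranges. Step 1 is `summarise`, which reports annualized loss expectancy and a percentile spread; Step 2 is `compare_controls`, which ranks candidate controls by risk reduction in dollars net of cost; Step 3 is the printed table. A triangular distribution stands in for the PERT distribution FAIR tools commonly use, and the scenario and control names are invented.

```python
"""FAIR-style Monte Carlo: loss exposure for one scenario plus a cost/benefit
ranking of candidate controls. All estimates below are constructed examples."""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max range for one FAIR factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for the PERT distribution FAIR tools typically use.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One scoped loss-event scenario (asset, threat, effect) in FAIR terms."""
    name: str
    tef: Estimate             # Threat Event Frequency, events per year
    vulnerability: Estimate   # P(threat event becomes a loss event), 0..1
    primary_loss: Estimate    # dollars per loss event (response, replacement, ...)
    secondary_loss: Estimate  # dollars per loss event (fines, customer churn, ...)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual event rates of a scenario."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scn: Scenario, years: int = 4000, seed: int = 1) -> list[float]:
    """One simulated total loss per year: LEF = TEF x Vulnerability decides how
    many loss events occur, and each event draws its own primary + secondary loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = scn.tef.sample(rng) * scn.vulnerability.sample(rng)
        n_events = poisson(rng, lef)
        losses.append(sum(scn.primary_loss.sample(rng) + scn.secondary_loss.sample(rng)
                          for _ in range(n_events)))
    return losses


def percentile(values: list[float], pct: float) -> float:
    ordered = sorted(values)
    return ordered[int(round(pct / 100 * (len(ordered) - 1)))]


def summarise(losses: list[float]) -> dict[str, float]:
    """The 'range of probable losses' a FAIR report shows: ALE plus its spread."""
    return {"ale": sum(losses) / len(losses),   # annualized loss expectancy
            "p10": percentile(losses, 10), "p50": percentile(losses, 50),
            "p90": percentile(losses, 90), "max": max(losses)}


@dataclass(frozen=True)
class Control:
    """A candidate control: which scenario factor it changes, and its annual cost."""
    name: str
    annual_cost: float
    changes: dict  # Scenario field name -> new Estimate

    def apply(self, scn: Scenario) -> Scenario:
        return replace(scn, **self.changes)


def compare_controls(scn: Scenario, controls: list[Control], years: int = 4000, seed: int = 1):
    """Rank controls by net annual benefit = risk reduction (in dollars) - cost."""
    baseline = summarise(simulate_annual_losses(scn, years, seed))["ale"]
    rows = []
    for c in controls:
        treated = summarise(simulate_annual_losses(c.apply(scn), years, seed))["ale"]
        rows.append({"control": c.name, "baseline_ale": baseline, "treated_ale": treated,
                     "risk_reduction": baseline - treated, "annual_cost": c.annual_cost,
                     "net_benefit": baseline - treated - c.annual_cost})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed, hypothetical scenario and controls for a healthcare EHR system.
EHR_OUTAGE = Scenario(
    name="Ransomware renders the EHR system unavailable",
    tef=Estimate(1, 3, 6), vulnerability=Estimate(0.2, 0.4, 0.7),
    primary_loss=Estimate(20_000, 80_000, 300_000),
    secondary_loss=Estimate(0, 20_000, 150_000))
CANDIDATE_CONTROLS = [
    Control("Phishing-resistant MFA", 60_000, {"vulnerability": Estimate(0.05, 0.10, 0.25)}),
    Control("Immutable backups + tested restore", 40_000,
            {"primary_loss": Estimate(10_000, 30_000, 100_000)}),
    Control("Annual awareness training only", 15_000,
            {"vulnerability": Estimate(0.18, 0.38, 0.68)}),
]

if __name__ == "__main__":
    print(summarise(simulate_annual_losses(EHR_OUTAGE)))
    for row in compare_controls(EHR_OUTAGE, CANDIDATE_CONTROLS):
        print(f"{row['control']:<38} reduction ${row['risk_reduction']:>10,.0f}"
              f"  net ${row['net_benefit']:>10,.0f}")
```

The output is the kind of table Step 3 calls for: each control beside its dollar risk reduction and net benefit, so a CIO can see which of the six (here three) candidates to roll out first without anyone translating "high" and "red". Because every input is a range, the report can also show how much of the baseline exposure sits in the tail (p90, max) rather than at the mean.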
How to Build a Quantitative Risk Management Program with FAIR – Expert Panel from Horizon BCBS of New Jersey, Datto, IBM and Protiviti
Nicola (Nick) Sanna, President of the FAIR Institute, guided this panel discussion, full of practical tips from these FAIR experts:
- Damon Becknel, Vice President and Chief Information Security Officer, Horizon Blue Cross Blue Shield of New Jersey
- Julian Meyrick, Managing Partner & Vice President, Security Transformation Services, IBM Security
- George Quinlan, Senior Manager - Security & Privacy, Cyber Risk Quantification, Protiviti, Inc.
- Jack Whitsitt, Risk Manager, Datto
Among the questions answered:
- What driver led your organization to launch a FAIR program?
- What kinds of business decisions has your program enabled?
Julian Meyrick: “How do you quantify the risk associated with mergers and acquisitions? That’s a huge headache for many CISO clients; they face breaches within weeks of bringing the acquisition on board … And on the IT side, looking at the journey to the cloud and zero trust – how can you quantify the risk associated with that and set yourself up to be cyber resilient?”
- What are the main enablers of a successful FAIR program?
- What were your main obstacles to introducing FAIR?
Jack Whitsitt: “Learning how to do FAIR is not that hard; getting data is actually easier than most people think; it’s making a sustainable program that’s potentially difficult.”
- What was a quick win from FAIR analysis that helped to win over your organization?
- What advice would you give organizations that want to start a FAIR program?
George Quinlan: “Just get started; don’t get bogged down in little details. FAIR will scale with you.”
Gain a quick introduction to FAIR risk analysis and the power of quantitative cyber risk management – watch the seminar: How to Manage and Communicate Cyber Risk in Business Terms - FAIR Institute Association Seminar at RSAC21.