Watch this webinar for a fresh look at analyzing and acting on cyber risk, as FAIR Institute Chairman and FAIR model creator Jack Jones, applies “situational awareness” from the world of the military to the cyber world.
Watch Cyber Risk Through a Cyber Situational Awareness Lens - Webinar with Jack Jones (requires a FAIR Institute membership and participation in the LINK site for members-only resources). Join the Institute now.
“The military lives and breathes risk management,” Jack says, and there are important lessons to be learned in how it breaks down risk to support rapid decision-making. The situational awareness doctrine covers three phases
- SA Level 1 – perception of the elements in the environment (data)
- SA Level 2 – comprehension of the current situation (synthesis into a whole picture)
- SA Level 3 – projection of the future (forecasting)
In preparing for war or cyber attack, “the better we are at these three things, the better we will be at decision making,” Jack says. “Using this construct, we have a better understanding of the data, how the data combine to more accurately portray our real condition, and that drives our ability to make decisions based on that forecast.”
In the current economy, with cybersecurity budgets likely to get cut, “forecasting” could mean prioritizing and choosing which controls to retain and focus on. “But there’s a huge signal-to-noise problem in our industry,” starting with SA Level 1: limited visibility into assets, controls and threats. Most importantly, Jack says, many organizations haven’t identified their crown jewel assets.
On SA Level 2, there’s another noise problem: over-reliance on best practices checklists and high-medium-low qualitative models in place of critical thinking and a model such as FAIR. With the first two situational awareness levels hobbled, SA Level 3, informed decision-making, doesn’t get off the ground.
Jack runs through in detail, a use case of applying situational awareness to cyber risk decision-making, with the example of an XSS vulnerability found in a client-facing web app—how much should you care and how quickly should it be fixed?
And towards the end of the webinar, Jack introduces something new: a FAIR-based way to think through the control opportunities along a loss event chain of events. See the chart below.
Watch Cyber Risk Through a Cyber Situational Awareness Lens - Webinar with Jack Jones (requires a FAIR Institute membership and participation in the LINK site for members-only resources). Join the Institute now.
Related:
Jack Jones on How the COVID-19 Pandemic Is Likely to Affect Cybersecurity Programs
