If you’re ready to start cyber risk quantitative analysis, you should know about the FAIR Materiality Assessment Model (FAIR-MAM), the recent addition to the FAIR toolkit that quantifies loss in cyber incidents.
Starting with 10 high-level modules of loss (proprietary data loss, business interruption cyber extortion, etc.) and drilling deep into the loss drivers of each module, FAIR-MAM guides you to enter loss data specific to your organization and industry and enables you to make highly accurate estimates for the right-side “Loss Magnitude” of the FAIR model.
Webinar on Demand: FAIR-MAM™: Your (Not-So) Secret Tool to Build Defensible Resiliency
Watch this webinar for an introduction to the FAIR Materiality Assessment Model (FAIR-MAM) by two leading authorities on FAIR and one expert practitioner:
- Erica Eager, Sr. Director, Risk Quantification, at SAFE, principal architect of FAIR-MAM
- Pankaj Goyal, Director, Standards and Research, FAIR Institute
- Pierre Olodo, Senior Lead, Cyber Risk at Richemont luxury goods manufacturer
Some highlights from the webinar:
1. Key Points about FAIR-MAM
As Erica explained, FAIR-MAM is
Fully FAIR compliant, ready to plug in as loss values to the Loss Magnitude side of any FAIR analysis
”MECE” - The loss categories (or cost modules) are Mutually Exclusive and Comprehensively Exhaustive and can handle any cost
Modular - Users can add any cost category or module to customize FAIR-MAM to their organization, without changing the model
Aligned with corporate financial statements, such as P&L and balance sheet, so cyber risk analysis takes on true meaning to the organization.
2. How to Get Started with FAIR-MAM
Pierre shared his steps for implementing the model at Richemont, starting with test cases.
–Look through your FAIR-compliant risk scenarios in your risk register. ”Choose your battles,” he says: focus on two or three risk scenarios you know well and have already figured the impact with the Six Forms of Loss.
–Identify the FAIR-MAM cost categories that match the forms of loss identified in your risk scenarios
–Identify the subject matter experts in the organization who can supply the best data
–Expect some surprises as you drill down to a deeper level than before. Pierre gave the example of costing out breach notifications for customers, ranging from email to snail mail, numbers he had never gathered before.
–Re-run the risk scenarios and see how the FAIR-MAM versions compare to the previous analysis results.
–”Do it step by step; don’t try to apply everything” to start.
3. Benefits of FAIR-MAM
Erica has seen these positive effects at organizations she has worked with:
–Better preparation for risk assessments by better defining areas of probable loss.
–Better defense of results; you can point to the organization’s own SMEs as the sources of data
–Better stakeholder management. The process of information gathering to fill out an organization’s version of FAIR-MAM creates buy-in from across organizational silos. “Often it starts a discussion among experts in the company that they have never had before,” Erica said.
–Builds resiliency. Pankaj said “resiliency is cross-functional…FAIR-MAM enables you to bring stakeholders to the same table and agree what resilience means in numbers.”
4. FAIR Institute Members Continue to Evolve FAIR-MAM
Next development: tuning FAIR for third-party risk management. “To manage thousands of vendors it needs to be drastically simplified,” Erica commented. “That requires a tremendous amount of industry benchmarking. We are carefully curating tens of thousands of attacks to extract industry benchmark values.”
Watch the Webinar on Demand: FAIR-MAM™: Your (Not-So) Secret Tool to Build Defensible Resiliency
