When analysts don’t use a rigorous risk quantification model like FAIR to rate risks, and instead rely on mental models built up from years of habit, odd things happen.
Here’s one example I’ve seen many times while helping clients clean up their risk registers: virtually all risks are rated “medium.”
I’ve wondered why qualitative rating practices produce so many lukewarm results, so to speak, and this is what I think is going on (perhaps unconsciously) in the analysts’ minds when they make that choice:
- A high rating is a strong statement and draws unwanted attention to the risk from business management, who may demand a strong justification for the rating.
- A low rating will look foolish if something bad actually happens.
- “Medium” is therefore the safe way out.
What’s problematic here? There’s no way to prioritize among the pile of medium risks. Is one medium at the upper end of the band, a potential high that should be watched? No one can say, because nobody is measuring cyber or operational risk in terms that would support an informed decision. The analysis isn’t producing results the business can use, for instance on how any risk, medium or otherwise, stacks up against the organization’s risk appetite in dollar terms.
Read A FAIR View of Risk Appetite by Jack Jones, creator of the FAIR methodology.
With critical thinking and FAIR as a guide, risk analysis shops can pull themselves out of the medium trap. Working through a FAIR analysis means you:
- Look at the risk from different angles
- Collect the relevant data from subject matter experts
- Narrow in on a risk scenario built from a credible threat, a targeted asset, a probable impact and a probable frequency of occurrence
- Arrive at a specific risk with a quantifiable range of probable losses
You don’t have to carry the analysis all the way to the quantification stage to do a rough triage of your mediums. Just defining each item as a risk scenario that meets FAIR’s requirements can reveal the relative standing of the items on your list, and may show that some are not risks at all in the sense of being events that cause losses (I’m talking about “the cloud” or “passwords” and other clutter that accumulates in risk registers).
And you can go beyond that, if you want, by moving to quantitative risk analysis with FAIR as the model for your data inputs. A risk quantification tool that runs Monte Carlo simulations on top of FAIR lets you express risk in financial terms.
Add a loss exceedance chart for an extra boost in confidence, as in this example from RiskLens. The curve shows the probability that loss over a period (here, a year) exceeds a given amount; in the example, there is a 10% probability of a loss exceeding $300,000.
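To make the last two steps concrete, here is an added example (my own code, not the post's and not RiskLens software) of a minimal FAIR-style Monte Carlo. It takes the scenario definition the list above calls for (threat, asset, effect, plus calibrated min / most likely / max estimates for loss event frequency and loss magnitude), simulates annual loss, ranks several "medium" scenarios against each other, and computes the loss exceedance curve that the chart plots. The scenario names and dollar figures are constructed for illustration; the choice of PERT distributions for the estimates and Poisson event counts per year are my assumptions, not something the post specifies.

```python
"""
Added example (not from the original post or RiskLens): a minimal FAIR-style
Monte Carlo that turns calibrated min / most-likely / max estimates into an
annualized loss distribution and a loss exceedance curve.

Assumptions (mine, not the post's): PERT-shaped distributions for the
estimates, Poisson event counts given the sampled loss event frequency, and
constructed scenario numbers chosen only for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A FAIR-style loss scenario: a threat acting on an asset with a given
    effect, plus (min, most likely, max) estimates for loss event frequency
    (events per year) and loss magnitude per event (dollars)."""
    name: str
    threat: str
    asset: str
    effect: str
    lef: tuple    # (min, most_likely, max) events per year
    loss: tuple   # (min, most_likely, max) dollars per event


def pert(rng, low, mode, high, lam=4.0):
    """Modified-PERT sample: a Beta on [low, high] shaped by the most-likely value."""
    if high == low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(rng, lam):
    """Knuth's algorithm; adequate for the small annual frequencies used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, iterations=10_000, seed=7):
    """Return one simulated annual loss per iteration (a list of dollars)."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    annual = []
    for _ in range(iterations):
        events = poisson(rng, pert(rng, *scenario.lef))
        annual.append(sum(pert(rng, *scenario.loss) for _ in range(events)))
    return annual


def exceedance_curve(losses, thresholds):
    """P(annual loss > t) for each threshold t: the loss exceedance curve."""
    n = len(losses)
    return {t: sum(1 for x in losses if x > t) / n for t in thresholds}


def summarize(losses):
    """Mean and a few percentiles of the simulated annual loss."""
    s = sorted(losses)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {"mean": sum(s) / len(s), "p50": pct(0.5), "p90": pct(0.9), "max": s[-1]}


def rank(scenarios, iterations=10_000, key="p90"):
    """Triage a pile of 'mediums': order scenarios by a statistic of annual loss."""
    results = {sc.name: summarize(simulate(sc, iterations)) for sc in scenarios}
    return sorted(results.items(), key=lambda kv: kv[1][key], reverse=True)


# Constructed scenarios; both would plausibly land on "medium" in a qualitative scheme.
SCENARIOS = [
    Scenario("Ransomware on file servers", "cybercriminal", "file servers",
             "availability", lef=(0.1, 0.5, 2.0), loss=(50_000, 200_000, 1_000_000)),
    Scenario("Insider exfiltration of customer data", "privileged insider",
             "customer database", "confidentiality",
             lef=(0.02, 0.1, 0.5), loss=(100_000, 500_000, 3_000_000)),
]

if __name__ == "__main__":
    for name, stats in rank(SCENARIOS):
        print(f"{name}: mean ${stats['mean']:,.0f}  p90 ${stats['p90']:,.0f}")
    curve = exceedance_curve(simulate(SCENARIOS[0]), [0, 100_000, 300_000, 1_000_000])
    for t, p in curve.items():
        print(f"P(annual loss > ${t:>9,}) = {p:.1%}")
```

The exceedance values are what the chart plots: read off the threshold where the curve crosses 10% and you have the "10% probability of a loss exceeding $X" statement. Note how the triage output depends on the statistic you rank by; a scenario with rare but severe events can sit below a frequent, cheaper one on mean annual loss and above it on the tail, which is exactly the distinction a single "medium" label erases.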
With a solid model and hard numbers to show, you’re no longer looking for the safe way out; you’re producing risk estimates that move decision-making in your organization forward.