Who Uses FAIR? Six Organizations Leading the Way on Cyber Risk Quantification
We have a deep bench of organizations practicing Factor Analysis of Information Risk (FAIR™) represented by the 11,000+ members of the FAIR Institute. Here’s a small sample of public and private enterprises that have shared details on their FAIR programs with our membership.
1. Fidelity Investments
“We’ve taken the step to start to build a structured risk assessment program that looks at metrics as they come in, how they map to the FAIR factors like Threat Event Frequency, how they map to the scenarios we’ve built out, whether it’s a privileged insider taking adverse action or a hacker breaking into your systems. It gives us that framework to do some repeatable risk assessments.”
--Tim Titcomb, VP – Technology Risk
2. Highmark Health
“I made it a requirement that every single director and manager within the security program had to take the certification. Then that becomes the common language that we can use to talk to each other.”
--Omar Khawaja, CISO
3. Netflix
Netflix deploys FAIR risk analysis for decision support at three levels:
- Tier 1 – Strategic decisions – major issues for the company with long time frames. Example: Analysis of in-house vs. outsourced code development
- Tier 2 – Tactical decisions – cost vs. benefit of decisions with one-year time frames. Example: Third party service choices.
- Tier 3 – Operational decisions – detailed analysis of large numbers of individual assets. Example: Endpoint protection alternatives (AV software, DLP, etc.).
--Tony Martin-Vegue, Sr. Information Security Risk Engineer
“People come in with an edge case and say XYZ is a huge problem and now the end of the world is coming. By going to the FAIR taxonomy and asking questions like ‘How often has the end of the world truly happened? What threat would cause the world to end?’, more often than not we come to the conclusion that the issue at hand is not really a priority. That five minutes spent verbally going through the taxonomy has probably helped me save hundreds of hours.”
-- Sarina Hothi, Security Program Manager
5. Hewlett Packard Enterprise (HPE)
“If you can boil [risk] down to the specific loss event scenarios that resonate with business leaders, they can understand the disruption of your critical service which is supporting their business goal. They can then start to talk about the event in ways that open your eyes as the risk analyst and really give you detail to things you would not have thought of. FAIR is great for that.”
--Drew Simonis, VP, Global Security
6. National Aeronautics and Space Administration (NASA)
“We now have people coming to us asking how they can get support for doing risk assessments. They’re asking, ‘Can you help us solve a business problem? Can you help us know what to prioritize first?’ That's never happened before.”
--Cody Scott, Chief Cyber Risk Officer