Who Uses FAIR? Six Organizations Leading the Way on Cyber Risk Quantification

We have a deep bench of organizations practicing Factor Analysis of Information Risk (FAIR™) represented by the 11,000+ members of the FAIR Institute. Here’s a small sample of public and private enterprises that have shared details on their FAIR programs with our membership. 

1. Fidelity Investments 

“We’ve taken the step to start to build a structured risk assessment program that looks at metrics as they come in, how they map to the FAIR factors like Threat Event Frequency, how they map to the scenarios we’ve built out, whether it’s a privileged insider taking adverse action or a hacker breaking into your systems. It gives us that framework to do some repeatable risk assessments.”

--Tim Titcomb, VP – Technology Risk

Meet a Member Podcast: Tim Titcomb, VP, Technology Risk, at Fidelity Investments  

FAIRCON19 Video: Use Case Panorama – FAIR™ Practitioner Success Stories from Fidelity and More


2. Highmark Health 

Omar Khawaja Highmark Health FAIRCON 2018 (2)“I made it a requirement that every single director and manager within the security program had to take the certification. Then that becomes the common language that we can use to talk to each other.”

--Omar Khawaja, CISO 

Meet a Member: Omar Khawaja, Introducing FAIR to Highmark Health

FAIR Training and Certification – Take Your Career to the Next Level


3. Netflix

Netflix deploys FAIR risk analysis for decision support at three levels:

  • Tier 1 – Strategic decisions – major issues for the company with long time frames. Example: Analysis of in-house vs. outsourced code development
  • Tier 2 – Tactical decisions – cost vs. benefit of decisions with one-year time frames. Example: Third party service choices.
  • Tier 3 – Operational decisions – detailed analysis of large numbers of individual assets. Example: Endpoint protection alternatives (AV software, DLP, etc.). 

--Tony Martin-Vegue, Sr. Information Security Risk Engineer

Video: How Netflix Rethinks Cyber Risk Analysis with FAIR (FAIRCON2020)


4. DoorDash 

FAIRCON2020 - DoorDash - Sarina Hothi-1“People come in with an edge case and say XYZ is a huge problem and now the end of the world is coming. By going to the FAIR taxonomy and asking questions like ‘How often has the end of the world truly happened? What threat would cause the world to end?’, more often than not we come to the conclusion that the issue at hand is not really a priority. That five minutes spent verbally going through the taxonomy has probably helped me save hundreds of hours.”

-- Sarina Hothi, Security Program Manager

FAIRCON2020 Video: Implementing FAIR Risk Management at DoorDash at ‘1,000 Miles a Minute’


5. Hewlett-Packard Enterprise (HPE)

“If you can boil [risk] down to the specific loss event scenarios that resonate with business leaders, they can understand the disruption of your critical service which is supporting their business goal. They can then start to talk about the event in ways that open your eyes as the risk analyst and really give you detail to things you would not have thought of.  FAIR is great for that.”

--Drew Simonis, VP, Global Security

Meet a Member: Drew Simonis, Deputy CISO, HPE, on How Risk Analysts Can Connect with Business Leaders


6. National Aeronautics and Space Administration (NASA)

Cody Scott - NASA - FAIR Conference 2020 - Featured-1“We now have people coming to us asking how they can get support for doing risk assessments. They’re asking, ‘Can you help us solve a business problem? Can you help us know what to prioritize first?’ That's never happened before.”

--Cody Scott, Chief Cyber Risk Officer s

Meet a FAIRCON2020 Speaker: Cody Scott of NASA on Building A Quantitative Risk Management Program in the Federal Government

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37