Can you say which is the most valuable control in your cybersecurity program? The least valuable? Why are those questions for the cybersecurity and risk management professions difficult to answer? We have frameworks that list recommended controls but provide no insight into the effectiveness of those controls for risk reduction, either on their own or as a system. It’s like practicing medicine based on anatomy – an inventory of body parts – without physiology, the knowledge of how they work together.

The FAIR Controls Analytics Model™ (FAIR-CAM™), i.e. control “physiology”:

• Enables empirical measurement of control efficacy and value
• Accounts for individual control functionality as well as systemic effects
• More effectively leverages cybersecurity telemetry

FAIR-CAM™ was created by Jack Jones, the author of FAIR™, the international standard for quantification of cyber and technology risk. FAIR-CAM™ is an extension of the FAIR standard that documents how controls physiology functions by describing how controls affect the frequency and magnitude of loss events. The FAIR-CAM™ model accounts for controls both with direct and indirect effects on risk, yielding a complete system view.

With FAIR-CAM™, the effect of each control on risk can be measured based on a specific unit (for instance frequency, probability, or time) as opposed to subjective ordinal values like "1-through-5" or "red/yellow/green." The result is an understanding of controls and control systems based on empirical measurements.

The FAIR-CAM™ model can readily be leveraged to make better use of existing control frameworks. Expert workgroups convened by the FAIR Institute have mapped, or are in the process of mapping the FAIR-CAM™ model to:

• NIST 800-53
• CIS Controls
• ISO 2700
• HITRUST

Work is being scheduled to map other common frameworks to the FAIR-CAM™ model.When combined with a well-defined control “anatomy-like” framework and solid risk measurement using FAIR, the FAIR-CAM™ model will improve an organization’s ability to focus on the controls that matter most, significantly reducing the odds of cybersecurity loss events and wasted resources.