An extension of the FAIR model, FAIR Controls Analytics Model (FAIR-CAM™), allows analysts to map controls to risk more easily and reliably
RESTON, Va., Oct. 20, 2021 (GLOBE NEWSWIRE) -- The FAIR Institute, a non-profit professional organization dedicated to advancing the discipline of measuring and managing information risk, has launched its FAIR Controls Analytics Model (FAIR-CAM™), making cyber risk quantification even more useful as a decision support tool. It provides the means to map and account for risk management controls when performing a FAIR analysis, enabling analysts to more accurately measure the risk-reduction value of controls in terms that are accessible to the business.
While most control assessment practices simply express control conditions as ordinal scores (1 through 5, or red, yellow, green), these values are abstract and subjective, as they aren’t actual units of measurement, like percentages, time, units of money, etc. As a result, control measurements tend to be less reliable, making it difficult for cybersecurity teams to translate control improvements into risk reduction. The FAIR-CAM™ model addresses this critical knowledge gap.
The FAIR™ (Factor Analysis of Information Risk) cyber risk model has already emerged as the premier Value at Risk model for cybersecurity and operational risk. To add to this recognized industry standard, the FAIR-CAM™ controls model will provide these crucial units of measurement for each control function, which means cybersecurity teams can empirically measure the efficacy of controls. And because the FAIR-CAM™ model overlays its control functions on top of the FAIR model, analysts will be able to determine how much less risk will exist as controls improve (or vice versa).
Whereas FAIR quantifies the frequency and magnitude (in dollar terms) of cyber loss events, the FAIR-CAM™ model quantifies the effectiveness of controls for reducing that frequency and magnitude. Combining the two enables risk and security organizations to measure the risk reduction value of controls and controls systems more easily and reliably.
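The combination described above, as an added illustration that is not FAIR Institute code and does not model FAIR-CAM's own control functions: a loss scenario is estimated as a loss event frequency and a per-event loss magnitude (here simplified to triangular min/most-likely/max ranges, with annual loss taken as their product), a control's efficacy is expressed in measurement units (an assumed fraction of events prevented and fraction of per-event loss removed) rather than an ordinal score, and the risk reduction value falls out in dollars and percent. The scenario values and control effects are constructed.

```python
# Added example (not FAIR Institute code): a toy FAIR-style calculation that
# expresses a control's effect in measurement units (fractions of loss event
# frequency and loss magnitude removed) instead of an ordinal 1-5 score, and
# turns that into a dollar-denominated risk reduction value.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """Calibrated min / most-likely / max estimates for one loss scenario."""
    lef_min: float   # Loss Event Frequency, events per year
    lef_mode: float
    lef_max: float
    lm_min: float    # Loss Magnitude per event, dollars
    lm_mode: float
    lm_max: float


@dataclass(frozen=True)
class ControlEffect:
    """Assumed control efficacy in measurable units: fraction of events prevented
    and fraction of per-event loss removed (0.0 = no effect, 1.0 = total)."""
    frequency_reduction: float
    magnitude_reduction: float

    def __post_init__(self):
        for v in (self.frequency_reduction, self.magnitude_reduction):
            if not 0.0 <= v <= 1.0:
                raise ValueError("control effect must be a fraction in [0, 1]")


def apply_control(s: LossScenario, c: ControlEffect) -> LossScenario:
    """Overlay the control on the scenario by scaling frequency and magnitude."""
    f = 1.0 - c.frequency_reduction
    m = 1.0 - c.magnitude_reduction
    return LossScenario(s.lef_min * f, s.lef_mode * f, s.lef_max * f,
                        s.lm_min * m, s.lm_mode * m, s.lm_max * m)


def expected_annual_loss(s: LossScenario) -> float:
    """Closed-form expected annualized loss: mean LEF times mean LM
    (the mean of a triangular distribution is (min + mode + max) / 3)."""
    mean_lef = (s.lef_min + s.lef_mode + s.lef_max) / 3.0
    mean_lm = (s.lm_min + s.lm_mode + s.lm_max) / 3.0
    return mean_lef * mean_lm


def simulate_annual_loss(s: LossScenario, trials: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo draws of annualized loss (one LEF sample times one LM sample)."""
    rng = random.Random(seed)
    return [rng.triangular(s.lef_min, s.lef_max, s.lef_mode)
            * rng.triangular(s.lm_min, s.lm_max, s.lm_mode)
            for _ in range(trials)]


def risk_reduction_value(s: LossScenario, c: ControlEffect) -> dict:
    """Dollar and percentage risk reduction attributable to the control."""
    before = expected_annual_loss(s)
    after = expected_annual_loss(apply_control(s, c))
    return {"before": before, "after": after,
            "reduction_usd": before - after,
            "reduction_pct": (before - after) / before if before else 0.0}


# Constructed sample scenario: 0.5 to 4 loss events per year, $10k to $200k per event.
BASELINE = LossScenario(0.5, 2.0, 4.0, 10_000.0, 50_000.0, 200_000.0)
# Constructed control: prevents half the events and trims per-event loss by 20%.
CONTROL = ControlEffect(frequency_reduction=0.5, magnitude_reduction=0.2)

if __name__ == "__main__":
    r = risk_reduction_value(BASELINE, CONTROL)
    print(f"expected annual loss before control: ${r['before']:,.0f}")
    print(f"expected annual loss after control:  ${r['after']:,.0f}")
    print(f"risk reduction value: ${r['reduction_usd']:,.0f} ({r['reduction_pct']:.0%})")
    sims = sorted(simulate_annual_loss(apply_control(BASELINE, CONTROL)))
    print(f"simulated 90th percentile annual loss with control: ${sims[int(0.9 * len(sims))]:,.0f}")
```

Because the control's effect is stated as fractions of frequency and magnitude, two controls with different "scores" can be compared on the same dollar scale, and the Monte Carlo output gives the tail (e.g. the 90th percentile) that the closed-form expected value hides.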
“Existing control frameworks or ‘risk scores’ are lists of individual controls or control objectives. However, none of these frameworks formally define the many ways in which controls directly or indirectly affect risk,” explained Jack Jones, president, FAIR Institute. “A useful analogy is the difference between the anatomy of a human body, and its physiology. Anatomy is a list of the parts (bones, muscles, nerves, organs, etc.), while physiology is a description of how those parts function both individually and as a system.
“Existing frameworks provide a useful ‘anatomy’ for cybersecurity controls, and the FAIR-CAM™ model describes control physiology. It provides the missing link between today’s control frameworks and risk measurement. This enables reliable measurement of control efficacy and value, so that organizations make better use of their limited resources to manage cybersecurity and risk.”
The FAIR-CAM™ controls model maps to all the popular controls frameworks, such as NIST, ISO, and CIS, and will help security teams get more value from frameworks. Rather than conducting simple gap analysis, teams can make well-informed choices among the controls recommended by the frameworks, based on quantifiable risk reduction.
“The FAIR-CAM™ controls model goes a long way in connecting the dots within the cyber risk equation. In particular, it will help organizations like Highmark Health take a more practical approach to operationalize cyber risk management by mapping controls to risks. This will enable us to more confidently evaluate controls to determine which ones to grow, sustain or sunset,” said Omar Khawaja, CISO, Highmark Health.
About the FAIR Institute
The FAIR Institute is an expert, non-profit organization led by information risk officers, CISOs and business executives, created to develop and share standard risk management practices based on FAIR. Factor Analysis of Information Risk (FAIR™) is the only international standard analytics model for information security and operational risk. FAIR helps organizations quantify and manage risk from the business perspective and enables cost-effective decision-making. To learn more and get involved visit: www.fairinstitute.org.
FAIR Institute education partners include Arizona State University, Carnegie Mellon University, Center for Applied Cyber Education, Ferris State University, George Mason University, Harvard University, Macquarie University, Pepperdine, San Jose State University, University of Massachusetts Amherst, University of Tampa, University of Toronto, Virginia Tech, and Washington University in St. Louis.
Cathy Morley Foster