The FAIR framework defines the necessary building blocks for implementing effective cyber risk management programs. Being able to quantify cyber risk is at the core of any such program; after all, "You cannot manage what you don't measure."
Your organization already manages risk. The question is whether it is doing it implicitly or explicitly. A risk management program needs to be explicit to be effective.
In an implicit approach to cyber risk management, an organization might have aligned its cybersecurity policies with a framework like NIST CSF, and it might have a NIST CSF-based enterprise risk assessment performed annually. The cybersecurity staff probably prioritizes and works hard to address the findings from that assessment. Where the organization ends up, risk-wise, is however only a by-product of these efforts.
There is little control over the outcome from a residual loss exposure perspective, since residual loss exposure isn't clearly defined within such frameworks and their measurements are only loosely associated with risk. To be explicit, there would need to be a specific, quantified risk target that is actively managed against.
FAIR defines risk management as "the combination of personnel, policies, processes and technologies that enable an organization to cost-effectively achieve and maintain an acceptable level of loss exposure." A closer look at this definition reveals key takeaways:
The foundation required to achieve and maintain effective risk management is comprised of five elements:
The FAIR methodology was conceived as a way to provide meaningful measurements so that it could satisfy management's desire to make effective comparisons and well-informed decisions. FAIR has become the only international standard Value at Risk (VaR) model for cybersecurity and operational risk.
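As an added illustration (not part of the FAIR standard or any of its tooling), the following Python script shows how a FAIR-style Monte Carlo estimate turns calibrated ranges for threat event frequency, vulnerability and loss magnitude into an annualized loss distribution and a 95% Value at Risk that can be compared against a quantified risk target. The triangular distributions, the Poisson event count and the scenario numbers are assumptions chosen for the example.

```python
# Added illustration, not FAIR's own tooling; distributions and numbers are assumptions.
import math
import random
import statistics
from dataclasses import dataclass

@dataclass
class Scenario:
    """Calibrated (min, most likely, max) estimates for one loss scenario."""
    tef: tuple             # threat event frequency, events per year
    vulnerability: tuple   # probability a threat event becomes a loss event
    loss_per_event: tuple  # loss magnitude per loss event, currency units

def sample_tri(est, rng):
    lo, mode, hi = est
    return rng.triangular(lo, hi, mode)   # random.triangular(low, high, mode)

def simulate(scn, trials=10_000, seed=1):
    """One simulated annual loss per trial. FAIR: LEF = TEF x vulnerability;
    each year draws an LEF, a Poisson count of loss events at that rate and a
    magnitude per event, and sums them."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = sample_tri(scn.tef, rng) * sample_tri(scn.vulnerability, rng)
        n, p, cdf, u = 0, math.exp(-lef), math.exp(-lef), rng.random()
        while u > cdf and p > 0.0:  # invert the Poisson CDF for the event count
            n += 1
            p *= lef / n
            cdf += p
        losses.append(sum(sample_tri(scn.loss_per_event, rng) for _ in range(n)))
    return losses

def summarize(losses, tolerance):
    """Expected annual loss, 95% VaR (loss not exceeded in 95% of simulated
    years), chance of a loss year, and whether the risk target is met."""
    pct = statistics.quantiles(losses, n=100)   # pct[i - 1] is the i-th percentile
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "var_95": pct[94],
        "prob_loss_year": sum(1 for x in losses if x > 0) / len(losses),
        "within_tolerance": pct[94] <= tolerance,
    }

if __name__ == "__main__":
    # Constructed scenario values, not taken from any real assessment.
    scn = Scenario(tef=(2, 6, 15), vulnerability=(0.05, 0.15, 0.40),
                   loss_per_event=(20_000, 80_000, 500_000))
    print(summarize(simulate(scn), tolerance=1_000_000))
```

The `within_tolerance` flag is the explicit comparison the text calls for: a quantified risk target checked against the simulated loss exposure, rather than a by-product of addressing assessment findings.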
FAIR tells us that an effective risk management system is comprised of the following elements: