How GSK is Building A Next Generation TPRM Program and Tooling - Sponsored by Safe Security
The cybersecurity landscape is constantly evolving with new threats and traditional TPRM methods are not suited to handle emerging risks such as cyber threats, data breaches, and supply chain disruptions. Join Marek Jakubczak, Cyber Risk Leader at GSK and Ram Vemula Product Management, Head of Partnerships at Safe Security to hear about the current state of TPRM and how a large company is changing the game. Let's review the shortcomings and limitations of current approaches and how to build next generation TPRM processes and tools that will help your organization stay resilient, keep pace with the dynamic risk environment, improve operational efficiency, and protect the organization from potential threats associated with third-party relationships. We will also talk about how we can effectively partner with third-parties in managing risk and give them the tools necessary to burn down risk.
NIST CSF Effectiveness: Controls & Quantification – Sponsored Webinar with Ostrich Cyber-Risk
In this webinar, Greg Spicer, Co-Founder and CRO of Ostrich Cyber Risk, along with Kevin Gelsthorpe and John Feezell of Kyndryl, will dive into the intricacies of identifying your biggest cyber risks using NIST Cybersecurity Framework (NIST CSF). We then will explore how to determine which controls most effectively mitigate these risks and how to quantify their effectiveness in financial terms, and influence decisions with stakeholders in your business. Sponsored by Ostrich Cyber-Risk.
FAIR-CAM Controls Library
The FAIR Institute, with the assistance of technical adviser Safe Security, is creating a draft Cybersecurity Controls Library, informed by FAIR-CAM, the FAIR Controls Analytics Model. Now, we are inviting the FAIR community to support this project to develop a highly useful resource for FAIR practitioners looking to assess their controls based on FAIR-CAM. The Controls Library categorizes controls according to their functions as described by FAIR-CAM, and each with an extensive description of how they operate and their value in a cyber risk management program.
FAIR Standards Booklet
A new and complete guide to the FAIR model and standard extensions, FAIR-CAM, FAIR-MAM, FAIR-TAM, FAIR AIR, and FAIR Automation.
RSAC24 Seminar: Mastering Cybersecurity Risk with FAIR: An Introduction and Case Study
Join the FAIR Institute for a two-part seminar that will demystify the world of FAIR™ (Factor Analysis of Information Risk). In the first session, we'll provide an in-depth introduction to FAIR™, equipping you with the knowledge needed to tackle cyber risk effectively. In the second session, we'll dive into a compelling case study that showcases the practical application of FAIR™ principles.
The Future of AI Risk Management: A Deep Dive with the FAIR Institute AI Workgroup
Join the FAIR Institute AI Workgroup as we navigate the evolving world of AI risks. We'll introduce the workgroup, its members, and exciting 2024/25 initiatives. In this webinar, the Workgroup members will share their insights on: • Building trust in the age of AI • Navigating recent hot-button topics like illegal AI robocalls, a use case with Rite Aid, and the EU Act • Mitigating model development risks and ensuring materiality. We will learn how to navigate these complexities and build trustworthy AI for your organization.
Financial Impact Questionnaire (FIQ) - Customize FAIR-MAM for Your Most Accurate Cyber Loss Data
The FAIR Institute introduced in 2023 the FAIR Materiality Assessment Model (FAIR-MAM™), a step change in quantifying loss magnitude for FAIR cyber risk analysis. FAIR-MAM enabled analysts to gather loss data at a granular level that ensured a high level of accuracy – and store it in an always available repository, ready for reporting out the impact of a data breach or other loss event in a defensible format that could stand up to scrutiny by regulators. We’re now introducing a tool to help further sharpen loss data for analysis: the Financial Impact Questionnaire (FIQ).
Managing Cyber Risk in a Time of New Incident Disclosure Rules Welcome Address
Without further ado, please join me in welcoming our esteemed keynote speaker, Nick Sanna, Founder of the FAIR Institute. Speaking today on “Managing Cyber Risk in a Time of New Incident Disclosure Rules” and how FAIR plays a necessary part. Welcome Nick!
Case Study Panorama with Richemont and Econocom
Speaking about real life examples, next up today is our first of two Case Study Panorama sessions with Pierre Olodo, Senior Lead Cyber Risk, Richemont and Anne Lupfer, Deputy CSO, Econocom who will both give us examples of deploying quantification at their organizations.
Meeting Regulatory Compliance - How to Think About Materiality with FAIR
Our session now is “Meeting Regulatory Compliance - How to Think About Materiality with FAIR” that will discuss real life examples at companies using FAIR and also give insight into the research that the Institute is planning this year. Welcome Mouhamad el Houssaini, Risk Director, ADP and Pankaj Goyal, Director of Standards and Research, FAIR Institute.
The Significance of the NIS2 Directive and of the Digital Operational Resilience Act DORA
Next up, we have an esteemed panel of experts who will deep dive into “The Significance of the NIS2 Directive and of the Digital Operational Resilience Act (DORA).” Welcome to the stage: • Moderator: Anne Leslie, Cloud Risk & Controls Leader EMEA, Financial Services, IBM • Cathie-Rosalie Joly, Partner, Bird & Bird Law Firm • Martina Dvar, Advisor, European Central Bank • Iva Tasheva, Co-founder & Cybersecurity Lead, CYEN; Working Group Member, ENISA
Re-thinking Third Party Risk Management
Wrapping up our morning sessions today, we will turn our focus to another research initiative of the FAIR Institute, how to re-think third party risk management with quantification. Here to discuss and present are Meena Martin, VP Cyber Risk and Assurance, GSK and Pankaj Goyal, Director of Standards and Research, FAIR Institute.
GenAI Related Risk and Opportunities
Moving on to the next panel focusing on managing new risks and opportunities in the rapidly growing world of AI, please help me welcome our panel today: • Moderator: Pankaj Goyal, Director of Standards and Research, FAIR Institute • Gérôme Billois, Partner, Wavestone • Sabine Marcellin, Lawyer, Digital Law, Oxygen+; Professor, AI, KEDGE Business School • Jacqueline Lebo, Risk Advisory Manager in Security Services, Safe Security
The Future of the Cyber Risk Management Profession with Jack Jones
As we advance into the day, so we advance into the future of our profession. Join me in welcoming Jack Jones, Chairman Emeritus of the FAIR Institute and author of FAIR and FAIR-CAM for his talk on “The Future of the Cyber Risk Management Profession!”
CxO Panel - Managing Cyber Risk in a Time of New Incident Disclosure Rules
Next up we have a very special CxO panel for you to share how executives can more effectively manage cyber risk in this time of new incident disclosure rules. Please welcome: - Moderator: Thiébaut Meyer, Director, Office of CISO, Google Cloud - Benoit Fuzeau, CISO, CASDEN; President, CLUSIF - Aljona Reiser, Head of Cyber Business Risk, Commerzbank AG - Ariane Chapelle, Partner, BDO Chapelle
Optimizing Cyber Insurance with Risk Quantification
Our next panel will dive deep into optimizing cyber insurance with risk quantification, help me welcome our moderator and panelists: - Moderator: Christopher Khadan, Chief Customer Officer, Safe Security - Leopold Larios, Director of Cyber Insurance Offering, Descartes Underwriting - Andreas Schmitt, Global Cyber Underwriting Manager, Zurich Insurance - Thierry Zucchi, Head of Cyber Activity, Relyens - Patrick Montagner, Deputy Secretary General, ACPR (French Prudential and Resolution Authority)
Case Study Panorama with Mastercard and Fresenius
Kicking off our last segment of sessions today is our final case study panorama session, moderated by Greg Spicer, Co-Founder and CRO at Ostrich Cyber-Risk. Join me in welcoming two expert FAIR professionals, Rob Moore, VP, Technology Risk, Mastercard and David Steng, Director, Cyber Risk & Economics, Group Cybersecurity Office, Fresenius Group.
Using FAIR and MITRE to Understand How Controls Impact Risk
The next session shifts focus to controls and FAIR-CAM as we use FAIR and MITRE to understand how controls impact risk. Welcome back Tom as moderator and our panelists, Frédéric Bouveresse, IS&T Cyber Risks Governance Specialist, Alstom and Francesco Chiarini, Global Head - Technology Resilience, Sandoz.
A FAIR Artificial Intelligence (AI) Cyber Risk Playbook
The FAIR Institute presents FAIR-AIR, a FAIR-inspired approach to help you identify your AI-related loss exposure and make risk-based decisions on treating this new category in cyber risk management – new but a puzzle to be solved using the FAIR techniques of modeling and quantifying cyber risk that our community has validated for years.
CIS 8.0 to FAIR-CAM Mapping V1
A team of FAIR Institute members led by FAIR creator Jack Jones have mapped the CIS Critical Security Controls v. 8.0 to the new FAIR Controls Analytics Model (FAIR-CAM™). The CIS Controls are a popular 18-category set of best practices that, like other cybersecurity frameworks, tell you what controls to implement but not what measurable effect they have on reducing cyber risk singly or as an interdependent system. Jack developed FAIR-CAM to make compliance with frameworks more about mitigating risk than checking off boxes on a list.
Webinar: The NIST Artificial Intelligence Risk Management Framework (AI RMF)
The NIST Trustworthy and Responsible AI Resource Center published the Artificial Intelligence Risk Management Framework (AI RMF) in early 2023 to support the responsible adoption of trustworthy AI systems. The voluntary, risk-based, rights-preserving, and flexible framework provides an approach for organizations to manage the benefits and risks of AI through specific approaches outlined in the AI RMF. The AI RMF is designed to function as part of a larger organizational risk management program specifically to mitigate the potential of harms to people, organizations, and ecosystems (people & planet) unique to AI systems. Today, Martin Stanley will provide an overview of the AI RMF and supporting NIST resources available to assist organizations in responsibly adopting AI. Martin Stanley is the Strategic Technology Branch Chief and leads the research and development program for the Cybersecurity and Infrastructure Security Agency (CISA/DHS). Martin previously led the Cybersecurity Assurance Program at CISA and the Enterprise Cybersecurity Program at the U.S. Food and Drug Administration. Prior to his federal service Martin held executive leadership positions at Vonage and UUNET Technologies. Martin recently co-authored “Digital Health”, an Oxford University Press Publication in 2021. Martin is currently assigned to NIST to advance adoption of the NIST Artificial Intelligence Risk Management Framework.
Keynote Address: The Future of Risk Analysis in an AI and Automation World
I am very honored to present our Day 2 Keynote Speaker this morning, Jack Jones, author of the FAIR model and Chairman of the FAIR Institute presenting the Keynote Address today, “The Future of Risk Analysis in an AI and Automation World.” Jack has worked in information security for over thirty-five years, ten years of which as a CISO with three different companies, including a Fortune 100 company. In 2012 Jack received the CSO Compass award for risk management leadership. An adjunct professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs. Jack created the “Factor Analysis of Information Risk” (FAIR) model which has been adopted as an international standard. Currently, Jack is the Chairman of the FAIR Institute and the Chief Research Scientist at Safe Security. He has also co-authored a book on FAIR entitled “Measuring and Managing Information Risk, a FAIR Approach” which was inducted into the Cyber Security Canon in 2016.
Panel: How to Get Ready for the New SEC Rule on Cybersecurity
I am excited for our first panel today titled “Panel: How to Get Ready for the New SEC Rule on Cybersecurity”. Nothing has pushed CRQ more front and center than the release of new rules from the Securities and Exchange Commission (SEC) on cyber risk disclosure – and the concern and confusion around what’s a material cyber risk. Together, we will tackle the issue head-on with expert panelists, including the SEC’s cyber enforcement chief. Led by moderator Kim Nash, Deputy Bureau Chief, WSJ Pro Cybersecurity, please help me welcome the panelists to the stage: • David Hirsch, Chief, Crypto Asset and Cyber Unit in the Division of Enforcement, SEC • Brian Walker, CEO, The CAP Group • Kurt John, CSO, Expedia Group • Richard Borden, Cybersecurity and Privacy Partner, Frankfurt, Kurnit, Klein, & Selz
Quantifying Multi-Product Security and Privacy AI Risk with FAIR and NIST AI RMF
This track is focused on one of the hottest topics in our industry right now, AI. How can organizations balance the opportunities that arise from AI adoption while managing its risk? What does AI risk actually mean? How can we best manage it? Those questions are coming fast, and FAIR practitioners of quantitative cyber risk management are adapting rapidly. First up in our track today are Tyler Britton, Security Engineer and Taylor Maze, Risk & Governance Manager at Dropbox. They will be presenting on their work with this case study session titled “Quantifying Multi-Product Security and Privacy AI Risk with FAIR and NIST AI RMF.”
Challenges and Opportunities of Moving to Quantitative Risk Management in ERM
Help me welcome our panelists today: Evan Wheeler, Senior Director, Technology Risk Management at Capital One and FAIR Institute Advisory Board Member Ted Webster, Chief Security and Privacy Officer,
Accelerating your GenAI Adoption Through AI Risk Posture Management
Presenting today is Pankaj Goyal, Director of Standards & Research at the FAIR Institute, joined by Brandon Sloane in AI Governance at Meta.
Patch Prioritization with FAIR-CAM™
Next we have Denny Wan, Co-Chair, Sydney Chapter and the FAIR-CAM Workgroup, John Linford, Forum Director at The Open Group, and Sasha Romanosky, Senior Policy Researcher at RAND. The timely application of software patches is the first line of defense against malware by reducing the attack surface. This presentation will discuss how to apply the FAIR-CAM model to inform on the effectiveness of a patch prioritization policy.
The State of the CRQ Market
Here to give a view of the entire state of the CRQ Market, please welcome to the stage, Cody Scott, Senior Analyst for Security and Risk at Forrester Research. Cody will be focusing on what users are asking for and where the market is now, including both the positives and the challenges, and where the industry research needs to focus moving forward.
How is the Discussion About Cyber Risk Changing at the Board Level?
We are lucky to have with us today a superstar panel on “How the Discussion About Cyber Risk is Changing at the Board Level?”. Reminder to please use the QR code and follow the instructions on page 2 in your program to submit questions. Led by moderator Larry Clinton, President of the Internet Security Alliance (ISA), please help me welcome the panelists to the stage: • Elias Oxendine IV, CISO, Yum Brands • Kevin McCarty, CISO, Cigna US Healthcare • Kris Lovejoy, Board Member, Dominion Energy and Global Security and Resilience Practice Leader, Kyndryl • David Burg, Americas Cybersecurity Leader, EY
Connecting Threat Intel to risk with MITRE ATT&CK and FAIR™
We are lucky to have with us today a great session on “Connecting Threat Intel to risk with MITRE ATT&CK and FAIR™”. Reminder to please use the QR code and follow the instructions on page 2 in your program to submit questions. Please help me welcome the panelists to the stage: • Jon Baker, Director, MITRE Center for Threat-Informed Defense • Stephen Bartolini, Executive Director, Cybersecurity & Technology, JPMorgan Chase • Vidit Baxi, CISO, Safe Security
Introducing FAIR-MAM™ - A Comprehensive Approach to Loss Modeling in FAIR™
This track focuses on ways in which we can build on the FAIR model, making improvements and advancements to our risk management practices. Starting today with an introduction to FAIR-MAM, the FAIR Materiality Assessment Model. Join me in welcoming: • Erica Eager, Senior Director, Risk Quantification, Safe Security • Filippo Curti, Financial Economist, Federal Reserve Board of Richmond • Tom Macphee, Cyber Risk Senior Manager, Cigna
Cyber Insure or Self Insure?
My name is Arturo Perez-Reyes, Strategist, SVP, Cyber and Technology at Newfront. Welcome to our session today that will ask the question “to cyber insure, or to self-insure?”! Joining me on stage are my esteemed colleagues: • Tom Srail, EVP Cyber Risk, Willis Tower Watson • Brandon Pinzon, SVP, Chief Security Officer, Argo Group Insurance • Mayur Patel, VP, Senior Cyber Underwriter, Munich Re
Using the FAIR Model for AI Risk-Based Accountability
The purpose of this session is sharing practical risk-based compliance tips, by using the FAIR model in order to fix Impact Assessments. The presentation will show convenient tactics for adapting several concepts such as primary and secondary losses, and temporary-bound probability, all in a multidimensional compliance environment. Welcome to the stage Luis Enriquez, Professor at Université de Lille (France), and Universidad Andina Simón Bolivar (Ecuador)!
Measuring Controls Effectiveness and Risk with FAIR-CAM™
Join our speakers Bryan Smith, VP Product Management at Safe Security and Tyler Britton, Security Engineer at Dropbox as we dive into measuring controls effectiveness and risk with FAIR-CAM™
Deriving Probability Distributions with Pairwise Relative Comparisons
This presentation supports the FAIR contention that we need to use ranges or distributions for probability and impact in FAIR for risk management. More importantly, this presentation shows how the PERT-styled distributions used in FAIR analyses can be supplemented with pairwise comparisons that can reduce ‘noise’ inherent in measuring uncertainty, thus producing more accurate distributions based on individual judgments as well as judgments from groups of individuals. The process is based on pairwise comparisons of a range of uncertain outcomes, such as the frequencies of an event.
Measuring Real Life Cyberattacks on Enterprise Networks
Our next session will explore a novel approach to measuring loss events of realistic cyberattacks, empowering organizations to assess their security resilience based on changing threat landscapes and make data-driven decisions for bolstering their defenses against evolving cyber threats. Please welcome Christian Ellerhold, Lead Principle Engineer, Cyber Risk Management at Infineon Technologies to the stage!
The Rising Ambition of Cyber Risk Management Programs
Now we are lucky to have a case study panorama with a stellar lineup of experts discussing the most important things facing a cyber risk management program today. Led by moderator Daniel Stone, Director at Protiviti, allow me to introduce our panelists: • Meena Martin, VP, Cyber Risk and Assurance, GSK • Dan Phillips, Security Risk Management Lead, Meta • Robert Immella, Global Leader, CRQ, Caterpillar • Valmiki Mukherjee, Chairman, Cyber Future Foundation
FAIRCON23 Closing Remarks
Thank you all for sharing your expertise. Let’s get ready now for the conclusion of the conference. Closing Remarks will begin momentarily as we allow the rest of the conference attendees to join us here in the Grand Ballroom.
FAIRCON23 Welcome Address
Now without further ado, it’s time to get FAIRCON23 kicked off! It is my pleasure to introduce Nick Sanna, Founder of the FAIR Institute and Dave Burg, Americas Cybersecurity Leader at EY. Nick founded the FAIR Institute in 2016 as an expert non-profit organization due to a growing demand from an expanding FAIR community. The idea was to create a forum for learning about FAIR, for developing and sharing innovative best practices, and to serve as a platform for networking with peers. Dave Burg serves as EY’s Americas Cybersecurity Leader. In this role, he assists clients in reactive and proactive consulting capacities involving the deployment of information technology solutions and their use. Please welcome Nick and Dave!
Keynote Panel: Navigating the Confluence of Cybersecurity and AI: Mitigating Risks for the Future
As the stage gets set to continue into our Keynote Conversation, please help me welcome two very special guests. Joining us today are Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director and Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA. We are very grateful to have Chris and Eric here to be in conversation with Nick on “Navigating the Confluence of Cybersecurity and AI: Mitigating Risks for the Future.” The focus of the session will be specifically on how AI is affecting cyber risk management. The panel will discuss how to make sense of AI risk, what to do with it, and of course, the subject of AI from the Federal perspective.
Panel: What Models Do We Need to Improve Risk Management in the 21st Century?
The next session “What Models Do We Need to Improve Risk Management in the 21st Century?” is packed with experts. We are about to get key insights, advice, and tips from C-Level experts who are leaders of this quantitative movement. Reminder to please submit your questions using the QR code in the program. Moderated by Robert Rodriquez, Chairman and Founder of SINET, please help me welcome our esteemed panelists: • Paul Selby, CISO at US Department of Energy • Jennifer Buckner, SVP Technology Risk Management at Mastercard • Nathaniel Davis Jr, Vice President, Corporate & Defense Security at Rolls-Royce • Ian Rathie, CISO at The Fitch Group • Kurt John, CSO at Expedia Group
Improving Cyber Visibility and Decision-Making at Maersk
Now, please allow me to introduce our next session with Neil Davis, Head of Cyber Risk Management at Maersk titled “Improving Cyber Visibility and Decision-Making at Maersk.” This case study session will provide a world class example of how Maersk is using quantification to improve cyber risk visibility and their companywide decision making. Neil leads the cyber risk team at AP Moller-Maersk, providing insight into risk exposure by identifying, assessing, and managing the cyber risks faced by Maersk and its supply chain, in support of strategic and tactical decision making - balancing risk and return.
Winning Over The Doubters - Cutting Through Complexity to Exceed Stakeholder Expectations
In this session, you will hear from Robert Moore, Vice President of Technology Risk at Mastercard and Tom Callaghan, Co-Founder at C-Risk as they give a case study presentation on winning over the doubters. These tips will help you to get through the perceived complexity of quantification in order to effectively communicate to the business and exceed stakeholder expectations.
Leveraging Risk Quantification to Build An Integrated Risk Management Program
Our last session in Track 2 today is presented by Damian Apone, Global Director, Governance, Risk & Compliance at Genuine Parts Company and Chris Correia, Associate Partner at IBM. They will discuss the journey that GPC has undertaken with IBM’s support to build a holistic risk management program. They will discuss how GPC decided to use risk quantification as a foundational capability to enhance risk identification, risk reporting and prioritization of security projects to optimize GPC’s security operations. Damian will share his experiences working with leadership to demonstrate the value of risk quantification along with some of the challenges and early successes the organization faced in the adoption of risk quantification. In addition, Damian and Chris will discuss how risk quantification is supporting GPC in their review of risk appetite, executive level reporting and cybersecurity insurance.
Connecting Cyber Risk Assessment to Integrated Decision Management
I am sure that many of you started making great connections during the networking break. Now, please allow me to introduce our next session with Doug Hubbard titled “Presentation: Connecting Cyber Risk Assessment to Integrated Decision Management” Quantitative risk analysis in cyber is only part of enterprise risk and risk is only part of quantitative decision making. Integrated decision management involves utilizing methods tested in large clinical trials and improving and tracking the performance of models, measurement methods, and even expert judgement. Measuring the performance of decision making itself is the most important - and yet apparently among the last – of critical measurements for organizations to conduct. This session will propose a framework for how we may integrate the empirical methods, new algorithms, and even the psychology of decisions and estimates to improve one of the last and most important frontiers of organizational management.
Is It Raining Risk? What Data says about Cyber Risk in the Cloud
We begin this track with a session by Wade Baker, Co-Founder of Cyentia Institute and Professor at Virginia Tech. Over the years, the Cyentia Institute has published quite a few reports that analyze various aspects of risk in the cloud. Wade is going to provide a “Greatest Hits” presentation today with the goal being to answer questions like “Is cyber risk in cloud environments measurably different than on-prem and, if so, how?” all while tying it back to the FAIR framework.
How to Re-think Third-Party Risk with FAIR-TAM™?
We are launching into new waters here as we discuss how to re-think third party risk with FAIR-TAM, the new FAIR extension for third party risk. Leading this session is Pankaj Goyal, Director for Standards & Research at the FAIR Institute. Joining Pankaj are Sarah Sullivan, Director IS&T Security Performance at Thomas Jefferson University Hospitals and Adam Wells, Senior Manager for Cyber Risk Services at Yum! Brands.
The 2024 Annual Cybersecurity Risk Report
The FAIR Institute Cyber Risk Report is designed to provide reference estimates for the probability, loss, and loss exposure of common cyber events. It summarizes the findings by industry and event themes and details how actionable variables, such as security stance and data retention management, can reduce risk exposure. This year, we are pleased to present original research from EY on the challenges of implementing a cybersecurity program, a survey that revealed the structural problems that hold back many programs and the attributes of the most effective CISOs – as EY calls them, “Secure Creators.” At the FAIR Institute, we believe that transparency and accountability in cyber risk management are best served through cyber risk quantification (CRQ) – with Factor Analysis of Information Risk (FAIR™), the international standard for CRQ, built on a foundation of carefully curated data. We based our 2024 Cybersecurity Risk Report on FAIR analyses and extensive research by our data science advisors. We invite you to discover the most relevant cyber risk data for your organization and benchmark your performance against peers in your industry and others.
The CRQ Program Development Lifecycle
This next case study session will focus on best practices for enterprise-level FAIR-based CRQ program development. From the initial development of a program charter to the measurement and monitoring of program performance and optimization, the well-established phases and processes of the CRQ Program Development Lifecycle provide a proven methodology to ensure productive outcomes including executive-level engagement, analyst proficiency, use case selection, powerful storytelling, business alignment, and higher levels of program success. Join me in welcoming Zach Cossairt, Integrated Risk Program Senior Manager at Equinix and Jon Oppenhuis, Director, Risk Strategy and Success at Safe Security.
Using Cyber Risk Intelligence to Scale Third Party FAIR Assessments
This next case study session is titled Using Cyber Risk Intelligence to Scale Third Party FAIR Assessments with John Feezell, Assoc. Director, Security Counseling at Kyndryl and Bob Maley, Chief Security Officer at Black Kite. In this session, Bob and John will discuss how the additional context of cyber ratings, compliance assessments, ransomware and data breach intelligence and other cyber risk information can help scale your FAIR assessments.
Scenario Planning for Effect
Our last session in Track 1 today is presented by Aaron McKay, Cybersecurity Engineer at SCRAM Systems and Jack Whitsitt, Director of CRQ at Ostrich Cyber-Risk discussing a case study on scenario planning for effect.
Fireside Chat: Incident Response and Materiality
I’m happy to introduce our participants in conversation today discussing Incident Response and Materiality, Kevin Mandia, CEO of Mandiant and Saket Modi, CEO of Safe Security, Technical Advisor to the FAIR Institute. Kevin is the Chief Executive officer of Mandiant at Google Cloud. He has served as the company’s Chief Executive Officer since June 2016, including as Chief Executive Officer of FireEye, Inc. until its corporate name change to Mandiant, Inc. in October 2021. Kevin served as a member of the company’s Board of Directors from February 2016 until September 2022, when Mandiant became a part of Google Cloud. Saket Modi is the Co-Founder and CEO of Safe Security, a Cybersecurity and Digital Business Risk Quantification platform company. A computer science engineer by education, he founded Safe Security in 2012 while in his final year of engineering. Safe Security protects the digital infrastructure of multiple Fortune 500 companies around the world.
"Understanding Cyber Risk Quantification: The Buyer’s Guide" by Jack Jones - V2 Published 2023
From Jack Jones, Chairman of the FAIR Institute and creator of the FAIR model for cyber risk quantification (CRQ) — the definitive guide to understanding CRQ: What it is (and isn't), its value proposition and limitations, and facts regarding the misperceptions that are commonplace.
Webinar: Protiviti Experts Break Down NISTIR 8286 – Perspectives from the Field - Protiviti Sponsor
Slides and recording available below
Automating and Scaling FAIR Quantitative Risk Analysis Sponsored by Safe Security
Enterprises adopting FAIR face a critical hurdle in scaling operations due to the manual nature of the process. Recognizing this gap, FAIR has introduced two extensions: FAIR-CAM, the controls analytics model, and FAIR-MAM, the materiality assessment model.
Throwing the 'Bad' Data in With the Good – Sponsored Webinar with Ostrich Cyber-Risk
In this webinar, participants will be introduced to a simple way to think about and communicate the relative value of data inputs to FAIR analysis and learn about the concept of a “risk information classification framework”. Attendees will also hear about how such a framework may be used for reducing the likelihood of “analysis data rejection” from the business and how to implement a managed approach for improving precision, visibility, and confidence in analysis.
4 Steps To SEC Compliance – Sponsored Webinar with Ostrich Cyber-Risk
As the December 2023 SEC deadline approaches, it is crucial for organizations to prepare for changes effectively. Join this webinar with Jack Whitsitt, Director of Cyber Risk Quantification (CRQ) at Ostrich Cyber-Risk, where he will cover: • Materiality & Risk: Understand the importance of materiality, risk appetite, tolerance, thresholds, and how to assess and quantify them. • CRQ Integration: Learn how CRQ seamlessly measures these concepts, facilitating clear communication with the SEC and your Board. • Implementation Steps: Discover actionable steps you can take today.
How to Achieve SEC Compliance with Real-time and Automated FAIR Solution - Safe Security Sponsored Webinar
New SEC Cyber Risk Disclosure Rules mandate transformation in how publicly traded companies identify, measure, and report on the cyber risks that hit the level of material impact. Businesses need to develop frameworks and processes to make this fundamental shift swiftly. But how? Join this sponsored webinar with Molly Slocum, Director of Product Management from our Technical Advisor, Safe Security, moderated by Jack Jones, author of the FAIR™ methodology and Chairman of FAIR Institute. Molly will present on how you can provide your organization with an automated, real-time, and quantitative risk management program based on FAIR™. Get actionable insights on how to: • Automate FAIR™ to measure the probable material impact of cyber risk • Report on material cyber risks in financial terms that satisfy regulators and your Board • Demonstrate a transparent cybersecurity strategy protecting investor interests using the most advanced, AI-driven solution. Plus, hear real customer use cases of how AI-driven Cyber Risk Quantification has equipped businesses to identify, measure, and communicate cyber risk in real-time.
An Introduction to the FAIR Materiality Assessment Model (FAIR-MAM™)
The FAIR Institute is releasing a new standard to help organizations assess the materiality of cybersecurity risk and incidents, called FAIR Materiality Assessment Model (FAIR-MAM™). FAIR-MAM expands the loss magnitude factor of the FAIR model, and provides a more detailed taxonomy and breakdown of loss categories driven by cybersecurity incidents.
What the New SEC Regulation on Cyber Reporting Means for the Risk Management Profession - Webinar
As many of us know, the SEC Commissioners voted to adopt the proposed rule on cyber security. This rule aims to elevate the cyber risk reporting and management practices for public companies (registrants) in the US, to help investors in such companies consider the probable impact of cyber risk as they make investment decisions. This will be a forcing function for companies to adopt trusted cyber risk quantification (CRQ) models such as FAIR™ and adopt processes and tools that provide them with visibility into their material risks and incidents. Tune in to hear industry experts as they explain and discuss what this all means for the risk management profession. Key advice will be shared on how to navigate these new rules together and how CRQ is the top way you can help your organizations be compliant.
GRC and CRQ - A (Good) Story of Codependency - Sponsored Webinar with Ostrich Cyber-Risk
In order to understand how best to plan for and execute Cyber Risk Quantification (CRQ) as a practice and a program, it’s best to start by understanding how it fits into more traditional Governance Risk Compliance (GRC). Leveraging a CRQ tool in a GRC program provides a means to measure cyber risk levels objectively. CRQ is not intended to ‘replace’ or ‘bolt on’ to an existing GRC program. Instead, CRQ informs an evolution of existing practices, and those practices plus CRQ must be taken into consideration as they blend into an enhanced approach to decision-making by leveraging the common ground: METRICS. In this webinar, you will learn how GRC programs and CRQ tools together will help you: • More accurately estimate and track exposure of financial losses • Prioritize between compliance and regulation requirements • Prioritize cyber investments, allocate budget and adjust strategy • Highlight the decrease in potential financial losses to determine which regulatory or compliance requirement is worth investing in • Inform stakeholders how you are meeting new cyber regulations
Case Study- Improving Cyber Risk Visibility and Decision-Making with Maersk
Moving right along to our next session, allow me to introduce the Cyber Security Risk Team from Maersk. This case study session will provide a world class example of how Maersk is using quantification to improve cyber risk visibility and their companywide decision making. Here to present today are Pooya Alai and Rebekka Kurland!
Keynote by Jack Jones - The Future of Cybersecurity Risk Measurement
Next up, we have the author and creator of the FAIR Model, Jack Jones with a new and forward-looking presentation on The Future of Cybersecurity Risk Measurement. Jack has worked in information security for over thirty-five years, ten years of which as a CISO with three different companies, including a Fortune 100 company. In 2012 Jack received the CSO Compass award for risk management leadership. An adjunct professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs. Jack created the “Factor Analysis of Information Risk” (FAIR) model which has been adopted as an international standard. Currently, Jack is the Chief Risk Scientist at RiskLens and Chairman of the FAIR Institute, our award-winning global non-profit organization with over 13,000 members worldwide. He has also co-authored a book on FAIR entitled “Measuring and Managing Information Risk, a FAIR Approach” which was inducted into the Cyber Security Canon in 2016.
Keynote by Nick Sanna - How Risk Economics Can Help Us Win the Battle in Cyberspace
For our Opening Keynote, “How Risk Economics Can Help Us Win the Battle in Cyberspace”, it is my pleasure to introduce Nick Sanna, FAIR Institute Founder and President. Nick founded the FAIR Institute in 2016 as an expert non-profit organization due to a growing demand from an expanding FAIR community. The idea was to create a forum for learning about FAIR, for developing and sharing innovative best practices, and to serve as a platform for networking with peers. He was supported in this effort by the author of FAIR – Jack Jones, the Institute's Chairman - and industry representatives from companies such as Fannie Mae, Cisco, Bank of America, and Northern Trust. Outside of his volunteer work at the FAIR Institute, Nick is the CEO of RiskLens, a software company that has developed an enterprise platform based on FAIR and that acts as the Institute's Technical Advisor. Please welcome Nick Sanna!
Case Study for Cyber Risk Quantification in Luxury Watchmaking with Richemont
Next up is our final case study for the day from Pierre Olodo, Cyber Risk Specialist at Richemont. Pierre will share two scenarios having to deal with CRQ when it comes to luxury watchmaking. A unique take on the craft! Help me welcome Pierre to the stage.
Panel - What Does Effective Cyber Risk Oversight Look Like?
We have a stellar panel lined up. This session is titled “What Does Effective Cyber Risk Oversight Look Like?” and it will dive deeper into Nick’s presentation, and you will hear some real-life examples. The group will discuss the different roles around oversight and share leading practices on what works and works well. Help me welcome to the stage our panel moderated by Julian Meyrick: • Phil Huggins, CISO, NHS England • Jo Armstrong, Head of UK Card Technology Risk Management, Capital One • Naomi Gilbert, Head of Cyber Resilience Policy, Dept. for Digital, Culture, Media and Sport • Daniel May, Regional CISO, Commerzbank
Panel - Communicating Cyber Risk to Management and the Board
Welcome back for our next panel session of the day focused on “Communicating Cyber Risk to Management and the Board.” We will be discussing the ever present and important topic of communication and will hear the best tips for performing it successfully. Joining us today are our panelists: • Moderator: Jack Whitsitt, Director of Cyber Risk Quantification, Ostrich Cyber-Risk • Keyun Ruan, Risk Economics and Quantification Lead, Google Cloud • Cedric De Carvalho, Head of Group Cyber Risk & Advisory, Richemont
Panel - Moving from a Compliance-Based to a Risk-Based Approach to Cybersecurity
I’m going to invite Jack Jones back to the stage to moderate a panel on “Moving from a Compliance-Based to a Risk-Based Approach to Cybersecurity” that will focus on the benefits and the how-tos of creating an effective strategy around this. Also help me welcome our panelists: • Paul de Luca, Head of Cyber Risk, HPE • Laura Voicu, Manager Security Assurance and Risk Management, InfoSec, Elastic • Hardip Bharj, Head of Security Risk Management, SAP
Approach and Lessons Learned From Building a Cyber Risk Quantification Program with Fresenius
Rolling right into our next case study session from the Fresenius Group. These presenters are going to talk about their experiences and share what they have learned from building a CRQ program. Let’s now welcome to the stage, David Steng, Director, Cyber Risk & Economics, Group Cybersecurity Office and Ferhat Yazgili, Senior Cyber Risk Manager from Fresenius Group.
Europe Summit Closing Remarks with Tony Morbin, News Editor EU, Information Security Media Group
Finally, I am going to hand over the stage to Tony Morbin, Executive News Editor for the EU at Information Security Media Group. Tony has been working and writing in the information security space for years and was previously editor at IT Security Guru and SC Media UK. Tony has been speaking with you all today and listening to the presentations and will now help us close out the day with summary thoughts while relaying them to industry trends.
Measurement Planning Webinar - Sponsored Webinar with Ostrich Cyber-Risk
Often, when getting started with CRQ, organizations tend to focus on how to quantify individual scenarios. While this is an important step, it soon becomes clear that measuring risk for decision support purposes requires a suite of scenarios working in combination to suit a variety of purposes. This “scenario suite” should be treated as one entity composed of individual scenarios that are collectively comparable, fit for purpose, re-useable, and sustainable. At this webinar, we will introduce the concept of developing a “Measurement Plan” to support this concept and we will touch on several techniques that can be used to assure your Cyber Risk Quantification work meets both current and future needs.
Today’s Best Practices for Cybersecurity Risk Measurement - FAIR Institute Seminar at RSAC23
At RSAC23 this week, FAIR Institute Chairman Jack Jones challenged an audience of 400 in two seminars to move beyond today’s common cyber risk measurement practices that don’t reliably measure risk and re-focus on some basic techniques advanced in Factor Analysis of Information Risk (FAIR™).
How Government Can Help Manage Cyber Risk-The Example of the New Cybersecurity Framework in Jordan
H.E. Eng. Bassam Maharmeh, President, National Cyber Security Center of Jordan
How to Address Common Cyber Risk Management Challenges with FAIR™
Osama Salah, Head of IT Information Security Transformation Program, Abu Dhabi Department of Finance
How Risk Economics Can Help Us Win the Battle in Cyberspace
Nick Sanna, President, FAIR Institute, CEO, RiskLens, Board Member, ISA
Advancing Cyber Risk Management Practices in Your Organization-Practical Tips and Next Steps
Mohamed Adbulrahim, Managing Director, Octopian Security, Co-Chair FAIR Chapter Jordan
Improving Cyber Risk Visibility and Decision-Making-Practical Use Cases
Iman Khalid Al Marzouqi, Group Support Services Director, Alpha Dhabi Holding
Measuring and Managing Cyber Risk Effectively-A FAIR Approach
Jack Jones, 3x CISO, Award-winning Author of the FAIR Model, Chairman, FAIR Institute, Chief Risk Scientist, RiskLens
Creating National Cyber Risk and Governance Culture
Ahmed Al-Qawasmi, Chief Internal Audit Officer, MEPS Majdi Armouti, CEO, Digital Haze Ismael Al-Hinti, Pres., Al Hussein Technical University Iyad Khorma, CEO, Aqaba Digital Hub
Webinar - Understanding CRQ - A Buyers Guide Review V2
Jack Jones, Chairman, FAIR Institute; Author, FAIR™ Model
Getting Your Money's Worth: Putting Your Controls Inventory to Work
Marta Palanques, Director of Risk Methodologies in Technology Risk Management at Capital One
Case Study: Quantifying the Control and Risk Landscape Using FAIR-CAM
Tyler Britton, Quantitative Cyber Risk Manager at DropBox
New Member Engagement Packet
A quick overview of the FAIR Institute to get you started.
Fireside Chat-A Legislative and Policy Update on Cybersecurity and Risk Management
Moderator: Larry Clinton, President, Internet Security Alliance (ISA) Mark Montgomery, Executive Director, CyberSolarium.org Frank Cilluffo, Commissioner, CSC
Fireside Chat-What the Revised SEC Guidance on Cyber Risk Disclosures Means for You
David Hirsch, Chief of the Crypto Asset and Cyber Unit, Division of Enforcement, SEC Kristy Littman, Fmr. Chief of Enforcement - Cyber Unit, SEC
Panel: Driving Culture Change - From a Compliance to a Risk-based Approach to Cybersecurity
Moderator: Omar Khawaja, CISO, Highmark Health Mark Tomallo, SVP, CISO, Victoria’s Secret Mary Elizabeth Faulkner, CISO, Thrivent Financial Jeff Norem, Deputy CISO, Freddie Mac
Panel: Communicating Cyber Risk to the Board and the Business: How Is It Changing?
Moderator: Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, Security Services, IBM James Lam, Board Director & ERM Author Evan Wheeler, Sr. Director, Technology Risk Management, Capital One Michael Meis, Associate CISO, KU Health
FAIR, Okay, Now What-Steps to Set Up a Quantitative Risk MGT Program at Any Org with Michael Meis
Michael Meis, Associate CISO, KU Health
Managing Cyber Risk as a Strategic Enterprise Risk - John Button, Gartner
John Button, Principal Enterprise Risk Advisor, Gartner
Case Study-Five Objections to FAIR and How to Overcome Them with Netflix
Tony Martin-Vegue, Senior Information Security Risk Engineer, Netflix Prashanthi Koutha, Senior Risk Engineer, Netflix
Presentation-Expedia Groups’ Approach to Build an Effective Security Risk MGT Program using FAIR
Krishna Sheshabhattar, Director, Security, Risk, and Compliance, Expedia Group Randy Spusta, Global Competency Leader, Security Strategy Risk & Compliance Practice, IBM Security
Case Study-Refining the “R” in GRC at Scale with Mike Radigan, Cisco
Michael Radigan, Cyber Risk Advisor, Cisco
Case Study-Scaling FAIR for M&A & Beyond-Combining Bottom-Up and Top-Down Approaches with Richemont
Cedric de Carvalho, Head of Group Cyber Risk & Advisory, Richemont
Presentation-Justifying the Value of Cybersecurity to the Business with Omar Khawaja
Omar Khawaja, CISO at Highmark Health on their BOSITE Framework
Case Study-Harnessing The Voltage Effect to Scale our FAIR Risk Programs with Zach Cossairt, Equinix
Zach Cossairt, Information Risk Program Manager, Equinix
Case Study-Embedding CRQ in the Infosec Governance Process of a Fast-Growing Pop Culture Retail Org.
Markus Kaufmann, CISO, Senior Director of Information Security, Funko Tom Callaghan, Co-Founder, C-Risk
Case Study-Building a Strong Foundation for your Quantitative Risk MGT Program with Tim Wynkoop
Tim Wynkoop, Sr. Information Security Risk Engineer, Equinix
Panel-Scaling a Quantitative Risk Management Program
Andrew Retrum, Managing Director, US Security Program & Strategy Practice Lead, Protiviti Brenda Thayer, Senior Manager, Technology Risk, Fannie Mae David Severski, Senior Security Data Scientist, Cyentia Institute, Brenda Thayer, Senior Manager of Technology Risk, Fannie Mae, Tim Kelly, Senior Manager, Protiviti
Presentation-Unveiling the IRIS 2022-Bigger Scale, Greater Depth, and More Data for Your CRQ Program
Wade Baker, Partner, Cyentia Institute David Severski, Senior Security Data Scientist, Cyentia Institute
Presentation-Trends in Determining Systemic Cyber Risk for the Financial Services Industry
Matthew Tolbert, Sr. Cybersecurity Specialist, Supervision and Regulation, Fed Reserve Bank of Cleveland
Closing Remarks with Derek Johnson and Jack Jones
Jack Jones, Chairman, FAIR Institute and Derek Johnson, Senior Reporter, SC Media
Presentation-Scaling FAIR for Third Party Risk Management with Black Kite
Bob Maley, Chief Security Officer, Black Kite
Keynote Address: Trusting Risk-Informed Decisions with Jack Jones
Jack Jones, Chairman, FAIR Institute
Keynote - How Risk Economics Can Help Us Win the Battle in Cyberspace with Larry Clinton
Larry Clinton, President, Internet Security Alliance (ISA)
Presentation: Subjective Judgements: Outperforming Your Current Best Experts with Doug Hubbard
Douglas Hubbard, President, Hubbard Decision Research
Panel-CIS, NIST 800-53, ISO27000-Mapping Leading Control Frameworks to FAIR-CAM™
Moderator: Jack Jones, Chairman, FAIR Institute Daniel Stone, Associate Director, Security & Privacy, Protiviti Erin Macuga, Manager Risk and Information Security, Thrivent Financial Robert Immella, Global Leader of Cyber Risk Quantification, Caterpillar Inc Tyler Britton, Quantitative Cyber Risk Manager, DropBox Drew Brown, Information System Security Developer, FAA
Presentation-How to Scale FAIR Programs with Controls Analytics with RiskLens
Jack Jones, Chairman FAIR Institute, Chief Risk Scientist, RiskLens Bryan Smith, CTO, RiskLens
Preparing for the Quantum Threat to Cryptocurrency and Cryptography - Protiviti Sponsored Webinar
The Future of Cybersecurity Risk Measurement at RSAC22 - Slide Deck
Hello and good morning. Welcome to our seminar today from the FAIR Institute where we will be diving into the Future of Cybersecurity Risk Measurement.
Maturing A Quantitative Risk Management Program in the Federal Government
Overcoming the Challenges of Mapping NIST CSF to FAIR-CAM™
Unveiling My Cyber Risk Benchmark: Risk Quantification for All
Critical Do’s and Don’ts of Cyber Risk Board Reporting
Building a Quantitative Cyber Risk Program Based on FAIR
New study demonstrating CRQ parameters
The Cyentia Institute just released a new study that analyzes 2000 incidents affecting nonprofit organizations to derive estimates and parameters for loss event frequency, loss magnitude, common incident patterns, etc.
An Overview of the FAIR Controls Analytics Model (FAIR-CAM™)
Click below to download the white paper "An Overview of the FAIR Controls Analytics Model (FAIR-CAM™)"
Operationalizing FAIR at a Healthcare Insurer and Provider - Advanced Track Meeting - Sept 23, 2021
In the webinar “Operationalizing FAIR at a Healthcare Insurer and Provider: Initial Mis-Steps, Current Use Cases, and Future State,” Greg and Jason will discuss how Highmark Health took the next steps after identifying Top Risks, some of the challenges they have faced, how they are currently using FAIR to drive decision-making, and what their vision for FAIR at Highmark looks like.
Common Use Cases of FAIR Analysis - Beginner Chapter Meeting #3 - September 15, 2021
FAIR is the most common quantitative methodology in the technology and operational risk field, enjoying wide adoption and abundant resources to help those getting started.
Protiviti Sponsored Webinar - Establish Your Cyber Risk Management Baseline
After an organization has successfully conducted FAIR analyses, many wonder how they can expand their use of risk quantification to better understand their overall cyber risk exposure.
2019 Cyber Risk Management Maturity Benchmark Survey
The FAIR™ Institute’s third annual Cyber Risk Management Maturity Benchmark Survey results are in, and show “a lot of opportunity left in the risk management space for improvement,” says survey report author and FAIR Institute Fellow Jack Freund, PhD.
FAIR Institute Chapter Meeting - Advanced Track Meeting 1 - Reporting Risk to the Board
Presenters: Matt Kruse, FIS Global, Senior Director - Risk, Information Security and Compliance (RISC), FIS Global, Nick Corzine, Manager, Quantitative Cyber Risk Analysis, Centene
FAIR Institute Chapter Meeting - Incentivizing Better Risk Decisions: Lesson From Rogue Actuaries
Presenter: Tony Martin-Vegue - Sr. Information Security Risk Engineer/Netflix
How to Manage and Communicate Cyber Risk in Business Terms - Association Seminar at RSAC21
Here is the FAIR Institute's 3-part seminar on the business benefits of cyber risk quantification at RSA Conference 2021.
FAIR Institute Chapter Meeting - What They Didn't Teach You In Fair School
Presenter: Jack Whitsitt - FAIR Institute Board Member, SIRA Board Member, Cybersecurity Psychologist
FAIR Institute Chapter Meeting - Beginner Track Meeting 1 - FAIR Overview
Recording and slide deck below.
WEBINAR: Use Case Presentation on Using FAIR for the Implementation of a New System
Join us for the use case webinar presentation, hosted by the FAIR Institute in Spanish, to learn about using FAIR for the implementation of a new IT system at Ascena Retail Group, a Fortune 500 company in the United States.
Measuring the Cyber Attack Surface - RiskRecon Sponsored Webinar Recording
Webinar recording and slide deck below.
Webinar - Discussion on New Whitepaper - "Building a Program with HITRUST & FAIR"
WEBINAR RECORDING AND SLIDE DECK BELOW
FAIR Institute and HITRUST Plan Integration of FAIR Standard and HITRUST CSF
The FAIR Institute and HITRUST® launched an effort to integrate FAIR™, the international standard for cyber risk quantification, with the HITRUST CSF, the cybersecurity controls framework in use at hundreds of thousands of organizations, including 75% of Fortune 200 companies.
C-Level Panel - Improving Decision Making through the Adoption of FAIR
Frank Kim, Curriculum Director, SANS Institute
Clarifying SEC’s Expectations for Cyber Risk Disclosures
Kristy Littman, Chief, Cyber Unit, Division of Enforcement, U.S. Securities and Exchange Commission (SEC)
Roundtable - A Strategic Approach to Defending the U.S. in Cyberspace
Moderator: Nick Sanna, President, FAIR Institute
Use Case Panorama - How FAIR Analysis Improves Risk Communication and Decision Making
Moderator: Donna Gallaher, Board of Advisors, FAIR Institute
Roundtable - Helping the Board Exercise Proper Cyber Risk Oversight
Larry Clinton, President, ISA
Case Study - How FAIR Analyses Support Decision-Making at Netflix
Tony Martin-Vegue, Sr. Information Security, Risk Engineer, Netflix
Presentation - Improving DevSecOps with FAIR at Doordash
Sarina Hothi, Security Project Manager, DoorDash
Presentation - Updates to the Open FAIR Standards
John Linford, Forum Director, Security Forum & Open Trusted Technology Forum (OTTF), The Open Group
Keynote Conversation-How to Help the Business Make the Right Decisions on Risks They Struggle to See
Michele Wucker, Author, "The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore"
Case Study - Decision Making with FAIR - Quantification and The Rise of Class Action Lawsuits
We have all seen the value of running FAIR analysis across a number of business situations. But how can the output of FAIR analyses be applied to everyday business decisions?
Presentation - The Team as a Measurement Instrument
Douglas Hubbard, Author, "How to Measure Anything in Cybersecurity Risk"
Panel - How FAIR Can Help Better Integrate Cyber Risk with ERM
Moderator: James Lam
Case Study - Building a Program with HITRUST & FAIR
Marshall Lambert, Team Lead, Cyber Risk Quantification, Highmark Health
Case Study - Protecting Government Information and Assessing Controls at Scale
Anthony Corso, Assistant Commission, Office of the Victorian Information Commissioner
Conversation - OCC Insights for Cyber Risk Assessments
Bill Barouski, Chief Information Risk Officer, Northern Trust Corporation
Presentation - Drivers for IRM, Digital Transformation & Cost Optimization
Moderator: Sounil Yu, CISO, YL Ventures & Board of Advisor Member, FAIR Institute
Opening Keynote: Factoring Risk in Decision Making: Better Risk Measurement Enables Better Decisions
Welcome Remarks and Opening Keynote: Factoring Risk in Decision Making: How Better Risk Measurement Enables Better Decision-Making
Presentation - How to Rapidly Triage Issues and Findings to Focus on What Matters Most
David Elfering, Senior Director of Information Security
Pres.-Managing Risk in Times of Crisis: Applying FAIR to Become More Business-Centric during COVID
Omar Khawaja, CISO, Highmark Health
Presentation - How Better Data Can Help Executives Make Better Decisions
Wade Baker, Partner & Co-Founder, Cyentia Institute; Member, Board of Advisors, FAIR Institute
Case Study - Reporting Cyber Risk to the Board: Real Life Examples
Matt Kruse, Senior Director - Risk, Information Security and Compliance (RISC), FIS Global
Presentation - Prioritizing NIST CSF Activities with FAIR
Richard Barretto, Security Operations Manager, Cimpress Jack Freund, Fellow, FAIR Institute
Case Study - Enhancing HIPAA Risk Assessment with FAIR
Reny Mathew, InfoSec Analyst, Cambia Health Solutions
Case Study - Building A Quantitative Risk Management Program in the Federal Government
Emery Csulak, Principal Deputy Chief Information Officer, U.S. Department of Energy (DOE)
Presentation - Support Your Company’s Digital Transformation during Times of Crisis
Harold Marcenaro, Digital Risk Officer, Banco de Credito del Peru (BCP)
FAIR Institute Introductory Webinar for Latin America and South America
Dear specialists of Latin America, the 2020 FAIR Conference (FAIRCON2020), the leading global quantitative risk management conference, will be held digitally on October 6 and 7 (Tuesday and Wednesday).
Weaving a Safer Web: Significant Risks from Insignificant Details - RiskRecon Sponsored Webinar
As organizations continue to adjust to the current digital climate, security teams have had to shift their focus - enhancing work-from-home security measures, managing changes to the digital supply chain, monitoring the ever-expanding data universe - but recent research has shown that some businesses are ignoring some basic security principles, thus leaving themselves exposed to serious threats.
Rapid Risk Assessments: Identifying and Prioritizing Risks in Minutes Instead of Months - RiskLens
Many information security teams are running risk assessments that are qualitative in nature and do not provide results in terms business leaders and decision makers can understand.
Using FAIR to Understand Change in Resilience Risk - Protiviti Sponsored Webinar
This webinar is a step-by-step walk-through from the primary authors of Protiviti’s latest thought leadership piece, “Understanding Changes in Resilience Risks From Technology Advancements.”
How Financial Risk Quantification Can Help Federal Agencies Better Integrate Cybersec. Risk & ERM
Listen in to learn how Financial Risk Quantification can assist in integration of Cybersecurity Risk and ERM.
Reducing Cybersecurity Risk by Automating Continuous Vendor Assessment - Sponsored by RiskRecon
Assessing cybersecurity risk has taken on a new meaning as organizations shift toward virtual and companies focus on maintaining operations.
Making Better Cyber and Technology Risk Decisions - Part 3 Webinar with Jack Jones
How to Get Started with Quantification & FAIR
ISACA Journal Case Study: ‘Building a Rock-Solid ERM Culture on FAIR™’
The latest issue of the ISACA Journal presents a detailed case study on the long-running FAIR™ program at Rock Holdings, Inc. (parent company of Quicken Loans and Rocket Loans), and how “FAIR implementation transformed the business’ enterprise risk management (ERM) program and risk culture.”
Making Better Cyber and Technology Risk Decisions - Part 2 Webinar with Jack Jones
Advantages of a Quantitative Approach to Cyber Risk
Making Better Cyber and Technology Risk Decisions - Part 1 Webinar with Jack Jones
Successfully managing today’s complex and dynamic cyber and technology risk landscape requires being able to prioritize well and communicate effectively to executive stakeholders.
"Use Risk Quantification to Change Executive Priorities and Investments in Security" Webinar
Security and Risk Management leaders are exploring various methodologies in measuring information risk.
Cyber Risk Through a Cyber Situational Awareness Lens - Webinar with Jack Jones
The military has leveraged the concept of situational awareness to improve decision-making, particularly in the face of uncertainty.
Managing Cyber Risk with FAIR and NIST CSF - Webinar with Jack Jones
NIST CSF is intended to help organizations become more risk-focused.
WEBINAR: Reducing Cyber Risk from Employees Working at Home Case Study
Many companies are currently looking at work from home options for employees in response to the Coronavirus pandemic, while still maintaining control over sensitive corporate data.
RSAC20 Seminar Slides - A FAIR Approach to Cyber and Technology Risk Measurement
Risk management expectations are evolving, especially with regards to how risk is being measured and communicated.
FAIR Institute Interview with Jack Jones and Michele Wucker, author of "The Gray Rhino"
It was a meeting of the minds: FAIR model creator Jack Jones, who’s dedicated his career advocating for quantitative, critical thinking against the easy-button practices of conventional cyber risk management—and Michele Wucker, author of The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore, a highly acclaimed book that’s getting renewed buzz as a result of the “unforeseen” coronavirus crisis that was all along like a snorting gray rhino about to charge.
FAIR Breakfast Meeting During RSAC20 - Building Effective Cyber Risk Management Programs that Work
Key Points from Jack Jones and CISOs on Adopting FAIR
FAIR Breakfast Meeting During RSAC20 - Building Effective Cyber Risk Management Programs that Work
All slide decks are attached for download below.
Webinar Recording-Fannie Mae Cyber Intelligence Team Drives Culture Change Around Risk Using FAIR
Organizations starting out on their FAIR journey have probably heard the pitch several times by now: the qualitative High Medium Low “risk ratings” don’t cut it anymore.
Combining NIST CSF and FAIR to Drive Better Cyber Risk Decisions - RiskLens Sponsored Webinar
If you are a private sector organization driving your security program forward with the NIST-CSF framework, or a U.S. Government Agency working to adhere to the NIST Framework for Improving Critical Infrastructure Cybersecurity, you're on the right track to better outcomes.
2019 Risk Management Maturity Benchmark Survey Results Webinar
Join Jack Freund, PhD, co-author of the FAIR book “Measuring and Managing Information Risk: A FAIR Approach,” and our expert panel for this engaging webinar on Thursday, December 19 at 11 AM EST.
Webinar: Quantified Cyber Risk Management: Three steps to success with Highmark Health
Interactive discussion focusing on Highmark Health's two-year journey to implement quantitative cyber risk management methods.
Profiling organisation - FAIR Analysis - post by Denny Wan, Chair of the Sydney Local Chapter
The Open Group FAIR cyber risk quantification framework aims to create a common risk language that all can understand across an organisation.
Am I Mature Enough to Adopt FAIR? - Uncovering the True Success Factors
Finding your team's "True North" when starting a FAIR program can be overwhelming.
Various Stages of FAIR Adoption - Geoji Paul, Centene and Nathan Thomack, Emerson
Please welcome to the stage Geoji Paul, Director of Information Security Risk at Centene and Nathan Thomack, Manager of Cybersecurity Risk Management at Emerson for their session “Various Stages of FAIR Adoption.”
Integrating Cyber Into ERM
Thank you all for joining our panel session “Integrating Cyber Into ERM.”
Why Digital Business Needs IRM & Risk Quantification by John Wheeler, Gartner
Day 2 Keynote Speaker, John Wheeler, Global Research Leader - Risk Management Technology at Gartner.
Using FAIR to take the Headache out of considering Cyber Insurance for your Business - Walmart
At Walmart, the use of FAIR-based risk quantification methods enables decision makers to effectively evaluate cyber-insurance policies.
A Crash Course on Quantitative vs. Qualitative with Evan Wheeler
The title of this presentation is “A Crash Course on Quantitative vs. Qualitative.” This presentation will help us answer the questions of should I adopt a formal risk model, and should I quantify risk.
Pen Testing Your Board Pitch: An Interactive Exercise
This session will provide actionable advice on satisfying board members’ appetite for cyber risk analysis on an equal, quantitative footing with enterprise risk analysis (ERM).
Integrating Strategic Cyber Threat Intel and FAIR, Musso Shaikh, Cyber Threat Intel, Fannie Mae
A mutually beneficial relationship exists between threat intelligence and quantitative risk assessments via FAIR.
Scoping Enterprise Risk Assessments - Keith Weinbaum, Quicken Loans
Please welcome Keith Weinbaum, Enterprise Risk Management Architect at Quicken Loans.
Operationalizing Risk Quantification in Business Processes with Jack Whitsitt
So, you’ve brought FAIR into your organization. You got the executive buy-in, were trained, and are now a FAIR-shop.
Closing the Risk Management Loop with Cyber Risk Quantification with Greg Rothauser
A growing list of financial services organizations are using FAIR to mature their information risk management function and effectively address the most significant risks.
Building a Cybersecurity Program with a Risk Management Framework & FAIR
Many organizations rely on risk management frameworks such as NIST CSF and HITRUST as guidance for building best practice cybersecurity programs.
CISO Panel: Defining the Goals of an Effective Risk Management Program
The next session “Defining the Goals of an Effective Risk Management Program” will include expert CISOs who are leaders of this movement and who will share their experience with us.
How to Measure Risk with Limited and Messy Data: Overcoming the Myths by Doug Hubbard
Doug is the author of the books How to Measure Anything, How to Measure Anything in Cybersecurity Risk and The Failure of Risk Management and a consultant through Hubbard Decision Research.
The View from U.S. Congress Cong. Jim Langevin, Co-Chair Congressional Cybersecurity Caucus
Securing our nation’s technology infrastructure against cyber-attacks is a top priority for Rep. Langevin.
Managing Organizational and Third-party Risk in the Age of Digital Transformation
Managing Organizational and Third-party Risk in the Age of Digital Transformation: Practical Lessons and Data-influenced Considerations
Use Case Panorama - How Quantification Enables Risk-Aligned Decision Making
Real-life business decisions at some of the world's largest companies are being made every day based on quantitative risk assessments.
Enabling Risk Management Programs That Actually Work by Jack Jones, Chairman, FAIR Institute
For our opening keynote, I would like to introduce Jack Jones, author of FAIR and Chairman of the FAIR Institute, who will discuss “Enabling Risk Management Programs That Actually Work.”
Compilation of Risk Assessment Guidelines from Various Regulatory and Compliance Entities
The Cyber Risk Management Workgroup has now published a compilation of risk assessment guidelines from various regulatory and compliance entities intended to be used as an overview for practitioners.
Regulatory/Compliance Risk Assessment Overview for FAIR Practitioners
Attached is the Cyber Risk Management Workgroup Deliverable "Regulatory/Compliance Risk Assessment Overview for FAIR Practitioners"
The Road to Cyber Risk Maturity - 2018 Risk Management Maturity Benchmark Survey Report
Our second annual Benchmark Survey Report provides insights into the current state of the industry and how best to move forward.
Video: 2018 Risk Management Maturity Benchmark Survey Results Webinar
Video: 2018 Risk Management Maturity Benchmark Survey Results Webinar
Member Engagement Packet for the FAIR Institute
Have questions about where to start within the Institute? Want to find out how to best get started?
Board Oversight of Cyber Risk - Baseline Diagnostic Guide
Download attachment below.
Wheel of Fire Hits Stack - A New Way of Visualizing Effective Risk Management
"We need effective risk management to make well-informed decisions and we need effective risk management to measure those decisions and, over time, sometimes a relatively short time, to challenge the status quo as our environments change and as we know and understand more.
Jack Jones Managing Cybersecurity Surprises - the Executives Perspective
“Executives hate surprises” begins a new white paper, Managing Cybersecurity Surprises – the Executive’s Perspective, by FAIR model creator Jack Jones, and goes on to detail the four most likely reasons that organizations get blindsided by cybersecurity failures:
Panel: How to communicate the value of FAIR to internal and external stakeholders
Attached is the Cyber Risk Management Workgroup Deliverable "Regulatory/Compliance Risk Assessment Overview for FAIR Practitioners"
Technical Advisor, RiskLens Sponsored Webinar
Seasoned risk consultant and FAIR expert, Rebecca Merritt, of RiskLens will share her personal path to enlightenment (read: FAIR model!) as a former IT Auditor for a Big 4.
Information Overload - How much do boards really need to know about cyber risk
Slide presentation from Jack Jones on how to better communicate to Boards.
FAIR Institute Orientation Webinar for New Members
This webinar is hosted on a monthly basis for new members to the Institute. It is an overview of the offerings of the Institute and the advantages of becoming an engaged member.
About the FAIR Institute
Feel free to download and share the "About the FAIR Institute" presentation attached below to spread the word of FAIR and the FAIR Institute.
Industrial Company Assesses Ransomware Threat - Sponsored by RiskLens
This case study is designed as a scenario that would help to inform management about the significance of an emerging risk, such as ransomware.
Financial Institution Prepares for GDPR and NYDFS Regulations Using RiskLens - Sponsored by RiskLens
A global banking and financial services holding company with over $300B in total assets is preparing for the upcoming European Union General Data Protection Regulation (GDPR) and New York Department of Financial Services (NYDFS) cybersecurity regulations.
Financial Institution calculates Risk Exposure in Moving to Office 365 - Sponsored by RiskLens
A financial services institution with $10B in total assets was trying to determine if a move to Office 365 from their internally hosted Exchange Server made sense for the organization.
Healthcare Supplier Uses RiskLens to Identify Business Continuity Strategy - Sponsored by RiskLens
A large healthcare supplier serving more than 150 million Americans operated a key fulfillment facility in an area threatened by natural disasters.
Manufacturing Company CISO Confidently Justifies IP Protection Project - Sponsored by RiskLens
The CISO at a global manufacturing company with $50 billion in revenue faced an all-too-common problem: intellectual property (IP), critical to their success and position in their market, was scattered throughout the organization, exposing them to grave occurrences of IP exfiltration.
Video: 2017 Risk Management Maturity Benchmark Survey Results Webinar
Our first annual Benchmark Survey Report and Webinar provide insights into the current state of the industry and how best to move forward.
Where Do We Go From Here? 2017 Risk Management Maturity Benchmark Survey Results Report
Our first annual Benchmark Survey Report and Webinar provide insights into the current state of the industry and how best to move forward.
Improving Risk Decisions
This article will provide insight into the factors that drive risk decisions, the role of business management and security experts in decision making, as well as the information that’s necessary in order to make well-informed risk decisions.
The Failure of GRC
In this white paper, Jack Jones shares five reasons why many organizations are, at best, realizing only one of many important objectives.
Effectively Leveraging Data in FAIR Analyses
With the advent of FAIR, organizations finally have a model that enables effective cyber risk measurement. As a result, this document will provide guidance and examples to help organizations improve their FAIR-based risk analyses using these data sources.
A Clarification of "Risks"?
People in the risk management profession routinely use the word “risk” in different ways. Although this may be fine in a non-professional setting, it presents significant challenges in terms of our ability to accurately and efficiently identify, measure, and communicate about risk.
How You Prioritize, Matters
This paper describes at a high level a comparison of the relative efficacy of prioritizing risk remediation activities using qualitative versus quantitative methods.
Does Training Help Reduce Spear Phishing Risk?
Find out if training can reduce risk associated with spear and regular phishing in this case study.
Cost-Benefit of Implementing Credit Card Database Tokenization
Review a case study on how much credit card number tokenization can reduce the risk associated with the card datastore.
A Risk-Based Approach for Information Security and Fraud Analytics
Review a Big Data Case Study on Using a Risk-Based Approach for Information Security and Fraud Analytics.
Learning Institution Assesses Best Architecture To Secure Cloud App
Understand how much risk is associated with different security encryption strategies related to cloud data.
Cyber Risk Management Maturity
This document describes a more fundamental approach to defining and evaluating cyber risk management maturity.
Building a Sustainable FAIR Program
Learn from one of the most successful FAIR implementation teams.
Mapping NIST CSF & FAIR - Slides from the Data Utilization Workgroup Call (11/08/2017)
Join Jack Jones as he explains how NIST CSF and FAIR act as complements to one another.
Root-Cause Analysis - Break Out of Ground Hog Day
Applying Root Cause Analysis to a portfolio of issues can help identify and resolve systemic issues within your organization.