Resources

Video with Slides

How GSK is Building A Next Generation TPRM Program and Tooling - Sponsored by Safe Security

The cybersecurity landscape is constantly evolving with new threats, and traditional TPRM methods are not suited to handling emerging risks such as cyber threats, data breaches, and supply chain disruptions. Join Marek Jakubczak, Cyber Risk Leader at GSK, and Ram Vemula, Product Management, Head of Partnerships at Safe Security, to hear about the current state of TPRM and how a large company is changing the game. Let's review the shortcomings and limitations of current approaches and how to build next-generation TPRM processes and tools that will help your organization stay resilient, keep pace with the dynamic risk environment, improve operational efficiency, and protect the organization from potential threats associated with third-party relationships. We will also talk about how we can effectively partner with third parties in managing risk and give them the tools necessary to burn down risk.

Video with Slides

NIST CSF Effectiveness: Controls & Quantification – Sponsored Webinar with Ostrich Cyber-Risk

In this webinar, Greg Spicer, Co-Founder and CRO of Ostrich Cyber-Risk, along with Kevin Gelsthorpe and John Feezell of Kyndryl, will dive into the intricacies of identifying your biggest cyber risks using the NIST Cybersecurity Framework (NIST CSF). We will then explore how to determine which controls most effectively mitigate these risks, how to quantify their effectiveness in financial terms, and how to influence decisions with stakeholders in your business. Sponsored by Ostrich Cyber-Risk.

PDF

FAIR-CAM Controls Library

The FAIR Institute, with the assistance of technical adviser Safe Security, is creating a draft Cybersecurity Controls Library, informed by FAIR-CAM, the FAIR Controls Analytics Model. Now, we are inviting the FAIR community to support this project and develop a highly useful resource for FAIR practitioners looking to assess their controls based on FAIR-CAM. The Controls Library categorizes controls according to their functions as described by FAIR-CAM, each with an extensive description of how it operates and its value in a cyber risk management program.

PDF

FAIR Standards Booklet

A new and complete guide to the FAIR model and its standard extensions: FAIR-CAM, FAIR-MAM, FAIR-TAM, FAIR-AIR, and FAIR Automation.

PDF

RSAC24 Seminar: Mastering Cybersecurity Risk with FAIR: An Introduction and Case Study

Join the FAIR Institute for a two-part seminar that will demystify the world of FAIR™ (Factor Analysis of Information Risk). In the first session, we'll provide an in-depth introduction to FAIR™, equipping you with the knowledge needed to tackle cyber risk effectively. In the second session, we'll dive into a compelling case study that showcases the practical application of FAIR™ principles.

Video with Slides

The Future of AI Risk Management: A Deep Dive with the FAIR Institute AI Workgroup

Join the FAIR Institute AI Workgroup as we navigate the evolving world of AI risks. We'll introduce the workgroup, its members, and exciting 2024/25 initiatives. In this webinar, the Workgroup members will share their insights on:
• Building trust in the age of AI
• Navigating recent hot-button topics like illegal AI robocalls, a use case with Rite Aid, and the EU Act
• Mitigating model development risks and ensuring materiality
We will learn how to navigate these complexities and build trustworthy AI for your organization.

PDF

Financial Impact Questionnaire (FIQ) - Customize FAIR-MAM for Your Most Accurate Cyber Loss Data

In 2023, the FAIR Institute introduced the FAIR Materiality Assessment Model (FAIR-MAM™), a step change in quantifying loss magnitude for FAIR cyber risk analysis. FAIR-MAM enabled analysts to gather loss data at a granular level that ensured a high level of accuracy, and to store it in an always-available repository, ready for reporting the impact of a data breach or other loss event in a defensible format that could stand up to scrutiny by regulators. We're now introducing a tool to help further sharpen loss data for analysis: the Financial Impact Questionnaire (FIQ).

Video with Slides

Managing Cyber Risk in a Time of New Incident Disclosure Rules Welcome Address

Without further ado, please join me in welcoming our esteemed keynote speaker, Nick Sanna, Founder of the FAIR Institute, speaking today on “Managing Cyber Risk in a Time of New Incident Disclosure Rules” and how FAIR plays a necessary part. Welcome, Nick!

Video with Slides

Case Study Panorama with Richemont and Econocom

Speaking of real-life examples, next up today is the first of our two Case Study Panorama sessions, with Pierre Olodo, Senior Lead Cyber Risk, Richemont, and Anne Lupfer, Deputy CSO, Econocom, who will both give us examples of deploying quantification at their organizations.

Video with Slides

Meeting Regulatory Compliance - How to Think About Materiality with FAIR

Our next session, “Meeting Regulatory Compliance - How to Think About Materiality with FAIR,” will discuss real-life examples at companies using FAIR and also give insight into the research that the Institute is planning this year. Welcome Mouhamad el Houssaini, Risk Director, ADP, and Pankaj Goyal, Director of Standards and Research, FAIR Institute.

Video

The Significance of the NIS2 Directive and of the Digital Operational Resilience Act DORA

Next up, we have an esteemed panel of experts who will deep dive into “The Significance of the NIS2 Directive and of the Digital Operational Resilience Act (DORA).” Welcome to the stage:
• Moderator: Anne Leslie, Cloud Risk & Controls Leader EMEA, Financial Services, IBM
• Cathie-Rosalie Joly, Partner, Bird & Bird Law Firm
• Martina Dvar, Advisor, European Central Bank
• Iva Tasheva, Co-founder & Cybersecurity Lead, CYEN; Working Group Member, ENISA

Video with Slides

Re-thinking Third Party Risk Management

Wrapping up our morning sessions today, we will turn our focus to another research initiative of the FAIR Institute: how to re-think third-party risk management with quantification. Here to discuss and present are Meena Martin, VP Cyber Risk and Assurance, GSK, and Pankaj Goyal, Director of Standards and Research, FAIR Institute.

Video

GenAI Related Risk and Opportunities

Moving on to the next panel focusing on managing new risks and opportunities in the rapidly growing world of AI, please help me welcome our panel today:
• Moderator: Pankaj Goyal, Director of Standards and Research, FAIR Institute
• Gérôme Billois, Partner, Wavestone
• Sabine Marcellin, Lawyer, Digital Law, Oxygen+; Professor, AI, KEDGE Business School
• Jacqueline Lebo, Risk Advisory Manager in Security Services, Safe Security

Video with Slides

The Future of the Cyber Risk Management Profession with Jack Jones

As we advance into the day, so we advance into the future of our profession. Join me in welcoming Jack Jones, Chairman Emeritus of the FAIR Institute and author of FAIR and FAIR-CAM, for his talk on “The Future of the Cyber Risk Management Profession!”

Video

CxO Panel - Managing Cyber Risk in a Time of New Incident Disclosure Rules

Next up we have a very special CxO panel for you, to share how executives can more effectively manage cyber risk in this time of new incident disclosure rules. Please welcome:
- Moderator: Thiébaut Meyer, Director, Office of CISO, Google Cloud
- Benoit Fuzeau, CISO, CASDEN; President, CLUSIF
- Aljona Reiser, Head of Cyber Business Risk, Commerzbank AG
- Ariane Chapelle, Partner, BDO Chapelle

Video with Slides

Optimizing Cyber Insurance with Risk Quantification

Our next panel will dive deep into optimizing cyber insurance with risk quantification. Help me welcome our moderator and panelists:
- Moderator: Christopher Khadan, Chief Customer Officer, Safe Security
- Leopold Larios, Director of Cyber Insurance Offering, Descartes Underwriting
- Andreas Schmitt, Global Cyber Underwriting Manager, Zurich Insurance
- Thierry Zucchi, Head of Cyber Activity, Relyens
- Patrick Montagner, Deputy Secretary General, ACPR (French Prudential and Resolution Authority)

Video with Slides

Case Study Panorama with Mastercard and Fresenius

Kicking off our last segment of sessions today is our final case study panorama session, moderated by Greg Spicer, Co-Founder and CRO at Ostrich Cyber-Risk. Join me in welcoming two expert FAIR professionals, Rob Moore, VP, Technology Risk, Mastercard and David Steng, Director, Cyber Risk & Economics, Group Cybersecurity Office, Fresenius Group.

Video with Slides

Using FAIR and MITRE to Understand How Controls Impact Risk

The next session shifts focus to controls and FAIR-CAM as we look at how FAIR and MITRE can be used to understand how controls impact risk. Welcome back Tom as moderator, and our panelists Frédéric Bouveresse, IS&T Cyber Risks Governance Specialist, Alstom, and Francesco Chiarini, Global Head - Technology Resilience, Sandoz.

PDF

A FAIR Artificial Intelligence (AI) Cyber Risk Playbook

The FAIR Institute presents FAIR-AIR, a FAIR-inspired approach to help you identify your AI-related loss exposure and make risk-based decisions on treating this new category in cyber risk management – new, but a puzzle to be solved using the FAIR techniques of modeling and quantifying cyber risk that our community has validated for years.

PDF

CIS 8.0 to FAIR-CAM Mapping V1

A team of FAIR Institute members led by FAIR creator Jack Jones have mapped the CIS Critical Security Controls v. 8.0 to the new FAIR Controls Analytics Model (FAIR-CAM™). The CIS Controls are a popular 18-category set of best practices that, like other cybersecurity frameworks, tell you what controls to implement but not what measurable effect they have on reducing cyber risk singly or as an interdependent system. Jack developed FAIR-CAM to make compliance with frameworks more about mitigating risk than checking off boxes on a list.

PDF

NIST CSF 1.1 to FAIR-CAM 1.0 Mapping

Video with Slides

Webinar: The NIST Artificial Intelligence Risk Management Framework (AI RMF)

The NIST Trustworthy and Responsible AI Resource Center published the Artificial Intelligence Risk Management Framework (AI RMF) in early 2023 to support the responsible adoption of trustworthy AI systems. The voluntary, risk-based, rights-preserving, and flexible framework provides an approach for organizations to manage the benefits and risks of AI through specific approaches outlined in the AI RMF. The AI RMF is designed to function as part of a larger organizational risk management program specifically to mitigate the potential of harms to people, organizations, and ecosystems (people & planet) unique to AI systems. Today, Martin Stanley will provide an overview of the AI RMF and supporting NIST resources available to assist organizations in responsibly adopting AI. Martin Stanley is the Strategic Technology Branch Chief and leads the research and development program for the Cybersecurity and Infrastructure Security Agency (CISA/DHS). Martin previously led the Cybersecurity Assurance Program at CISA and the Enterprise Cybersecurity Program at the U.S. Food and Drug Administration. Prior to his federal service Martin held executive leadership positions at Vonage and UUNET Technologies. Martin recently co-authored “Digital Health”, an Oxford University Press Publication in 2021. Martin is currently assigned to NIST to advance adoption of the NIST Artificial Intelligence Risk Management Framework.

Video with Slides

Keynote Address: The Future of Risk Analysis in an AI and Automation World

I am very honored to present our Day 2 Keynote Speaker this morning, Jack Jones, author of the FAIR model and Chairman of the FAIR Institute presenting the Keynote Address today, “The Future of Risk Analysis in an AI and Automation World.” Jack has worked in information security for over thirty-five years, ten years of which as a CISO with three different companies, including a Fortune 100 company. In 2012 Jack received the CSO Compass award for risk management leadership. An adjunct professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs. Jack created the “Factor Analysis of Information Risk” (FAIR) model which has been adopted as an international standard. Currently, Jack is the Chairman of the FAIR Institute and the Chief Research Scientist at Safe Security. He has also co-authored a book on FAIR entitled “Measuring and Managing Information Risk, a FAIR Approach” which was inducted into the Cyber Security Canon in 2016.

Video

Panel: How to Get Ready for the New SEC Rule on Cybersecurity

I am excited for our first panel today titled “Panel: How to Get Ready for the New SEC Rule on Cybersecurity”. Nothing has pushed CRQ more front and center than the release of new rules from the Securities and Exchange Commission (SEC) on cyber risk disclosure – and the concern and confusion around what’s a material cyber risk. Together, we will tackle the issue head-on with expert panelists, including the SEC’s cyber enforcement chief. Led by moderator Kim Nash, Deputy Bureau Chief, WSJ Pro Cybersecurity, please help me welcome the panelists to the stage:
• David Hirsch, Chief, Crypto Asset and Cyber Unit in the Division of Enforcement, SEC
• Brian Walker, CEO, The CAP Group
• Kurt John, CSO, Expedia Group
• Richard Borden, Cybersecurity and Privacy Partner, Frankfurt, Kurnit, Klein, & Selz

Video

Quantifying Multi-Product Security and Privacy AI Risk with FAIR and NIST AI RMF

This track is focused on one of the hottest topics in our industry right now, AI. How can organizations balance the opportunities that arise from AI adoption while managing its risk? What does AI risk actually mean? How can we best manage it? Those questions are coming fast, and FAIR practitioners of quantitative cyber risk management are adapting rapidly. First up in our track today are Tyler Britton, Security Engineer and Taylor Maze, Risk & Governance Manager at Dropbox. They will be presenting on their work with this case study session titled “Quantifying Multi-Product Security and Privacy AI Risk with FAIR and NIST AI RMF.”

Video

Challenges and Opportunities of Moving to Quantitative Risk Management in ERM

Help me welcome our panelists today:
• Evan Wheeler, Senior Director, Technology Risk Management at Capital One and FAIR Institute Advisory Board Member
• Ted Webster, Chief Security and Privacy Officer,

Video with Slides

Accelerating your GenAI Adoption Through AI Risk Posture Management

Presenting today is Pankaj Goyal, Director of Standards & Research at the FAIR Institute, joined by Brandon Sloane in AI Governance at Meta.

Video with Slides

Patch Prioritization with FAIR-CAM™

Next we have Denny Wan, Co-Chair, Sydney Chapter and the FAIR-CAM Workgroup, John Linford, Forum Director at The Open Group, and Sasha Romanosky, Senior Policy Researcher at RAND. The timely application of software patches is the first line of defense against malware by reducing the attack surface. This presentation will discuss how to apply the FAIR-CAM model to inform on the effectiveness of a patch prioritization policy.

Video with Slides

The State of the CRQ Market

Here to give a view of the entire state of the CRQ market, please welcome to the stage Cody Scott, Senior Analyst for Security and Risk at Forrester Research. Cody will be focusing on what users are asking for and where the market is now, including both the positives and the challenges, and where industry research needs to focus moving forward.

Video

How is the Discussion About Cyber Risk Changing at the Board Level?

We are lucky to have with us today a superstar panel on “How the Discussion About Cyber Risk is Changing at the Board Level?”. Reminder to please use the QR code and follow the instructions on page 2 in your program to submit questions. Led by moderator Larry Clinton, President of the Internet Security Alliance (ISA), please help me welcome the panelists to the stage:
• Elias Oxendine IV, CISO, Yum Brands
• Kevin McCarty, CISO, Cigna US Healthcare
• Kris Lovejoy, Board Member, Dominion Energy and Global Security and Resilience Practice Leader, Kyndryl
• David Burg, Americas Cybersecurity Leader, EY

Video with Slides

Connecting Threat Intel to risk with MITRE ATT&CK and FAIR™

We are lucky to have with us today a great session on “Connecting Threat Intel to risk with MITRE ATT&CK and FAIR™”. Reminder to please use the QR code and follow the instructions on page 2 in your program to submit questions. Please help me welcome the panelists to the stage:
• Jon Baker, Director, MITRE Center for Threat-Informed Defense
• Stephen Bartolini, Executive Director, Cybersecurity & Technology, JPMorgan Chase
• Vidit Baxi, CISO, Safe Security

Video with Slides

Introducing FAIR-MAM™ - A Comprehensive Approach to Loss Modeling in FAIR™

This track focuses on the ways in which we can build on the FAIR model, making improvements and advancements to our risk management practices. We start today with an introduction to FAIR-MAM, the FAIR Materiality Assessment Model. Join me in welcoming:
• Erica Eager, Senior Director, Risk Quantification, Safe Security
• Filippo Curti, Financial Economist, Federal Reserve Board of Richmond
• Tom Macphee, Cyber Risk Senior Manager, Cigna

Video

Cyber Insure or Self Insure?

My name is Arturo Perez-Reyes, Strategist, SVP, Cyber and Technology at Newfront. Welcome to our session today, which will ask the question “to cyber insure, or to self-insure?”! Joining me on stage are my esteemed colleagues:
• Tom Srail, EVP Cyber Risk, Willis Tower Watson
• Brandon Pinzon, SVP, Chief Security Officer, Argo Group Insurance
• Mayur Patel, VP, Senior Cyber Underwriter, Munich Re

Video with Slides

Using the FAIR Model for AI Risk-Based Accountability

The purpose of this session is to share practical risk-based compliance tips, using the FAIR model to fix Impact Assessments. The presentation will show convenient tactics for adapting several concepts, such as primary and secondary losses and temporary-bound probability, all in a multidimensional compliance environment. Welcome to the stage Luis Enriquez, Professor at Université de Lille (France) and Universidad Andina Simón Bolivar (Ecuador)!

Video with Slides

Measuring Controls Effectiveness and Risk with FAIR-CAM™

Join our speakers Bryan Smith, VP Product Management at Safe Security, and Tyler Britton, Security Engineer at Dropbox, as we dive into measuring controls effectiveness and risk with FAIR-CAM™.

Video with Slides

Deriving Probability Distributions with Pairwise Relative Comparisons

This presentation supports the FAIR contention that we need to use ranges or distributions for probability and impact in FAIR for risk management. More importantly, this presentation shows how the PERT-styled distributions used in FAIR analyses can be supplemented with pairwise comparisons that can reduce ‘noise’ inherent in measuring uncertainty, thus producing more accurate distributions based on individual judgments as well as judgments from groups of individuals. The process is based on pairwise comparisons of a range of uncertain outcomes, such as the frequencies of an event.

Video with Slides

Measuring Real Life Cyberattacks on Enterprise Networks

Our next session will explore a novel approach to measuring loss events of realistic cyberattacks, empowering organizations to assess their security resilience based on changing threat landscapes and make data-driven decisions for bolstering their defenses against evolving cyber threats. Please welcome Christian Ellerhold, Lead Principal Engineer, Cyber Risk Management at Infineon Technologies, to the stage!

Video

The Rising Ambition of Cyber Risk Management Programs

Now we are lucky to have a case study panorama with a stellar lineup of experts discussing the most important things facing a cyber risk management program today. Led by moderator Daniel Stone, Director at Protiviti, allow me to introduce our panelists:
• Meena Martin, VP, Cyber Risk and Assurance, GSK
• Dan Phillips, Security Risk Management Lead, Meta
• Robert Immella, Global Leader, CRQ, Caterpillar
• Valmiki Mukherjee, Chairman, Cyber Future Foundation

Video

FAIRCON23 Closing Remarks

Thank you all for sharing your expertise. Let’s get ready now for the conclusion of the conference. Closing Remarks will begin momentarily as we allow the rest of the conference attendees to join us here in the Grand Ballroom.

Video with Slides

FAIRCON23 Welcome Address

Now without further ado, it’s time to get FAIRCON23 kicked off! It is my pleasure to introduce Nick Sanna, Founder of the FAIR Institute, and Dave Burg, Americas Cybersecurity Leader at EY. Nick founded the FAIR Institute in 2016 as an expert non-profit organization in response to growing demand from an expanding FAIR community. The idea was to create a forum for learning about FAIR, for developing and sharing innovative best practices, and to serve as a platform for networking with peers. Dave Burg serves as EY’s Americas Cybersecurity Leader. In this role, he assists clients in reactive and proactive consulting capacities involving the deployment of information technology solutions and their use. Please welcome Nick and Dave!

Video

Keynote Panel: Navigating the Confluence of Cybersecurity and AI: Mitigating Risks for the Future

As the stage gets set to continue into our Keynote Conversation, please help me welcome two very special guests. Joining us today are Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, and Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA. We are very grateful to have Chris and Eric here to be in conversation with Nick on “Navigating the Confluence of Cybersecurity and AI: Mitigating Risks for the Future.” The focus of the session will be specifically on how AI is affecting cyber risk management. The panel will discuss how to make sense of AI risk, what to do with it, and of course, the subject of AI from the Federal perspective.

Video

Panel: What Models Do We Need to Improve Risk Management in the 21st Century?

The next session, “What Models Do We Need to Improve Risk Management in the 21st Century?”, is packed with experts. We are about to get key insights, advice, and tips from C-Level experts who are leaders of this quantitative movement. Reminder to please submit your questions using the QR code in the program. Moderated by Robert Rodriquez, Chairman and Founder of SINET, please help me welcome our esteemed panelists:
• Paul Selby, CISO at US Department of Energy
• Jennifer Buckner, SVP Technology Risk Management at Mastercard
• Nathaniel Davis Jr, Vice President, Corporate & Defense Security at Rolls-Royce
• Ian Rathie, CISO at The Fitch Group
• Kurt John, CSO at Expedia Group

Video with Slides

Improving Cyber Visibility and Decision-Making at Maersk

Now, please allow me to introduce our next session with Neil Davis, Head of Cyber Risk Management at Maersk titled “Improving Cyber Visibility and Decision-Making at Maersk.” This case study session will provide a world class example of how Maersk is using quantification to improve cyber risk visibility and their companywide decision making. Neil leads the cyber risk team at AP Moller-Maersk, providing insight into risk exposure by identifying, assessing, and managing the cyber risks faced by Maersk and its supply chain, in support of strategic and tactical decision making - balancing risk and return.

Video with Slides

Winning Over The Doubters - Cutting Through Complexity to Exceed Stakeholder Expectations

In this session, you will hear from Robert Moore, Vice President of Technology Risk at Mastercard, and Tom Callaghan, Co-Founder at C-Risk, as they give a case study presentation on winning over the doubters. These tips will help you get through the perceived complexity of quantification in order to communicate effectively to the business and exceed stakeholder expectations.

Video with Slides

Leveraging Risk Quantification to Build An Integrated Risk Management Program

Our last session in Track 2 today is presented by Damian Apone, Global Director, Governance, Risk & Compliance at Genuine Parts Company (GPC), and Chris Correia, Associate Partner at IBM. They will discuss the journey that GPC has undertaken with IBM’s support to build a holistic risk management program, and how GPC decided to use risk quantification as a foundational capability to enhance risk identification, risk reporting, and prioritization of security projects to optimize GPC’s security operations. Damian will share his experiences working with leadership to demonstrate the value of risk quantification, along with some of the challenges and early successes the organization faced in the adoption of risk quantification. In addition, Damian and Chris will discuss how risk quantification is supporting GPC in its review of risk appetite, executive-level reporting, and cybersecurity insurance.

Video with Slides

Connecting Cyber Risk Assessment to Integrated Decision Management

I am sure that many of you started making great connections during the networking break. Now, please allow me to introduce our next session with Doug Hubbard, titled “Presentation: Connecting Cyber Risk Assessment to Integrated Decision Management.” Quantitative risk analysis in cyber is only part of enterprise risk, and risk is only part of quantitative decision making. Integrated decision management involves utilizing methods tested in large clinical trials and improving and tracking the performance of models, measurement methods, and even expert judgement. Measuring the performance of decision making itself is the most important - and yet apparently among the last – of critical measurements for organizations to conduct. This session will propose a framework for how we may integrate the empirical methods, new algorithms, and even the psychology of decisions and estimates to improve one of the last and most important frontiers of organizational management.

Video with Slides

Is It Raining Risk? What Data says about Cyber Risk in the Cloud

We begin this track with a session by Wade Baker, Co-Founder of Cyentia Institute and Professor at Virginia Tech. Over the years, the Cyentia Institute has published quite a few reports that analyze various aspects of risk in the cloud. Wade is going to provide a “Greatest Hits” presentation today, with the goal of answering questions like “Is cyber risk in cloud environments measurably different than on-prem and, if so, how?”, all while tying it back to the FAIR framework.

Video with Slides

How to Re-think Third-Party Risk with FAIR-TAM™?

We are launching into new waters here as we discuss how to re-think third party risk with FAIR-TAM, the new FAIR extension for third party risk. Leading this session is Pankaj Goyal, Director for Standards & Research at the FAIR Institute. Joining Pankaj are Sarah Sullivan, Director IS&T Security Performance at Thomas Jefferson University Hospitals and Adam Wells, Senior Manager for Cyber Risk Services at Yum! Brands.

Video with Slides

The 2024 Annual Cybersecurity Risk Report

The FAIR Institute Cyber Risk Report is designed to provide reference estimates for the probability, loss, and loss exposure of common cyber events. It summarizes the findings by industry and event themes and details how actionable variables, such as security stance and data retention management, can reduce risk exposure. This year, we are pleased to present original research from EY on the challenges of implementing a cybersecurity program, a survey that revealed the structural problems that hold back many programs and the attributes of the most effective CISOs – as EY calls them, “Secure Creators.” At the FAIR Institute, we believe that transparency and accountability in cyber risk management are best served through cyber risk quantification (CRQ) – with Factor Analysis of Information Risk (FAIR™), the international standard for CRQ, built on a foundation of carefully curated data. We based our 2024 Cybersecurity Risk Report on FAIR analyses and extensive research by our data science advisors. We invite you to discover the most relevant cyber risk data for your organization and benchmark your performance against peers in your industry and others.

Video with Slides

The CRQ Program Development Lifecycle

This next case study session will focus on best practices for enterprise-level FAIR-based CRQ program development. From the initial development of a program charter to the measurement and monitoring of program performance and optimization, the well-established phases and processes of the CRQ Program Development Lifecycle provide a proven methodology to ensure productive outcomes, including executive-level engagement, analyst proficiency, use case selection, powerful storytelling, business alignment, and higher levels of program success. Join me in welcoming Zach Cossairt, Integrated Risk Program Senior Manager at Equinix, and Jon Oppenhuis, Director, Risk Strategy and Success at Safe Security.

Video with Slides

Using Cyber Risk Intelligence to Scale Third Party FAIR Assessments

This next case study session is titled Using Cyber Risk Intelligence to Scale Third Party FAIR Assessments with John Feezell, Assoc. Director, Security Counseling at Kyndryl and Bob Maley, Chief Security Officer at Black Kite. In this session, Bob and John will discuss how the additional context of cyber ratings, compliance assessments, ransomware and data breach intelligence and other cyber risk information can help scale your FAIR assessments.

Video with Slides

Scenario Planning for Effect

Our last session in Track 1 today is presented by Aaron McKay, Cybersecurity Engineer at SCRAM Systems and Jack Whitsitt, Director of CRQ at Ostrich Cyber-Risk discussing a case study on scenario planning for effect.

Video

Fireside Chat: Incident Response and Materiality

I’m happy to introduce our participants in conversation today discussing Incident Response and Materiality, Kevin Mandia, CEO of Mandiant and Saket Modi, CEO of Safe Security, Technical Advisor to the FAIR Institute. Kevin is the Chief Executive officer of Mandiant at Google Cloud. He has served as the company’s Chief Executive Officer since June 2016, including as Chief Executive Officer of FireEye, Inc. until its corporate name change to Mandiant, Inc. in October 2021. Kevin served as a member of the company’s Board of Directors from February 2016 until September 2022, when Mandiant became a part of Google Cloud. Saket Modi is the Co-Founder and CEO of Safe Security, a Cybersecurity and Digital Business Risk Quantification platform company. A computer science engineer by education, he founded Safe Security in 2012 while in his final year of engineering. Safe Security protects the digital infrastructure of multiple Fortune 500 companies around the world.

PDF

"Understanding Cyber Risk Quantification: The Buyer’s Guide" by Jack Jones - V2 Published 2023

From Jack Jones, Chairman of the FAIR Institute and creator of the FAIR model for cyber risk quantification (CRQ) — the definitive guide to understanding CRQ: What it is (and isn't), its value proposition and limitations, and facts regarding the misperceptions that are commonplace.

Learn More
PDF

The FAIR Model

Download the internationally recognized standard FAIR model.

Learn More
PDF

FAIR Model in Traditional Chinese

Learn More
Video with Slides

Automating and Scaling FAIR Quantitative Risk Analysis Sponsored by Safe Security

Enterprises adopting FAIR face a critical hurdle in scaling operations due to the manual nature of the process. Recognizing this gap, FAIR has introduced two extensions: FAIR-CAM, the controls analytics model, and FAIR-MAM, the materiality assessment model.

Learn More
Video with Slides

Throwing the 'Bad' Data in With the Good – Sponsored Webinar with Ostrich Cyber-Risk

In this webinar, participants will be introduced to a simple way to think about and communicate the relative value of data inputs to FAIR analysis and learn about the concept of a “risk information classification framework”. Attendees will also hear about how such a framework may be used for reducing the likelihood of “analysis data rejection” from the business and how to implement a managed approach for improving precision, visibility, and confidence in analysis.

Learn More
Video with Slides

4 Steps To SEC Compliance – Sponsored Webinar with Ostrich Cyber-Risk

As the December 2023 SEC deadline approaches, it is crucial for organizations to prepare for changes effectively. Join this webinar with Jack Whitsitt, Director of Cyber Risk Quantification (CRQ) at Ostrich Cyber-Risk, where he will cover:
• Materiality & Risk: Understand the importance of materiality, risk appetite, tolerance, thresholds, and how to assess and quantify them.
• CRQ Integration: Learn how CRQ seamlessly measures these concepts, facilitating clear communication with the SEC and your Board.
• Implementation Steps: Discover actionable steps you can take today.

Learn More
Video with Slides

How to Achieve SEC Compliance with Real-time and Automated FAIR Solution - Safe Security Sponsored Webinar

New SEC Cyber Risk Disclosure Rules mandate transformation in how publicly traded companies identify, measure, and report on the cyber risks that hit the level of material impact. Businesses need to develop frameworks and processes to make this fundamental shift swiftly. But how? Join this sponsored webinar with Molly Slocum, Director of Product Management from our Technical Advisor, Safe Security, moderated by Jack Jones, author of the FAIR™ methodology and Chairman of the FAIR Institute. Molly will present on how you can provide your organization with an automated, real-time, and quantitative risk management program based on FAIR™. Get actionable insights on how to:
• Automate FAIR™ to measure the probable material impact of cyber risk
• Report on material cyber risks in financial terms that satisfy regulators and your Board
• Demonstrate a transparent cybersecurity strategy protecting investor interests using the most advanced, AI-driven solution
Plus, hear real customer use cases of how AI-driven Cyber Risk Quantification has equipped businesses to identify, measure, and communicate cyber risk in real time.

Learn More
PDF

An Introduction to the FAIR Materiality Assessment Model (FAIR-MAM™)

The FAIR Institute is releasing a new standard to help organizations assess the materiality of cybersecurity risk and incidents, called the FAIR Materiality Assessment Model (FAIR-MAM™). FAIR-MAM expands the loss magnitude factor of the FAIR model and provides a more detailed taxonomy and breakdown of loss categories driven by cybersecurity incidents.

Learn More
Video

What the New SEC Regulation on Cyber Reporting Means for the Risk Management Profession - Webinar

As many of us know, the SEC Commissioners voted to adopt the proposed rule on cyber security. This rule aims to elevate the cyber risk reporting and management practices for public companies (registrants) in the US, to help investors in such companies consider the probable impact of cyber risk as they make investment decisions. This will be a forcing function for companies to adopt trusted cyber risk quantification (CRQ) models such as FAIR™ and adopt processes and tools that provide them with visibility into their material risks and incidents. Tune in to hear industry experts as they explain and discuss what this all means for the risk management profession. Key advice will be shared on how to navigate these new rules together and how CRQ is the top way you can help your organizations be compliant.

Learn More
Video with Slides

GRC and CRQ - A (Good) Story of Codependency - Sponsored Webinar with Ostrich Cyber-Risk

In order to understand how best to plan for and execute Cyber Risk Quantification (CRQ) as a practice and a program, it’s best to start by understanding how it fits into more traditional Governance Risk Compliance (GRC). Leveraging a CRQ tool in a GRC program provides a means to measure cyber risk levels objectively. CRQ is not intended to ‘replace’ or ‘bolt on’ to an existing GRC program. Instead, CRQ informs an evolution of existing practices, and those practices plus CRQ must be taken into consideration as they blend into an enhanced approach to decision-making by leveraging the common ground: METRICS. In this webinar, you will learn how GRC programs and CRQ tools together will help you:
• More accurately estimate and track exposure of financial losses
• Prioritize between compliance and regulation requirements
• Prioritize cyber investments, allocate budget and adjust strategy
• Highlight the decrease in potential financial losses to determine which regulatory or compliance requirement is worth investing in
• Inform stakeholders how you are meeting new cyber regulations

Learn More
Video with Slides

Case Study- Improving Cyber Risk Visibility and Decision-Making with Maersk

Moving right along to our next session, allow me to introduce the Cyber Security Risk Team from Maersk. This case study session will provide a world class example of how Maersk is using quantification to improve cyber risk visibility and their companywide decision making. Here to present today are Pooya Alai and Rebekka Kurland!

Learn More
Video with Slides

Keynote by Jack Jones - The Future of Cybersecurity Risk Measurement

Next up, we have the author and creator of the FAIR Model, Jack Jones with a new and forward-looking presentation on The Future of Cybersecurity Risk Measurement. Jack has worked in information security for over thirty-five years, ten years of which as a CISO with three different companies, including a Fortune 100 company. In 2012 Jack received the CSO Compass award for risk management leadership. An adjunct professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs. Jack created the “Factor Analysis of Information Risk” (FAIR) model which has been adopted as an international standard. Currently, Jack is the Chief Risk Scientist at RiskLens and Chairman of the FAIR Institute, our award-winning global non-profit organization with over 13,000 members worldwide. He has also co-authored a book on FAIR entitled “Measuring and Managing Information Risk, a FAIR Approach” which was inducted into the Cyber Security Canon in 2016.

Learn More
Video with Slides

Keynote by Nick Sanna - How Risk Economics Can Help Us Win the Battle in Cyberspace

For our Opening Keynote, “How Risk Economics Can Help Us Win the Battle in Cyberspace”, it is my pleasure to introduce Nick Sanna, FAIR Institute Founder and President. Nick founded the FAIR Institute in 2016 as an expert non-profit organization in response to growing demand from an expanding FAIR community. The idea was to create a forum for learning about FAIR, for developing and sharing innovative best practices, and to serve as a platform for networking with peers. He was supported in this effort by the author of FAIR – Jack Jones, the Institute's Chairman – and industry representatives from companies such as Fannie Mae, Cisco, Bank of America, and Northern Trust. Outside of his volunteer work at the FAIR Institute, Nick is the CEO of RiskLens, a software company that has developed an enterprise platform based on FAIR and that acts as the Institute's Technical Advisor. Please welcome Nick Sanna!

Learn More
Video with Slides

Case Study for Cyber Risk Quantification in Luxury Watchmaking with Richemont

Next up is our final case study for the day from Pierre Olodo, Cyber Risk Specialist at Richemont. Pierre will share two scenarios that deal with CRQ when it comes to luxury watchmaking. A unique take on the craft! Help me welcome Pierre to the stage.

Learn More
Video

Panel - What Does Effective Cyber Risk Oversight Look Like?

We have a stellar panel lined up. This session is titled “What Does Effective Cyber Risk Oversight Look Like?” and it will dive deeper into Nick’s presentation, and you will hear some real-life examples. The group will discuss the different roles around oversight and share leading practices on what works and works well. Help me welcome to the stage our panel moderated by Julian Meyrick:
• Phil Huggins, CISO, NHS England
• Jo Armstrong, Head of UK Card Technology Risk Management, Capital One
• Naomi Gilbert, Head of Cyber Resilience Policy, Dept. for Digital, Culture, Media and Sport
• Daniel May, Regional CISO, Commerzbank

Learn More
Video

Panel - Communicating Cyber Risk to Management and the Board

Welcome back for our next panel session of the day, focused on “Communicating Cyber Risk to Management and the Board.” We will be discussing the ever-present and important topic of communication and will hear the best tips for performing it successfully. Joining us today are our panelists:
• Moderator: Jack Whitsitt, Director of Cyber Risk Quantification, Ostrich Cyber-Risk
• Keyun Ruan, Risk Economics and Quantification Lead, Google Cloud
• Cedric De Carvalho, Head of Group Cyber Risk & Advisory, Richemont

Learn More
Video

Panel - Moving from a Compliance-Based to a Risk-Based Approach to Cybersecurity

I’m going to invite Jack Jones back to the stage to moderate a panel on “Moving from a Compliance-Based to a Risk-Based Approach to Cybersecurity” that will focus on the benefits and the how-tos of creating an effective strategy around this. Also help me welcome our panelists:
• Paul de Luca, Head of Cyber Risk, HPE
• Laura Voicu, Manager Security Assurance and Risk Management, InfoSec, Elastic
• Hardip Bharj, Head of Security Risk Management, SAP

Learn More
Video with Slides

Approach and Lessons Learned From Building a Cyber Risk Quantification Program with Fresenius

Rolling right along into our next case study session, from the Fresenius Group. These presenters are going to talk about their experiences and share what they have learned from building a CRQ program. Let’s now welcome to the stage David Steng, Director, Cyber Risk & Economics, Group Cybersecurity Office, and Ferhat Yazgili, Senior Cyber Risk Manager, from Fresenius Group.

Learn More
Video with Slides

Europe Summit Closing Remarks with Tony Morbin, News Editor EU, Information Security Media Group

Finally, I am going to hand over the stage to Tony Morbin, Executive News Editor for the EU at Information Security Media Group. Tony has been working and writing in the information security space for years and was previously editor at IT Security Guru and SC Media UK. Tony has been speaking with you all today and listening to the presentations, and will now help us close out the day with summary thoughts, relating them to industry trends.

Learn More
Video with Slides

Measurement Planning Webinar - Sponsored Webinar with Ostrich Cyber-Risk

Often, when getting started with CRQ, organizations tend to focus on how to quantify individual scenarios. While this is an important step, it soon becomes clear that measuring risk for decision support purposes requires a suite of scenarios working in combination to suit a variety of purposes. This “scenario suite” should be treated as one entity composed of individual scenarios that are collectively comparable, fit for purpose, reusable, and sustainable. At this webinar, we will introduce the concept of developing a “Measurement Plan” to support this concept, and we will touch on several techniques that can be used to assure your Cyber Risk Quantification work meets both current and future needs.

Learn More
PDF

Today’s Best Practices for Cybersecurity Risk Measurement - FAIR Institute Seminar at RSAC23

At RSAC23 this week, FAIR Institute Chairman Jack Jones challenged an audience of 400 in two seminars to move beyond today’s common cyber risk measurement practices that don’t reliably measure risk and re-focus on some basic techniques advanced in Factor Analysis of Information Risk (FAIR™).

Learn More
Video

How Government Can Help Manage Cyber Risk-The Example of the New Cybersecurity Framework in Jordan

H.E. Eng. Bassam Maharmeh, President, National Cyber Security Center of Jordan

Learn More
Video

How to Address Common Cyber Risk Management Challenges with FAIR™

Osama Salah, Head of IT Information Security Transformation Program, Abu Dhabi Department of Finance

Learn More
Video

How Risk Economics Can Help Us Win the Battle in Cyberspace

Nick Sanna, President, FAIR Institute, CEO, RiskLens, Board Member, ISA

Learn More
Video

Advancing Cyber Risk Management Practices in Your Organization-Practical Tips and Next Steps

Mohamed Adbulrahim, Managing Director, Octopian Security, Co-Chair FAIR Chapter Jordan

Learn More
Video

Improving Cyber Risk Visibility and Decision-Making-Practical Use Cases

Iman Khalid Al Marzouqi, Group Support Services Director, Alpha Dhabi Holding

Learn More
Video

Measuring and Managing Cyber Risk Effectively-A FAIR Approach

Jack Jones, 3x CISO, Award-winning Author of the FAIR Model, Chairman, FAIR Institute, Chief Risk Scientist, RiskLens

Learn More
Video

Creating National Cyber Risk and Governance Culture

Ahmed Al-Qawasmi, Chief Internal Audit Officer, MEPS
Majdi Armouti, CEO, Digital Haze
Ismael Al-Hinti, Pres., Al Hussein Technical University
Iyad Khorma, CEO, Aqaba Digital Hub

Learn More
Video with Slides

Webinar - Understanding CRQ - A Buyer's Guide Review V2

Jack Jones, Chairman, FAIR Institute; Author, FAIR™ Model

Learn More
Video with Slides

Getting Your Money's Worth: Putting Your Controls Inventory to Work

Marta Palanques, Director of Risk Methodologies in Technology Risk Management at Capital One

Learn More
Video with Slides

Case Study: Quantifying the Control and Risk Landscape Using FAIR-CAM

Tyler Britton, Quantitative Cyber Risk Manager at DropBox

Learn More
PDF

New Member Engagement Packet

A quick overview of the FAIR Institute to get you started.

Learn More
Video

Fireside Chat-A Legislative and Policy Update on Cybersecurity and Risk Management

Moderator: Larry Clinton, President, Internet Security Alliance (ISA)
Mark Montgomery, Executive Director, CyberSolarium.org
Frank Cilluffo, Commissioner, CSC

Learn More
Video

Fireside Chat-What the Revised SEC Guidance on Cyber Risk Disclosures Means for You

David Hirsch, Chief of the Crypto Asset and Cyber Unit, Division of Enforcement, SEC
Kristy Littman, Fmr. Chief of Enforcement - Cyber Unit, SEC

Learn More
Video

Panel: Driving Culture Change - From a Compliance to a Risk-based Approach to Cybersecurity

Moderator: Omar Khawaja, CISO, Highmark Health
Mark Tomallo, SVP, CISO, Victoria’s Secret
Mary Elizabeth Faulkner, CISO, Thrivent Financial
Jeff Norem, Deputy CISO, Freddie Mac

Learn More
Video with Slides

Panel: Communicating Cyber Risk to the Board and the Business: How Is It Changing?

Moderator: Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, Security Services, IBM
James Lam, Board Director & ERM Author
Evan Wheeler, Sr. Director, Technology Risk Management, Capital One
Michael Meis, Associate CISO, KU Health

Learn More
Video with Slides

Managing Cyber Risk as a Strategic Enterprise Risk - John Button, Gartner

John Button, Principal Enterprise Risk Advisor, Gartner

Learn More
Video with Slides

Case Study-Five Objections to FAIR and How to Overcome Them with Netflix

Tony Martin-Vegue, Senior Information Security Risk Engineer, Netflix
Prashanthi Koutha, Senior Risk Engineer, Netflix

Learn More
Video with Slides

Presentation-Expedia Group’s Approach to Build an Effective Security Risk MGT Program using FAIR

Krishna Sheshabhattar, Director, Security, Risk, and Compliance, Expedia Group
Randy Spusta, Global Competency Leader, Security Strategy Risk & Compliance Practice, IBM Security

Learn More
Video with Slides

Case Study-Refining the “R” in GRC at Scale with Mike Radigan, Cisco

Michael Radigan, Cyber Risk Advisor, Cisco

Learn More
Video with Slides

Case Study-Scaling FAIR for M&A & Beyond-Combining Bottom-Up and Top-Down Approaches with Richemont

Cedric de Carvalho, Head of Group Cyber Risk & Advisory, Richemont

Learn More
Video with Slides

Presentation-Justifying the Value of Cybersecurity to the Business with Omar Khawaja

Omar Khawaja, CISO at Highmark Health on their BOSITE Framework

Learn More
Video with Slides

Case Study-Harnessing The Voltage Effect to Scale our FAIR Risk Programs with Zach Cossairt, Equinix

Zach Cossairt, Information Risk Program Manager, Equinix

Learn More
Video with Slides

Case Study-Embedding CRQ in the Infosec Governance Process of a Fast-Growing Pop Culture Retail Org.

Markus Kaufmann, CISO, Senior Director of Information Security, Funko
Tom Callaghan, Co-Founder, C-Risk

Learn More
Video with Slides

Case Study-Building a Strong Foundation for your Quantitative Risk MGT Program with Tim Wynkoop

Tim Wynkoop, Sr. Information Security Risk Engineer, Equinix

Learn More
Video with Slides

Panel-Scaling a Quantitative Risk Management Program

Andrew Retrum, Managing Director, US Security Program & Strategy Practice Lead, Protiviti
Brenda Thayer, Senior Manager, Technology Risk, Fannie Mae
David Severski, Senior Security Data Scientist, Cyentia Institute
Tim Kelly, Senior Manager, Protiviti

Learn More
Video with Slides

Presentation-Unveiling the IRIS 2022-Bigger Scale, Greater Depth, and More Data for Your CRQ Program

Wade Baker, Partner, Cyentia Institute
David Severski, Senior Security Data Scientist, Cyentia Institute

Learn More
Video with Slides

Presentation-Trends in Determining Systemic Cyber Risk for the Financial Services Industry

Matthew Tolbert, Sr. Cybersecurity Specialist, Supervision and Regulation, Fed Reserve Bank of Cleveland

Learn More
Video with Slides

Closing Remarks with Derek Johnson and Jack Jones

Jack Jones, Chairman, FAIR Institute and Derek Johnson, Senior Reporter, SC Media

Learn More
Video with Slides

Presentation-Scaling FAIR for Third Party Risk Management with Black Kite

Bob Maley, Chief Security Officer, Black Kite

Learn More
Video with Slides

FAIRCON22 Welcome Address

Nick Sanna, President, FAIR Institute

Learn More
Video with Slides

Keynote Address: Trusting Risk-Informed Decisions with Jack Jones

Jack Jones, Chairman, FAIR Institute

Learn More
Video with Slides

Keynote - How Risk Economics Can Help Us Win the Battle in Cyberspace with Larry Clinton

Larry Clinton, President, Internet Security Alliance (ISA)

Learn More
Video with Slides

Presentation: Subjective Judgements: Outperforming Your Current Best Experts with Doug Hubbard

Douglas Hubbard, President, Hubbard Decision Research

Learn More
Video with Slides

Panel-CIS, NIST 800-53, ISO27000-Mapping Leading Control Frameworks to FAIR-CAM™

Moderator: Jack Jones, Chairman, FAIR Institute
Daniel Stone, Associate Director, Security & Privacy, Protiviti
Erin Macuga, Manager Risk and Information Security, Thrivent Financial
Robert Immella, Global Leader of Cyber Risk Quantification, Caterpillar Inc
Tyler Britton, Quantitative Cyber Risk Manager, DropBox
Drew Brown, Information System Security Developer, FAA

Learn More
Video with Slides

Presentation-How to Scale FAIR Programs with Controls Analytics with RiskLens

Jack Jones, Chairman, FAIR Institute, Chief Risk Scientist, RiskLens
Bryan Smith, CTO, RiskLens

Learn More
Video with Slides

Preparing for the Quantum Threat to Cryptocurrency and Cryptography - Protiviti Sponsored Webinar

Learn More
PDF

The Future of Cybersecurity Risk Measurement at RSAC22 - Slide Deck

Hello and good morning. Welcome to our seminar today from the FAIR Institute where we will be diving into the Future of Cybersecurity Risk Measurement.

Learn More
Video

Maturing A Quantitative Risk Management Program in the Federal Government

Learn More
Video

Overcoming the Challenges of Mapping NIST CSF to FAIR-CAM™

Learn More
Video

Unveiling My Cyber Risk Benchmark: Risk Quantification for All

Learn More
Video

Critical Do’s and Don’ts of Cyber Risk Board Reporting

Learn More
Video

Building a Quantitative Cyber Risk Program Based on FAIR

Learn More
PDF

New study demonstrating CRQ parameters

The Cyentia Institute just released a new study that analyzes 2000 incidents affecting nonprofit organizations to derive estimates and parameters for loss event frequency, loss magnitude, common incident patterns, etc.

Learn More
PDF

An Overview of the FAIR Controls Analytics Model (FAIR-CAM™)

Click below to download the white paper "An Overview of the FAIR Controls Analytics Model (FAIR-CAM™)"

Learn More
Discussion Forum

FAIR-CAM™ FAQs

Learn More
PDF

Description of the FAIR-CAM™ Standard

Download the white paper below.

Learn More
Video with Slides

Operationalizing FAIR at a Healthcare Insurer and Provider - Advanced Track Meeting - Sept 23, 2021

In the webinar “Operationalizing FAIR at a Healthcare Insurer and Provider: Initial Mis-Steps, Current Use Cases, and Future State," Greg and Jason will discuss how Highmark Health took the next steps after identifying Top Risks, some of the challenges they have faced, how they are currently using FAIR to drive decision-making, and what their vision for FAIR at Highmark looks like.

Learn More
Video with Slides

Common Use Cases of FAIR Analysis - Beginner Chapter Meeting #3 - September 15, 2021

FAIR is the most common quantitative methodology in the technology and operational risk field, enjoying wide adoption and abundant resources to help those getting started.

Learn More
Video with Slides

Protiviti Sponsored Webinar - Establish Your Cyber Risk Management Baseline

After an organization has successfully conducted FAIR analyses, many wonder how they can expand their use of risk quantification to better understand their overall cyber risk exposure.

Learn More
PDF

2019 Cyber Risk Management Maturity Benchmark Survey

The FAIR™ Institute’s third annual Cyber Risk Management Maturity Benchmark Survey results are in, and show “a lot of opportunity left in the risk management space for improvement,” says survey report author and FAIR Institute Fellow Jack Freund, PhD.

Learn More
Video with Slides

FAIR Institute Chapter Meeting - Advanced Track Meeting 1 - Reporting Risk to the Board

Presenters:
Matt Kruse, Senior Director - Risk, Information Security and Compliance (RISC), FIS Global
Nick Corzine, Manager, Quantitative Cyber Risk Analysis, Centene

Learn More
Video with Slides

FAIR Institute Chapter Meeting - Incentivizing Better Risk Decisions: Lesson From Rogue Actuaries

Presenter: Tony Martin-Vegue - Sr. Information Security Risk Engineer/Netflix

Learn More
Video with Slides

How to Manage and Communicate Cyber Risk in Business Terms - Association Seminar at RSAC21

Here is the FAIR Institute's 3-part seminar on the business benefits of cyber risk quantification at RSA Conference 2021.

Learn More
Video with Slides

FAIR Institute Chapter Meeting - What They Didn't Teach You In Fair School

Presenter: Jack Whitsitt - FAIR Institute Board Member, SIRA Board Member, Cybersecurity Psychologist

Learn More
Video with Slides

WEBINAR: Use case presentation on using FAIR to implement a new system

Join us for the use case webinar presentation, hosted by the FAIR Institute in Spanish, to learn about using FAIR to implement a new IT system at Ascena Retail Group, a Fortune 500 company in the United States.

Learn More
Video with Slides

Measuring the Cyber Attack Surface - RiskRecon Sponsored Webinar Recording

Webinar recording and slide deck below.

Learn More
PDF

FAIR Institute and HITRUST Plan Integration of FAIR Standard and HITRUST CSF

The FAIR Institute and HITRUST® launched an effort to integrate FAIR™, the international standard for cyber risk quantification, with the HITRUST CSF, the cybersecurity controls framework in use at hundreds of thousands of organizations, including 75% of Fortune 200 companies.

Learn More
Video with Slides

C-Level Panel - Improving Decision Making through the Adoption of FAIR

Frank Kim, Curriculum Director, SANS Institute

Learn More
Video with Slides

Clarifying SEC’s Expectations for Cyber Risk Disclosures

Kristy Littman, Chief, Cyber Unit, Division of Enforcement, U.S. Securities and Exchange Commission (SEC)

Learn More
Video with Slides

Roundtable - A Strategic Approach to Defending the U.S. in Cyberspace

Moderator: Nick Sanna, President, FAIR Institute

Learn More
Video with Slides

Use Case Panorama - How FAIR Analysis Improves Risk Communication and Decision Making

Moderator: Donna Gallaher, Board of Advisors, FAIR Institute

Learn More
Video with Slides

Case Study - How FAIR Analyses Support Decision-Making at Netflix

Tony Martin-Vegue, Sr. Information Security, Risk Engineer, Netflix

Learn More
Video with Slides

Presentation - Improving DevSecOps with FAIR at Doordash

Sarina Hothi, Security Project Manager, DoorDash

Learn More
Video with Slides

Presentation - Updates to the Open FAIR Standards

John Linford, Forum Director, Security Forum & Open Trusted Technology Forum (OTTF), The Open Group

Learn More
Video with Slides

Keynote Conversation-How to Help the Business Make the Right Decisions on Risks They Struggle to See

Michele Wucker, Author, "The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore"

Learn More
Video with Slides

Case Study - Decision Making with FAIR - Quantification and The Rise of Class Action Lawsuits

We have all seen the value of running FAIR analysis across a number of business situations. But how can the output of FAIR analyses be applied to everyday business decisions?

Learn More
Video with Slides

Presentation - The Team as a Measurement Instrument

Douglas Hubbard, Author, "How to Measure Anything in Cybersecurity Risk"

Learn More
Video with Slides

Case Study - Building a Program with HITRUST & FAIR

Marshall Lambert, Team Lead, Cyber Risk Quantification, Highmark Health

Learn More
Video with Slides

Case Study - Protecting Government Information and Assessing Controls at Scale

Anthony Corso, Assistant Commissioner, Office of the Victorian Information Commissioner

Learn More
Video with Slides

Conversation - OCC Insights for Cyber Risk Assessments

Bill Barouski, Chief Information Risk Officer, Northern Trust Corporation

Learn More
Video with Slides

Presentation - Drivers for IRM, Digital Transformation & Cost Optimization

Moderator: Sounil Yu, CISO, YL Ventures & Board of Advisors Member, FAIR Institute

Learn More
Video with Slides

Opening Keynote: Factoring Risk in Decision Making: Better Risk Measurement Enables Better Decisions

Welcome Remarks and Opening Keynote: Factoring Risk in Decision Making: How Better Risk Measurement Enables Better Decision-Making

Learn More
Video with Slides

Presentation - How to Rapidly Triage Issues and Findings to Focus on What Matters Most

David Elfering, Senior Director of Information Security

Learn More
Video with Slides

Presentation - How Better Data Can Help Executives Make Better Decisions

Wade Baker, Partner & Co-Founder, Cyentia Institute; Member, Board of Advisors, FAIR Institute

Learn More
Video with Slides

Case Study - Reporting Cyber Risk to the Board: Real Life Examples

Matt Kruse, Senior Director - Risk, Information Security and Compliance (RISC), FIS Global

Learn More
Video with Slides

Presentation - Prioritizing NIST CSF Activities with FAIR

Richard Barretto, Security Operations Manager, Cimpress
Jack Freund, Fellow, FAIR Institute

Learn More
Video with Slides

Case Study - Enhancing HIPAA Risk Assessment with FAIR

Reny Mathew, InfoSec Analyst, Cambia Health Solutions

Learn More
Video with Slides

Case Study - Building A Quantitative Risk Management Program in the Federal Government

Emery Csulak, Principal Deputy Chief Information Officer, U.S. Department of Energy (DOE)

Learn More
Video with Slides

Presentation - Support Your Company’s Digital Transformation during Times of Crisis

Harold Marcenaro, Digital Risk Officer, Banco de Credito del Peru (BCP)

Learn More
Video with Slides

FAIR Institute Introductory Webinar for Latin America and South America

Dear specialists of Latin America, the FAIR Conference 2020 (FAIRCON2020), the leading global conference on quantitative risk management, will be held digitally on October 6 and 7 (Tuesday and Wednesday).

Learn More
Video with Slides

Weaving a Safer Web: Significant Risks from Insignificant Details - RiskRecon Sponsored Webinar

As organizations continue to adjust to the current digital climate, security teams have had to shift their focus: enhancing work-from-home security measures, managing changes to the digital supply chain, and monitoring the ever-expanding data universe. But recent research has shown that some businesses are ignoring some basic security principles, thus leaving themselves exposed to serious threats.

Learn More
Video with Slides

Rapid Risk Assessments: Identifying and Prioritizing Risks in Minutes Instead of Months - RiskLens

Many information security teams are running risk assessments that are qualitative in nature and do not provide results in terms business leaders and decision makers can understand.

Learn More
Video with Slides

Using FAIR to Understand Change in Resilience Risk - Protiviti Sponsored Webinar

This webinar is a step-by-step walk-through from the primary authors of Protiviti’s latest thought leadership piece, “Understanding Changes in Resilience Risks From Technology Advancements.”

Learn More
Video with Slides

How Financial Risk Quantification Can Help Federal Agencies Better Integrate Cybersec. Risk & ERM

Listen in to learn how Financial Risk Quantification can assist in integration of Cybersecurity Risk and ERM.

Learn More
Video with Slides

Reducing Cybersecurity Risk by Automating Continuous Vendor Assessment - Sponsored by RiskRecon

Assessing cybersecurity risk has taken on a new meaning as organizations shift toward virtual operations and companies focus on maintaining operations.

Learn More
Video with Slides

Making Better Cyber and Technology Risk Decisions - Part 3 Webinar with Jack Jones

How to Get Started with Quantification & FAIR

Learn More
PDF

ISACA Journal Case Study: ‘Building a Rock-Solid ERM Culture on FAIR™’

The latest issue of the ISACA Journal presents a detailed case study on the long-running FAIR™ program at Rock Holdings, Inc. (parent company of Quicken Loans and Rocket Loans), and how “FAIR implementation transformed the business’ enterprise risk management (ERM) program and risk culture.”

Learn More
Video with Slides

Making Better Cyber and Technology Risk Decisions - Part 2 Webinar with Jack Jones

Advantages of a Quantitative Approach to Cyber Risk

Learn More
Video with Slides

Making Better Cyber and Technology Risk Decisions - Part 1 Webinar with Jack Jones

Successfully managing today’s complex and dynamic cyber and technology risk landscape requires being able to prioritize well and communicate effectively to executive stakeholders.

Learn More
Video with Slides

"Use Risk Quantification to Change Executive Priorities and Investments in Security" Webinar

Security and Risk Management leaders are exploring various methodologies in measuring information risk.

Learn More
Video with Slides

Cyber Risk Through a Cyber Situational Awareness Lens - Webinar with Jack Jones

The military has leveraged the concept of situational awareness to improve decision-making, particularly in the face of uncertainty.

Learn More
Video with Slides

Managing Cyber Risk with FAIR and NIST CSF - Webinar with Jack Jones

NIST CSF is intended to help organizations become more risk-focused.

Learn More
Video with Slides

WEBINAR: Reducing Cyber Risk from Employees Working at Home Case Study

Many companies are currently looking at work from home options for employees in response to the Coronavirus pandemic, while still maintaining control over sensitive corporate data.

Learn More
Video with Slides

RSAC20 Seminar Slides - A FAIR Approach to Cyber and Technology Risk Measurement

Risk management expectations are evolving, especially with regards to how risk is being measured and communicated.

Learn More
Video with Slides

FAIR Institute Interview with Jack Jones and Michele Wucker, author of "The Gray Rhino"

It was a meeting of the minds: FAIR model creator Jack Jones, who has dedicated his career to advocating quantitative, critical thinking over the easy-button practices of conventional cyber risk management, and Michele Wucker, author of The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore, a highly acclaimed book that is getting renewed buzz as a result of the “unforeseen” coronavirus crisis, which was all along like a snorting gray rhino about to charge.

Learn More
Video with Slides

FAIR Breakfast Meeting During RSAC20 - Building Effective Cyber Risk Management Programs that Work

Key Points from Jack Jones and CISOs on Adopting FAIR

Learn More
Video with Slides

Webinar Recording-Fannie Mae Cyber Intelligence Team Drives Culture Change Around Risk Using FAIR

Organizations starting out on their FAIR journey have probably heard the pitch several times by now: the qualitative High Medium Low “risk ratings” don’t cut it anymore.

Learn More
Video with Slides

Combining NIST CSF and FAIR to Drive Better Cyber Risk Decisions - RiskLens Sponsored Webinar

If you are a private sector organization driving your security program forward with the NIST-CSF framework, or a U.S. Government Agency working to adhere to the NIST Framework for Improving Critical Infrastructure Cybersecurity, you're on the right track to better outcomes.

Learn More
Video with Slides

2019 Risk Management Maturity Benchmark Survey Results Webinar

Join Jack Freund, PhD, co-author of the FAIR book “Measuring and Managing Information Risk: A FAIR Approach,” and our expert panel for this engaging webinar on Thursday, December 19 at 11 AM EST.

Learn More
Video with Slides

Webinar: Quantified Cyber Risk Management: Three steps to success with Highmark Health

Interactive discussion focusing on Highmark Health's two-year journey to implement quantitative cyber risk management methods.

Learn More
Video with Slides

Profiling organisation - FAIR Analysis - post by Denny Wan, Chair of the Sydney Local Chapter

The Open Group FAIR cyber risk quantification framework aims to create a common risk language that all can understand across an organisation.

Learn More
Video with Slides

Am I Mature Enough to Adopt FAIR? - Uncovering the True Success Factors

Finding your team's "True North" when starting a FAIR program can be overwhelming.

Learn More
Video with Slides

Various Stages of FAIR Adoption - Geoji Paul, Centene and Nathan Thomack, Emerson

Please welcome to the stage Geoji Paul, Director of Information Security Risk at Centene and Nathan Thomack, Manager of Cybersecurity Risk Management at Emerson for their session “Various Stages of FAIR Adoption.”

Learn More
Video with Slides

Integrating Cyber Into ERM

Thank you all for joining our panel session “Integrating Cyber Into ERM.”

Learn More
Video with Slides

Why Digital Business Needs IRM & Risk Quantification by John Wheeler, Gartner

Day 2 Keynote Speaker, John Wheeler, Global Research Leader - Risk Management Technology at Gartner.

Learn More
Video with Slides

Using FAIR to take the Headache out of considering Cyber Insurance for your Business - Walmart

At Walmart, the use of FAIR-based risk quantification methods enables decision makers to effectively evaluate cyber-insurance policies.

Learn More
Video with Slides

A Crash Course on Quantitative vs. Qualitative with Evan Wheeler

The title of this presentation is “A Crash Course on Quantitative vs. Qualitative.” It will help answer two questions: should I adopt a formal risk model, and should I quantify risk?

Learn More
Video with Slides

Pen Testing Your Board Pitch: An Interactive Exercise

This session will provide actionable advice on satisfying board members’ appetite for cyber risk analysis on an equal, quantitative footing with enterprise risk management (ERM) analysis.

Learn More
Video with Slides

Integrating Strategic Cyber Threat Intel and FAIR, Musso Shaikh, Cyber Threat Intel, Fannie Mae

A mutually beneficial relationship exists between threat intelligence and quantitative risk assessments via FAIR.

Learn More
Video with Slides

Scoping Enterprise Risk Assessments - Keith Weinbaum, Quicken Loans

Please welcome Keith Weinbaum, Enterprise Risk Management Architect at Quicken Loans.

Learn More
Video with Slides

Operationalizing Risk Quantification in Business Processes with Jack Whitsitt

So, you’ve brought FAIR into your organization. You got the executive buy-in, were trained, and are now a FAIR shop.

Learn More
Video with Slides

Closing the Risk Management Loop with Cyber Risk Quantification with Greg Rothauser

A growing list of financial services organizations are using FAIR to mature their information risk management function and effectively address their most significant risks.

Learn More
Video with Slides

Building a Cybersecurity Program with a Risk Management Framework & FAIR

Many organizations rely on risk management frameworks such as NIST CSF and HITRUST as guidance for building best practice cybersecurity programs.

Learn More
Video with Slides

CISO Panel: Defining the Goals of an Effective Risk Management Program

The next session “Defining the Goals of an Effective Risk Management Program” will include expert CISOs who are leaders of this movement and who will share their experience with us.

Learn More
Video with Slides

How to Measure Risk with Limited and Messy Data: Overcoming the Myths by Doug Hubbard

Doug is the author of the books How to Measure Anything, How to Measure Anything in Cybersecurity Risk and The Failure of Risk Management and a consultant through Hubbard Decision Research.

Learn More
Video with Slides

The View from U.S. Congress Cong. Jim Langevin, Co-Chair Congressional Cybersecurity Caucus

Securing our nation’s technology infrastructure against cyber-attacks is a top priority for Rep. Langevin.

Learn More
Video with Slides

Managing Organizational and Third-party Risk in the Age of Digital Transformation

Managing Organizational and Third-party Risk in the Age of Digital Transformation: Practical Lessons and Data-influenced Considerations

Learn More
Video with Slides

Use Case Panorama - How Quantification Enables Risk-Aligned Decision Making

Real-life business decisions at some of the world's largest companies are being made every day based on quantitative risk assessments.

Learn More
Video with Slides

Enabling Risk Management Programs That Actually Work by Jack Jones, Chairman, FAIR Institute

For our opening keynote, I would like to introduce Jack Jones, author of FAIR and Chairman of the FAIR Institute, who will discuss “Enabling Risk Management Programs That Actually Work.”

Learn More
PDF

Compilation of Risk Assessment Guidelines from Various Regulatory and Compliance Entities

The Cyber Risk Management Workgroup has now published a compilation of risk assessment guidelines from various regulatory and compliance entities intended to be used as an overview for practitioners.

Learn More
PDF

Regulatory/Compliance Risk Assessment Overview for FAIR Practitioners

Attached is the Cyber Risk Management Workgroup Deliverable "Regulatory/Compliance Risk Assessment Overview for FAIR Practitioners"

Learn More
PDF

The Road to Cyber Risk Maturity - 2018 Risk Management Maturity Benchmark Survey Report

Our second annual Benchmark Survey Report to provide insights into the current state of the industry and how best to move forward.

Learn More
Wistia Link

Video: 2018 Risk Management Maturity Benchmark Survey Results Webinar

Learn More
Video with Slides

Member Engagement Packet for the FAIR Institute

Have questions about where to start within the Institute, or how best to get involved?

Learn More
Video with Slides

Board Oversight of Cyber Risk - Baseline Diagnostic Guide

Download attachment below.

Learn More
PDF

Wheel of Fire Hits Stack - A New Way of Visualizing Effective Risk Management

"We need effective risk management to make well-informed decisions and we need effective risk management to measure those decisions and, over time, sometimes a relatively short time, to challenge the status quo as our environments change and as we know and understand more.

Learn More
PDF

Jack Jones: Managing Cybersecurity Surprises - the Executive’s Perspective

“Executives hate surprises” begins a new white paper, Managing Cybersecurity Surprises – the Executive’s Perspective, by FAIR model creator Jack Jones, and goes on to detail the four most likely reasons that organizations get blindsided by cybersecurity failures:

Learn More
Video with Slides

Panel: How to communicate the value of FAIR to internal and external stakeholders

Learn More
Video with Slides

Awards Luncheon

Learn More
Video with Slides

Technical Advisor, RiskLens Sponsored Webinar

Seasoned risk consultant and FAIR expert Rebecca Merritt of RiskLens will share her personal path to enlightenment (read: the FAIR model!) as a former IT auditor at a Big 4 firm.

Learn More
Video with Slides

Information Overload - How much do boards really need to know about cyber risk

Slide presentation from Jack Jones on how to better communicate to Boards.

Learn More
Video with Slides

FAIR Institute Orientation Webinar for New Members

This webinar is hosted on a monthly basis for new members to the Institute. It is an overview of the offerings of the Institute and the advantages of becoming an engaged member.

Learn More
Video with Slides

About the FAIR Institute

Feel free to download and share the "About the FAIR Institute" presentation attached below to spread the word of FAIR and the FAIR Institute.

Learn More
PDF

Industrial Company Assesses Ransomware Threat - Sponsored by RiskLens

This case study is designed as a scenario that helps inform management about the significance of an emerging risk, such as ransomware.

Learn More
PDF

Financial Institution Prepares for GDPR and NYDFS Regulations Using RiskLens - Sponsored by RiskLens

A global banking and financial services holding company with over $300B in total assets is preparing for the upcoming European Union General Data Protection Regulation (GDPR) and New York Department of Financial Services (NYDFS) cybersecurity regulations.

Learn More
PDF

Financial Institution calculates Risk Exposure in Moving to Office 365 - Sponsored by RiskLens

A financial services institution with $10B in total assets was trying to determine if a move to Office 365 from their internally hosted Exchange Server made sense for the organization.

Learn More
PDF

Healthcare Supplier Uses RiskLens to Identify Business Continuity Strategy - Sponsored by RiskLens

A large healthcare supplier serving more than 150 million Americans operated a key fulfillment facility in an area threatened by natural disasters.

Learn More
PDF

Manufacturing Company CISO Confidently Justifies IP Protection Project - Sponsored by RiskLens

The CISO at a global manufacturing company with $50 billion in revenue faced an all-too-common problem: intellectual property (IP), critical to the company’s success and market position, was scattered throughout the organization, exposing it to serious IP exfiltration.

Learn More
Wistia Link

Video: 2017 Risk Management Maturity Benchmark Survey Results Webinar

Our first annual Benchmark Survey Report and Webinar provide insights into the current state of the industry and how best to move forward.

Learn More
PDF

Where Do We Go From Here? 2017 Risk Management Maturity Benchmark Survey Results Report

Our first annual Benchmark Survey Report and Webinar provide insights into the current state of the industry and how best to move forward.

Learn More
PDF

Improving Risk Decisions

This article will provide insight into the factors that drive risk decisions, the role of business management and security experts in decision making, as well as the information that’s necessary in order to make well-informed risk decisions.

Learn More
PDF

The Failure of GRC

In this white paper, Jack Jones shares five reasons why many organizations are, at best, realizing only one of many important objectives.

Learn More
PDF

Effectively Leveraging Data in FAIR Analyses

With the advent of FAIR, organizations finally have a model that enables effective cyber risk measurement. This document provides guidance and examples to help organizations improve their FAIR-based risk analyses by making better use of the data sources available to them.

Learn More
PDF

A Clarification of "Risks"?

People in the risk management profession routinely use the word “risk” in different ways. Although this may be fine in a non-professional setting, it presents significant challenges in terms of our ability to accurately and efficiently identify, measure, and communicate about risk.

Learn More
PDF

How You Prioritize, Matters

This paper describes at a high level a comparison of the relative efficacy of prioritizing risk remediation activities using qualitative versus quantitative methods.

Learn More
PDF

Does Training Help Reduce Spear Phishing Risk?

Find out if training can reduce risk associated with spear and regular phishing in this case study.

Learn More
PDF

Cost-Benefit of Implementing Credit Card Database Tokenization

Review a case study on how much credit card number tokenization can reduce the risk associated with the card datastore.

Learn More
PDF

A Risk-Based Approach for Information Security and Fraud Analytics

Review a Big Data Case Study on Using a Risk-Based Approach for Information Security and Fraud Analytics.

Learn More
PDF

Learning Institution Assesses Best Architecture To Secure Cloud App

Understand how much risk is associated with different encryption strategies for cloud data.

Learn More
PDF

Cyber Risk Management Maturity

This document describes a more fundamental approach to defining and evaluating cyber risk management maturity.

Learn More
Video with Slides

Building a Sustainable FAIR Program

Learn from one of the most successful FAIR implementation teams.

Learn More
Video with Slides

Mapping NIST CSF & FAIR - Slides from the Data Utilization Workgroup Call (11/08/2017)

Join Jack Jones as he explains how NIST CSF and FAIR act as complements to one another.

Learn More
PDF

Root-Cause Analysis - Break Out of Groundhog Day

Applying Root Cause Analysis to a portfolio of issues can help identify and resolve systemic issues within your organization.

Learn More