FAIR Model Standard Artifact (V3.0)
Standards artifact for the Factor Analysis of Information Risk Model, version 3.0, released January 15, 2025.
A FAIR Framework for Effective Cyber Risk Management
Cybersecurity leaders face an increasingly complex risk landscape where the stakes—financial, operational, and regulatory—continue to climb. The FAIR Institute’s latest white paper, Integrating FAIR Models for Cyber Risk Management, written by Pankaj Goyal and me, provides an invaluable blueprint for addressing these challenges. By detailing the integration of the FAIR Model, FAIR Controls Analytics Model (FAIR-CAM), and FAIR Materiality Assessment Model (FAIR-MAM), this paper illustrates a robust framework that quantifies cyber risk in financial terms while aligning security practices with business objectives.

This paper was developed to bridge a gap in how organizations quantify and manage cyber risks. Many existing approaches to cybersecurity focus on improving controls (mitigating vulnerabilities) without a clear understanding of the broader impact on business operations or compliance mandates. Furthermore, the 2023 SEC Cybersecurity Disclosure Rule has heightened the need for transparent, standardized methods for reporting material risks and estimating potential losses. By weaving together three interrelated FAIR standards, this paper sets out to empower Chief Information Security Officers (CISOs), cyber risk leaders, and other stakeholders to:
• quantify risk in terms of probable financial loss, taking into account control effectiveness and its direct impact on risk factors;
• evaluate materiality with a structured, defensible approach to loss estimation; and
• align risk management efforts, especially investments to improve controls, with business priorities and regulatory compliance.

For CISOs and cyber risk management leaders, this white paper addresses how to:
• Bridge the Cyber-Business Gap: By quantifying risk in financial terms, the integrated FAIR models enable leaders to communicate risk in a language the board and executives understand—dollars and cents.
• Optimize Control Effectiveness: FAIR-CAM offers a structured methodology for understanding how controls interact as a system, allowing organizations to invest strategically in the most impactful controls.
• Meet Regulatory Demands: With the SEC’s requirement to disclose “material” risks, FAIR-MAM provides the granularity and rigor needed to develop accurate and defensible loss estimates for reporting.
• Enhance Decision-Making: By integrating these models into a Cyber Risk Management System (CRMS), organizations gain real-time insights (situational awareness), enabling better prioritization and resource allocation.

Our paper addresses the following key topics:

The FAIR Model: Foundation for Risk Quantification
At its core, the FAIR Model decomposes risk into Loss Event Frequency and Loss Magnitude, providing a clear structure for estimating annualized loss exposure (ALE). By integrating threat intelligence and vulnerability data, FAIR enables dynamic, continuous risk monitoring.

FAIR-CAM: A “Controls Physiology” Approach
FAIR-CAM expands on the FAIR Model by categorizing controls into three domains — Loss Event Controls (reduce loss frequency or magnitude), Variance Management Controls (ensure control reliability), and Decision Support Controls (align decisions with organizational objectives). This systemic perspective highlights interdependencies between controls, ensuring a more reliable measurement of their effectiveness.

FAIR-MAM: Granular Loss Magnitude Analysis
FAIR-MAM addresses the challenge of quantifying the financial impact of cyber incidents. By breaking down losses into 10 modules and 26 categories, it enables analysts to provide more precise, defensible estimates. This is particularly valuable for meeting regulatory reporting requirements like those outlined by the SEC.

Role of the Cyber Risk Management System (CRMS)
A CRMS operationalizes these FAIR standards by centralizing data, automating analyses, and enabling real-time monitoring. It provides a unified platform for integrating risk quantification, control evaluation, and loss analysis, ensuring decisions are both data-driven and aligned with business goals.

Conclusion
This white paper serves as an essential guide for organizations seeking to implement cyber risk management at scale using FAIR. By integrating the FAIR Model, FAIR-CAM, and FAIR-MAM, organizations can shift from reactive, siloed security measures to proactive, aligned risk management strategies. For cyber risk leaders navigating an increasingly complex threat landscape, this framework offers not just a roadmap but a competitive advantage—demonstrating resilience, transparency, and strategic alignment in the face of growing cyber challenges.
Keynote Conversation: Securing the Nation: In Conversation with US Cyber Leaders
I am very honored to present our Day 2 Keynote Session this morning, with two of the United States’ top cyber officials. Having this event in DC provides us with a unique experience to get a Federal Cybersecurity Perspective and to hear from leaders at CISA, DHS, and others about how quantification can help protect our national infrastructure. Please join me in welcoming our esteemed Keynote speakers today:
• Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience, US Department of Homeland Security
• Jeff Greene, Acting Executive Assistant Director for Cybersecurity, CISA
• And Moderator: Nick Sanna, Founder, FAIR Institute
Why Things can go from Bad to "BOOM" Pretty Quickly
First we start with a CISO panel, “Why Things can go from Bad to "BOOM" Pretty Quickly.” A common paradox in security is that successful prevention breeds complacency. Significant investments in security often lead to reduced incidents, which can inadvertently create the perception that security measures are unnecessary. This can result in budget cuts, deferred upgrades, and neglect of emerging threats. Over time, this decline in security posture increases the likelihood of a catastrophic breach or a gradual erosion of defenses. This panel will discuss what we can do to put in place the counter forces to sustain security. Reminder to please use the QR code in your program to submit questions virtually throughout the session. Welcome our panelists today:
• Erik Decker, CISO, Intermountain Health
• Brian Kelly, CISO, American Airlines
• David Neuman, Senior Analyst, TAG Cyber
• Wendi Whitmore, Head of Unit 42 Threat Intelligence, Palo Alto Networks
• And moderator: Brandon Pinzon, CISO and Risk Executive
Quantifying Cyber Losses Like an Insurer and CFO Would
First we start with a very practical session, “Quantifying Cyber Losses Like an Insurer and CFO Would.” This session will highlight materiality and FAIR-MAM™ and will focus on how practitioners can focus on the financial side, the magnitude side, of the FAIR model. Welcome our panelists:
• Robert Immella, Global CRQ Lead, Fortune 1000 Company
• Monica Tigleanu, Cyber Strategy Leader, BMS Group
• Erica Eager, Sr. Director Risk Quantification, Safe Security
• And moderator: Jack Jones, Chairman Emeritus, FAIR Institute
Unlocking Regulatory Alignment: Harnessing FAIR Standards for Effective Dialogues with Regulators
First we start with a CISO and Board panel, “Unlocking Regulatory Alignment: Harnessing FAIR Standards for Effective Dialogues with Regulators.” Welcome our panelists today:
• Christopher Porter, CISO, Fannie Mae
• James Lam, Board Director, Blackrock iShares
• And moderator: Neila Zerguini, Partner, Deloitte Canada
Accelerating AI: Achieving the Right Balance Between Speed and Security
This is the General Track, and we are going to begin our next panel “Accelerating AI: Achieving the Right Balance Between Speed and Security.” AI and its associated risks have really taken the world by storm. Now, our panel of experts shares their experience and thoughts about GenAI. Reminder to please use the QR code in your program to submit questions virtually throughout the session. Welcome to our panelists:
• Randy Herold, CISO, ManpowerGroup
• Michelle Griffith, VP, Security GRC, IHG
• Oki Mek, CISO, U.S. Federal Civilian Government, Microsoft
• Chip Block, VP/Chief Solutions Architect, Evolver, CEO/Chief Technologist, Kiwi Futures
• And moderator: Pankaj Goyal, Director, Research and Standards, FAIR Institute
5 Techniques for Elevating Security Leaders to True CISOs: How to Transition from Security to Trust
This is the Executive Track, and we are going to begin our next panel “5 Techniques for Elevating Security Leaders to True CISOs: How to Transition from Security to Trust.” Welcome to our speaker, FAIR Institute Board of Directors Member and CISO at Databricks, Omar Khawaja.
Getting Started with FAIR™
This is the Practitioner Track, and we are going to begin our next use case panorama “Getting Started with FAIR™.” As we always have new members joining and folks attending for the first time, this session is so important. And today we have amazing presenters ready to share their stories and tips with you on what a successful program looks like as it gets started. Welcome to our speakers:
• Rob Moore, VP, Technology Risk Management, Mastercard
• Tony Martin-Vegue, Technology Risk Management, Netflix
• AJ Anand, Director, Transformation and Continuous Improvement, Global Security, ADP
Fireside Chat: Connecting Data Risk to Enterprise Risk: A Business-Centric Approach, with Bipul Sinha
We are excited and fortunate to have a special fireside chat today on “Connecting Data Risk to Enterprise Risk: A Business-Centric Approach” with Bipul Sinha, the CEO of Rubrik in conversation with Saket Modi, CEO, Safe Security.
Fireside Chat with Jack Jones, Author of FAIR™ and FAIR-CAM™
I am excited to begin our afternoon sessions with a special discussion with Jack Jones, Chairman Emeritus, FAIR Institute and author of FAIR™ and FAIR-CAM™, on the history of the FAIR model and the future of CRQ. Please welcome Jack and Todd Tucker, Managing Director of the FAIR Institute!
Navigating the Complexities of Assessing and Managing AI Risk
I am excited to begin our afternoon sessions with a special discussion with the AI Workgroup of the FAIR Institute on “Navigating the Complexities of Assessing and Managing AI Risk.” Please welcome:
• Arun Pamulapati, Sr. Staff Field Engineer, Databricks
• Jacqueline Lebo, Risk Advisory Manager, Safe Security
• Omar Khawaja, CISO, Databricks
ATT&CKing Cyber Risk Quantification
I am excited to begin our afternoon sessions with a special discussion on “ATT&CKing Cyber Risk Quantification” and we really have the experts in the room with us today! Please welcome:
• Wade Baker, PhD, Partner, Cyentia Institute
• Jon Baker, Director & Co-Founder, Center for Threat-Informed Defense, MITRE Engenuity
• Vidit Baxi, CISO, Safe Security
What Does Effective Cyber Risk Reporting and Board Oversight Look Like?
Hello and welcome all to this panel on the ever-important topic “What Does Effective Cyber Risk Reporting and Board Oversight Look Like?” Allow me to introduce our panelists:
• Suja Chandrasekaran, Global Operations, Digital, Technology and Business Transformation Chief Executive and Board Member
• Amir St. Clair, AVP, Enterprise Risk Management, Advocate Health
• And moderator: Larry Clinton, President, Internet Security Alliance
Developing Agile Risk Management Capability by Building your Human Firewall
Presenting the session on the ever-important topic “Beyond Cyber Security – Developing agile risk management capability by building your human firewall” with Dr Gavriel (Gav) Schneider, Group CEO & Principal Consultant, Risk 2 Solution Group. In today’s hyper-connected and rapidly evolving digital landscape, traditional cyber security measures alone are insufficient to protect organizations from the myriad of threats they face. This session will explore the critical role of human elements in creating a robust and adaptive risk management framework.
Building an Enterprise Risk Ownership Model that Works: Quant Risk Ownership and Acceptability
Welcome to another incredible case study presentation with the Dropbox team titled “Building an Enterprise Risk Ownership Model that Actually Works: Quant Risk Ownership and Acceptability.” This talk is going to focus on practical examples of implementation and the impacts of evolving to this new risk ownership model at both lower and executive levels of an organization. Welcome to the stage Tyler Britton, Principal Security Engineer at Dropbox.
Closing Remarks: Where is CRQ Going?
We look to close out FAIRCON24 with a summary of our time and sessions here and with a look towards the future of the risk management industry. Here to provide that context is our Closing Remarks speaker, Cody Scott, Senior Analyst for Security & Risk at Forrester.
Strategies for Optimizing Cyber Insurance and Mitigating Risk
We have the final breakout panel now before our last plenary sessions. This session is titled “Strategies for Optimizing Cyber Insurance and Mitigating Risk” and will include a very important talk on the growing role of cyber insurance in the field. Let me invite up to the stage our participants:
• Mark Wheeler, Co-Founder & Co-CEO, Mosaic Insurance
• Meghan Hannes, Chief Underwriting & Claims Officer, K2 Insurance
• Gerry Glombicki, Head of Cyber Security Common Interest Group, Fitch Ratings
• And moderator: Steven Schwartz, VP, Insurance Strategy & Underwriting, Safe Security
Unlocking Cyber Resilience: Executing the Govern Function in the NIST Cybersecurity Framework
This session is titled “Unlocking Cyber Resilience: Executing the Govern Function in the NIST Cybersecurity Framework” and will include a very important talk about one of our industry’s most well-known frameworks. Let me invite up to the stage our participants:
• Amy Mahn, International Policy Specialist, NIST
• Kelly Volz, Managing Director, Cybersecurity Financial Services, EY
• Heather Dart, Sr. Mgr Information Risk Management, Danaher
• And moderator: Vince Dasta, Risk Advisor, Safe Security
Risk at the Speed of Business: Delivering Risk Management as a Service
This session is titled “Risk at the Speed of Business: Delivering Risk Management as a Service” and is a case study with Zach Cossairt, Integrated Risk Program Senior Manager, Governance Risk & Compliance at Equinix. The use case will focus on one business line at Equinix that is now successfully operationalizing the risk team’s service portfolio to improve the pace and quality of their decision making.
FAIRCON24 Welcome Address
This year at FAIRCON24, more than 60 CISOs, CIOs, board members and cyber risk leaders, all of you here in this room today, will present on, discuss, engage, and share on key topics facing our industry such as third-party risk management, cyber reporting for the board, automating and scaling your program, and emerging risk areas such as AI. Conference attendees will discover a more modern approach to cyber risk management built on the FAIR cyber risk quantification model and including essential program elements, process automation, data visualization and analytics, and GenAI. Together we will discover new technologies, learn about growing FAIR standards, and expand our networks! Now without further ado, it’s time to get FAIRCON24 kicked off! It is my pleasure to introduce Nick Sanna, Founder of the FAIR Institute. Nick founded the FAIR Institute in 2016 as an expert non-profit organization due to a growing demand from an expanding FAIR community. The idea was to create a forum for learning about FAIR, for developing and sharing innovative best practices, and to serve as a platform for networking with peers.
Fireside Chat with John Chambers and Saket Modi
Fireside Chat with John Chambers, Fmr CEO and Chairman Emeritus at Cisco and Saket Modi, CEO at Safe Security.
Establishing the CISO as an Indispensable Business Partner
The next session “Establishing the CISO as an Indispensable Business Partner” is packed with experts. The role of the CISO has transformed from a technical steward to a strategic business partner. This discussion will explore a pivotal shift in the perception and responsibilities of the CISO within organizations. The speakers will share case studies and their insights on strategies and best practices that enable CISOs to effectively align cybersecurity initiatives with overarching business goals. Moderated by Robert Rodriguez, Chairman and Founder of SINET, please help me welcome our esteemed panelists:
• Michael Johnson, CISO, Meta Financial
• Tony Parrillo, VP Global Head of Cybersecurity, Enterprise IT, Schneider Electric
• Bethany De Lude, CISO, The Carlyle Group
• Susan Chiang, CISO, Headway
Do We Need Cyber Expertise at the Board Level?
Welcome all, please allow me to introduce our next session “Do We Need Cyber Expertise at the Board Level?” This is an ever-important question, and in this session Board Members will speak directly to executives to provide tips on what they expect from the C-Suite. Moderated by Yvette Kanouff, Board Member: SAIC, Amdocs, Entegris, Sprinklr, let me introduce our panelists:
• Michael Coden, Senior Advisor, BCG
• Brad Strock, Fmr CIO, PayPal
• Mike Gade, Senior Advisor, BCG
Empowering Business Decisions through CRQ: Insights from the Practitioner's Perspective
Please allow me to introduce our next session “Empowering Business Decisions through CRQ: Insights from the Practitioner's Perspective.” Today, leading practitioners in cyber risk quantification (CRQ) will outline how they have successfully used FAIR to architect CRQ programs that enable better business decisions. Our panelists will delve into their first-hand experiences, spotlighting how these data-driven approaches have shaped critical business strategies and yielded tangible outcomes. Welcome our panelists:
• Grace Gair, Director, Technology Risk Management, Capital One
• Luis Valenzuela, Director, Data Governance and Data Loss Prevention, InComm Payments
• Zach Kacprowicz, Senior Advisor, Cyber Risk Management, Cigna
• And moderator: Daniel Stone, Director, Security & Privacy, Protiviti
CISO Liability: How Not to Get Singled Out in an Evolving Regulatory Environment
We begin this track with a really important panel “CISO Liability: How Not to Get Singled Out in an Evolving Regulatory Environment.” Our panelists will be discussing our world a year after the SEC disclosure rules were announced and went into effect last year. Reminder to please use the QR code in your program and follow the instructions to submit questions virtually throughout the session. Welcome to our panelists:
• David Hirsch, Partner, McGuireWoods LLP; Fmr. Chief, Crypto Asset and Cyber Unit in the Division of Enforcement, SEC
• Mark Tomallo, CISO, Victoria's Secret
• John Winter, Chief Legal Officer and Counsel, LLA
• Kaitlin Betancourt, Partner, Data, Privacy & Cybersecurity, Goodwin Law
• And moderator: Nick Sanna, Founder, FAIR Institute
State of the Third-Party Risk Management (TPRM) Market
In this session, you will hear from Alla Valente, Senior Research Analyst, Forrester and Cody Scott, Senior Analyst, Security & Risk, Forrester on their research in third party risk management. This is going to be an engaging session with time for questions as well. Please keep the questions coming by using the QR code in the program.
Orchestrating Cyber Resilience Across First and Third Party Risk
On our panel on “Orchestrating Cyber Resilience Across First and Third Party Risk,” we will hear from many people with different perspectives on their work bridging the first and third party gap and on recent high-profile events such as Change Healthcare and CrowdStrike. Reminder to please use the QR code in your program and follow the instructions to submit questions virtually throughout the session. Welcome to our panelists:
• Kris Lovejoy, Board Member, Dominion Energy; Global Security and Resilience Practice Leader, Kyndryl
• Michael Sechrist, Executive Director for Threat and Risk Management, athenahealth
• Drew Simonis, CISO, Juniper Networks
• Juanita Bates, Director Cybersecurity Governance Risk & Compliance, Jefferson Health
• Moderator: Pengfei Wang, Cybersecurity Risk Management & GRC Leader, EY
More than cheese: FAIR Third Party Analytics Model, secret for a perfect pizza
In this presentation, the presenters will walk through the pizza delivery use case to illustrate how FAIR-TAM (FAIR Third Party Assessment Model) is used to automate and integrate third-party risk management. FAIR-TAM enables these businesses to survive and grow in this increasingly competitive GenAI-enabled business environment. This use case shows why risk leaders must elevate their focus from individual controls to the “control physiology” paradigm described under the FAIR Controls Analytics Model™ (FAIR-CAM™). Please welcome our speakers:
• Denny Wan, Chair, Reasonable Security Institute
• Andrew Shea, Founder, CRFQ
• Pankaj Goyal, Director, Research and Standards, FAIR Institute
Developing an Effective Cyber Risk Management Program in Today's Digital Landscape
In an age where digital transformation accelerates and regulatory bodies increasingly emphasize oversight, crafting a robust cyber risk management program (CRMP) becomes crucial. This presentation delves into the intricacies of establishing a comprehensive CRMP, leveraging insights from authoritative sources such as the SEC, NIST, and NACD. It highlights the pivotal role of board members and executive leadership and offers practical strategies for CRMP implementation, guided by a cross-industry framework that encompasses four foundational components and 23 guiding principles. Welcome to the stage our speakers, Brian Allen, SVP, Emerging Technology Risk Management for BITS, Bank Policy Institute; Fmr. CSO, Time Warner Cable and Brandon Bapst, Cyber Risk Advisor, EY!
Embracing a True Risk Based Approach to TPRM
Welcome back, time for our next session in the practitioner track. Another amazing case study session by GSK, focused again on their work with third-party risk management. Join me in welcoming Meena Martin, VP, Cyber Risk and Assurance, GSK and Pankaj Goyal, Director, Research and Standards, FAIR Institute.
Integrating Cyber Into ERM
Our last session is a super important one that advances even more on the theme of building a fully mature risk program, “Integrating Cyber Into ERM.” Our panel members today are:
• John Sapp, VP, Information Security & CISO, Texas Mutual Insurance Company
• James Lam, Board Director, Blackrock iShares
• Stan Dore, Fmr. CRO, FHLB
• Paul Zikmund, CISO, Berkadia
• Aneesh Bhatnagar, Head of Risk Products, ServiceNow
• And moderator: Evan Wheeler, Sr. Director, Tech Risk Mgt, Capital One
Keep Quantifying or Else
Our last session in the practitioner track today is presented by Pierre Olodo, Senior Lead Cyber Risk, Richemont International SA. Pierre will present how they started their cyber risk quantification journey with specific use cases (both technology and business oriented). These use cases were then presented to leadership, who are now requiring more and more cyber risk quantification, hence the need for us to increase the pace in handling and delivering cyber risk quantification.
IT Security Controls Prioritization Using FAIR-CAM™ - Sponsored by C-Risk (Webinar)
Join our upcoming webinar IT Security Controls Prioritization Using FAIR-CAM™, hosted by C-Risk Co-founder Tom Callaghan, Jack Jones, Chairman Emeritus of the FAIR Institute, and Rob Moore, VP of Technology Risk at Mastercard. The recent extension to the FAIR™ model, FAIR-CAM™, provides data-driven insights into controls efficacy and measures the risk reduction of control improvements in the context of specific risk scenarios. FAIR-CAM™ takes a physiological approach to understanding control functions—an area often only superficially addressed by traditional cybersecurity frameworks. This model offers a deeper understanding of the key dependencies between controls and provides a clear measure of control efficacy. In this one-hour webinar, you’ll learn how to leverage FAIR-CAM™ to enhance control prioritization and take actionable steps to reduce the likelihood and impact of threat events.
Assessing & Quantifying Enterprise GenAI Risk – Sponsored Webinar with Ostrich Cyber-Risk
The rapid rise of generative AI has created new opportunities for the enterprise while also introducing new risk issues that must be measured, prioritized and addressed. New technology and advanced models enabling innovative business applications result in unique risk scenarios and mitigation options that may challenge the cyber-focused risk analyst. What approach should be used? How can the FAIR risk analyst decompose the problem and deliver credible, defensible guidance? This session will examine how to apply the FAIR-AIR Approach Playbook created by the FAIR Institute to quantify AI risk in financial terms, allowing stakeholders to make rational business decisions (cost-benefit) on risk treatment options. Key Takeaways:
• Help you identify your AI loss exposure and enable risk-based decisions
• Ensure proper data and alignment for scenarios and use cases
• Know how to meet the business needs and enable AI deployment
Sponsored by Ostrich Cyber-Risk.
From Controls to Clarity: Simplifying FAIR using the NIST CSF – Sponsored Webinar with Ostrich Cyber-Risk
Adopting the Factor Analysis of Information Risk (FAIR™) methodology and scaling its value can be challenging, especially for early adopters. Identifying and effectively using data on the strength of individual controls within your organization can be particularly difficult. Many organizations already align their programs with leading practices using the NIST Cybersecurity Framework or similar security frameworks. However, these assessments often fall short in guiding the prioritization of cybersecurity budgets and roadmaps. Join experts from Ostrich Cyber Risk and Protiviti as they demonstrate the significant advantages of combining risk quantification with cybersecurity framework assessments to maximize your cybersecurity strategy. Sponsored by Ostrich Cyber-Risk.
How GSK is Building A Next Generation TPRM Program and Tooling - Sponsored by Safe Security
The cybersecurity landscape is constantly evolving with new threats, and traditional TPRM methods are not suited to handle emerging risks such as cyber threats, data breaches, and supply chain disruptions. Join Marek Jakubczak, Cyber Risk Leader at GSK, and Ram Vemula, Product Management, Head of Partnerships at Safe Security, to hear about the current state of TPRM and how a large company is changing the game. Let's review the shortcomings and limitations of current approaches and how to build next generation TPRM processes and tools that will help your organization stay resilient, keep pace with the dynamic risk environment, improve operational efficiency, and protect the organization from potential threats associated with third-party relationships. We will also talk about how we can effectively partner with third parties in managing risk and give them the tools necessary to burn down risk.
NIST CSF Effectiveness: Controls & Quantification – Sponsored Webinar with Ostrich Cyber-Risk
In this webinar, Greg Spicer, Co-Founder and CRO of Ostrich Cyber Risk, along with Kevin Gelsthorpe and John Feezell of Kyndryl, will dive into the intricacies of identifying your biggest cyber risks using NIST Cybersecurity Framework (NIST CSF). We then will explore how to determine which controls most effectively mitigate these risks and how to quantify their effectiveness in financial terms, and influence decisions with stakeholders in your business. Sponsored by Ostrich Cyber-Risk.
FAIR-CAM Controls Library
The FAIR Institute, with the assistance of technical adviser Safe Security, is creating a draft Cybersecurity Controls Library, informed by FAIR-CAM, the FAIR Controls Analytics Model. Now, we are inviting the FAIR community to support this project to develop a highly useful resource for FAIR practitioners looking to assess their controls based on FAIR-CAM. The Controls Library categorizes controls according to their functions as described by FAIR-CAM, each with an extensive description of how they operate and their value in a cyber risk management program.
FAIR Standards Booklet
A new and complete guide to the FAIR model and standard extensions, FAIR-CAM, FAIR-MAM, FAIR-TAM, FAIR AIR, and FAIR Automation.
RSAC24 Seminar: Mastering Cybersecurity Risk with FAIR: An Introduction and Case Study
Join the FAIR Institute for a two-part seminar that will demystify the world of FAIR™ (Factor Analysis of Information Risk). In the first session, we'll provide an in-depth introduction to FAIR™, equipping you with the knowledge needed to tackle cyber risk effectively. In the second session, we'll dive into a compelling case study that showcases the practical application of FAIR™ principles.
The Future of AI Risk Management: A Deep Dive with the FAIR Institute AI Workgroup
Join the FAIR Institute AI Workgroup as we navigate the evolving world of AI risks. We'll introduce the workgroup, its members, and exciting 2024/25 initiatives. In this webinar, the Workgroup members will share their insights on:
• Building trust in the age of AI
• Navigating recent hot-button topics like illegal AI robocalls, a use case with Rite Aid, and the EU AI Act
• Mitigating model development risks and ensuring materiality
We will learn how to navigate these complexities and build trustworthy AI for your organization.
Financial Impact Questionnaire (FIQ) - Customize FAIR-MAM for Your Most Accurate Cyber Loss Data
The FAIR Institute introduced the FAIR Materiality Assessment Model (FAIR-MAM™) in 2023, a step change in quantifying loss magnitude for FAIR cyber risk analysis. FAIR-MAM enabled analysts to gather loss data at a granular level that ensured a high level of accuracy, and to store it in an always available repository, ready for reporting out the impact of a data breach or other loss event in a defensible format that could stand up to scrutiny by regulators. We’re now introducing a tool to help further sharpen loss data for analysis: the Financial Impact Questionnaire (FIQ).
Managing Cyber Risk in a Time of New Incident Disclosure Rules: Welcome Address
Without further ado, please join me in welcoming our esteemed keynote speaker, Nick Sanna, Founder of the FAIR Institute. Speaking today on “Managing Cyber Risk in a Time of New Incident Disclosure Rules” and how FAIR plays a necessary part. Welcome Nick!
Case Study Panorama with Richemont and Econocom
Speaking about real life examples, next up today is our first of two Case Study Panorama sessions with Pierre Olodo, Senior Lead Cyber Risk, Richemont and Anne Lupfer, Deputy CSO, Econocom who will both give us examples of deploying quantification at their organizations.
Meeting Regulatory Compliance - How to Think About Materiality with FAIR
Our session now is “Meeting Regulatory Compliance - How to Think About Materiality with FAIR” that will discuss real life examples at companies using FAIR and also give insight into the research that the Institute is planning this year. Welcome Mouhamad el Houssaini, Risk Director, ADP and Pankaj Goyal, Director of Standards and Research, FAIR Institute.
The Significance of the NIS2 Directive and of the Digital Operational Resilience Act (DORA)
Next up, we have an esteemed panel of experts who will deep dive into “The Significance of the NIS2 Directive and of the Digital Operational Resilience Act (DORA).” Welcome to the stage:
• Moderator: Anne Leslie, Cloud Risk & Controls Leader EMEA, Financial Services, IBM
• Cathie-Rosalie Joly, Partner, Bird & Bird Law Firm
• Martina Dvar, Advisor, European Central Bank
• Iva Tasheva, Co-founder & Cybersecurity Lead, CYEN; Working Group Member, ENISA
Re-thinking Third Party Risk Management
Wrapping up our morning sessions today, we will turn our focus to another research initiative of the FAIR Institute: how to re-think third-party risk management with quantification. Here to discuss and present are Meena Martin, VP Cyber Risk and Assurance, GSK and Pankaj Goyal, Director of Standards and Research, FAIR Institute.
GenAI Related Risk and Opportunities
Moving on to the next panel, focusing on managing new risks and opportunities in the rapidly growing world of AI, please help me welcome our panel today: • Moderator: Pankaj Goyal, Director of Standards and Research, FAIR Institute • Gérôme Billois, Partner, Wavestone • Sabine Marcellin, Lawyer, Digital Law, Oxygen+; Professor, AI, KEDGE Business School • Jacqueline Lebo, Risk Advisory Manager in Security Services, Safe Security
The Future of the Cyber Risk Management Profession with Jack Jones
As we advance into the day, so we advance into the future of our profession. Join me in welcoming Jack Jones, Chairman Emeritus of the FAIR Institute and author of FAIR and FAIR-CAM, for his talk on “The Future of the Cyber Risk Management Profession!”
CxO Panel - Managing Cyber Risk in a Time of New Incident Disclosure Rules
Next up we have a very special CxO panel for you to share how executives can more effectively manage cyber risk in this time of new incident disclosure rules. Please welcome: - Moderator: Thiébaut Meyer, Director, Office of CISO, Google Cloud - Benoit Fuzeau, CISO, CASDEN; President, CLUSIF - Aljona Reiser, Head of Cyber Business Risk, Commerzbank AG - Ariane Chapelle, Partner, BDO Chapelle
Optimizing Cyber Insurance with Risk Quantification
Our next panel will dive deep into optimizing cyber insurance with risk quantification. Please help me welcome our moderator and panelists: - Moderator: Christopher Khadan, Chief Customer Officer, Safe Security - Leopold Larios, Director of Cyber Insurance Offering, Descartes Underwriting - Andreas Schmitt, Global Cyber Underwriting Manager, Zurich Insurance - Thierry Zucchi, Head of Cyber Activity, Relyens - Patrick Montagner, Deputy Secretary General, ACPR (French Prudential and Resolution Authority)
Case Study Panorama with Mastercard and Fresenius
Kicking off our last segment of sessions today is our final case study panorama session, moderated by Greg Spicer, Co-Founder and CRO at Ostrich Cyber-Risk. Join me in welcoming two expert FAIR professionals, Rob Moore, VP, Technology Risk, Mastercard and David Steng, Director, Cyber Risk & Economics, Group Cybersecurity Office, Fresenius Group.
Using FAIR and MITRE to Understand How Controls Impact Risk
The next session shifts focus to controls and FAIR-CAM, as we look at how FAIR and MITRE can be used together to understand how controls impact risk. Welcome back Tom as moderator, and our panelists, Frédéric Bouveresse, IS&T Cyber Risks Governance Specialist, Alstom and Francesco Chiarini, Global Head - Technology Resilience, Sandoz.
Automating and Scaling FAIR Quantitative Risk Analysis (Sponsored by Safe Security)
Enterprises adopting FAIR face a critical hurdle in scaling operations due to the manual nature of the process. Recognizing this gap, FAIR has introduced two extensions: FAIR-CAM, the controls analytics model, and FAIR-MAM, the materiality assessment model.
A FAIR Artificial Intelligence (AI) Cyber Risk Playbook
The FAIR Institute presents FAIR-AIR, a FAIR-inspired approach to help you identify your AI-related loss exposure and make risk-based decisions on treating this new category in cyber risk management – new but a puzzle to be solved using the FAIR techniques of modeling and quantifying cyber risk that our community has validated for years.
CIS 8.0 to FAIR-CAM Mapping V1
A team of FAIR Institute members led by FAIR creator Jack Jones has mapped the CIS Critical Security Controls v8.0 to the new FAIR Controls Analytics Model (FAIR-CAM™). The CIS Controls are a popular 18-category set of best practices that, like other cybersecurity frameworks, tell you what controls to implement but not what measurable effect they have on reducing cyber risk, singly or as an interdependent system. Jack developed FAIR-CAM to make compliance with frameworks more about mitigating risk than checking off boxes on a list.
Webinar: The NIST Artificial Intelligence Risk Management Framework (AI RMF)
The NIST Trustworthy and Responsible AI Resource Center published the Artificial Intelligence Risk Management Framework (AI RMF) in early 2023 to support the responsible adoption of trustworthy AI systems. The voluntary, risk-based, rights-preserving, and flexible framework provides an approach for organizations to manage the benefits and risks of AI through specific approaches outlined in the AI RMF. The AI RMF is designed to function as part of a larger organizational risk management program specifically to mitigate the potential of harms to people, organizations, and ecosystems (people & planet) unique to AI systems. Today, Martin Stanley will provide an overview of the AI RMF and supporting NIST resources available to assist organizations in responsibly adopting AI. Martin Stanley is the Strategic Technology Branch Chief and leads the research and development program for the Cybersecurity and Infrastructure Security Agency (CISA/DHS). Martin previously led the Cybersecurity Assurance Program at CISA and the Enterprise Cybersecurity Program at the U.S. Food and Drug Administration. Prior to his federal service Martin held executive leadership positions at Vonage and UUNET Technologies. Martin recently co-authored “Digital Health”, an Oxford University Press Publication in 2021. Martin is currently assigned to NIST to advance adoption of the NIST Artificial Intelligence Risk Management Framework.
Throwing the 'Bad' Data in With the Good – Sponsored Webinar with Ostrich Cyber-Risk
In this webinar, participants will be introduced to a simple way to think about and communicate the relative value of data inputs to FAIR analysis and learn about the concept of a “risk information classification framework”. Attendees will also hear about how such a framework may be used for reducing the likelihood of “analysis data rejection” from the business and how to implement a managed approach for improving precision, visibility, and confidence in analysis.
Keynote Address: The Future of Risk Analysis in an AI and Automation World
I am very honored to present our Day 2 Keynote Speaker this morning, Jack Jones, author of the FAIR model and Chairman of the FAIR Institute presenting the Keynote Address today, “The Future of Risk Analysis in an AI and Automation World.” Jack has worked in information security for over thirty-five years, ten years of which as a CISO with three different companies, including a Fortune 100 company. In 2012 Jack received the CSO Compass award for risk management leadership. An adjunct professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs. Jack created the “Factor Analysis of Information Risk” (FAIR) model which has been adopted as an international standard. Currently, Jack is the Chairman of the FAIR Institute and the Chief Research Scientist at Safe Security. He has also co-authored a book on FAIR entitled “Measuring and Managing Information Risk, a FAIR Approach” which was inducted into the Cyber Security Canon in 2016.
Panel: How to Get Ready for the New SEC Rule on Cybersecurity
I am excited for our first panel today titled “Panel: How to Get Ready for the New SEC Rule on Cybersecurity”. Nothing has pushed CRQ more front and center than the release of new rules from the Securities and Exchange Commission (SEC) on cyber risk disclosure – and the concern and confusion around what’s a material cyber risk. Together, we will tackle the issue head-on with expert panelists, including the SEC’s cyber enforcement chief. Led by moderator Kim Nash, Deputy Bureau Chief, WSJ Pro Cybersecurity, please help me welcome the panelists to the stage: • David Hirsch, Chief, Crypto Asset and Cyber Unit in the Division of Enforcement, SEC • Brian Walker, CEO, The CAP Group • Kurt John, CSO, Expedia Group • Richard Borden, Cybersecurity and Privacy Partner, Frankfurt, Kurnit, Klein, & Selz
Quantifying Multi-Product Security and Privacy AI Risk with FAIR and NIST AI RMF
This track is focused on one of the hottest topics in our industry right now, AI. How can organizations balance the opportunities that arise from AI adoption while managing its risk? What does AI risk actually mean? How can we best manage it? Those questions are coming fast, and FAIR practitioners of quantitative cyber risk management are adapting rapidly. First up in our track today are Tyler Britton, Security Engineer and Taylor Maze, Risk & Governance Manager at Dropbox. They will be presenting on their work with this case study session titled “Quantifying Multi-Product Security and Privacy AI Risk with FAIR and NIST AI RMF.”
Challenges and Opportunities of Moving to Quantitative Risk Management in ERM
Help me welcome our panelists today: • Evan Wheeler, Senior Director, Technology Risk Management at Capital One and FAIR Institute Advisory Board Member • Ted Webster, Chief Security and Privacy Officer,
Accelerating your GenAI Adoption Through AI Risk Posture Management
Presenting today is Pankaj Goyal, Director of Standards & Research at the FAIR Institute, joined by Brandon Sloane in AI Governance at Meta.
Patch Prioritization with FAIR-CAM™
Next we have Denny Wan, Co-Chair, Sydney Chapter and the FAIR-CAM Workgroup, John Linford, Forum Director at The Open Group, and Sasha Romanosky, Senior Policy Researcher at RAND. The timely application of software patches is a first line of defense against malware, because it removes exploitable weaknesses and so reduces the attack surface. This presentation will discuss how to apply the FAIR-CAM model to inform the effectiveness of a patch prioritization policy.
The State of the CRQ Market
Here to give a view of the entire state of the CRQ market, please welcome to the stage Cody Scott, Senior Analyst for Security and Risk at Forrester Research. Cody will be focusing on what users are asking for and where the market is now, including both the positives and the challenges, and where the industry research needs to focus moving forward.
How is the Discussion About Cyber Risk Changing at the Board Level?
We are lucky to have with us today a superstar panel on “How the Discussion About Cyber Risk is Changing at the Board Level?”. Reminder to please use the QR code and follow the instructions on page 2 in your program to submit questions. Led by moderator Larry Clinton, President of the Internet Security Alliance (ISA), please help me welcome the panelists to the stage: • Elias Oxendine IV, CISO, Yum Brands • Kevin McCarty, CISO, Cigna US Healthcare • Kris Lovejoy, Board Member, Dominion Energy and Global Security and Resilience Practice Leader, Kyndryl • David Burg, Americas Cybersecurity Leader, EY
Connecting Threat Intel to Risk with MITRE ATT&CK and FAIR™
We are lucky to have with us today a great session on “Connecting Threat Intel to Risk with MITRE ATT&CK and FAIR™”. Please help me welcome the panelists to the stage: • Jon Baker, Director, MITRE Center for Threat-Informed Defense • Arvin Bansal, vCISO, Fortune 500 Company • Vidit Baxi, CISO, Safe Security
Introducing FAIR-MAM™ - A Comprehensive Approach to Loss Modeling in FAIR™
This track focuses on ways in which we can build on the FAIR model, making improvements and advancements to our risk management practices. We start today with an introduction to FAIR-MAM, the FAIR Materiality Assessment Model. Join me in welcoming: • Erica Eager, Senior Director, Risk Quantification, Safe Security • Filippo Curti, Financial Economist, Federal Reserve Bank of Richmond • Tom Macphee, Cyber Risk Senior Manager, Cigna
Cyber Insure or Self Insure?
My name is Arturo Perez-Reyes, Strategist, SVP, Cyber and Technology at Newfront. Welcome to our session today that will ask the question “to cyber insure, or to self-insure?”! Joining me on stage are my esteemed colleagues: • Tom Srail, EVP Cyber Risk, Willis Towers Watson • Brandon Pinzon, SVP, Chief Security Officer, Argo Group Insurance • Mayur Patel, VP, Senior Cyber Underwriter, Munich Re
Using the FAIR Model for AI Risk-Based Accountability
The purpose of this session is to share practical risk-based compliance tips, using the FAIR model to fix Impact Assessments. The presentation will show convenient tactics for adapting several concepts, such as primary and secondary losses and temporary-bound probability, in a multidimensional compliance environment. Welcome to the stage Luis Enriquez, Professor at Université de Lille (France) and Universidad Andina Simón Bolivar (Ecuador)!
Measuring Controls Effectiveness and Risk with FAIR-CAM™
Join our speakers Bryan Smith, VP Product Management at Safe Security and Tyler Britton, Security Engineer at Dropbox, as we dive into measuring controls effectiveness and risk with FAIR-CAM™.
Deriving Probability Distributions with Pairwise Relative Comparisons
This presentation supports the FAIR contention that we need to use ranges or distributions for probability and impact in FAIR for risk management. More importantly, this presentation shows how the PERT-styled distributions used in FAIR analyses can be supplemented with pairwise comparisons that can reduce ‘noise’ inherent in measuring uncertainty, thus producing more accurate distributions based on individual judgments as well as judgments from groups of individuals. The process is based on pairwise comparisons of a range of uncertain outcomes, such as the frequencies of an event.
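To make the session's premise concrete, the block below is an added example, not code from the presentation or from any FAIR Institute tool. It simulates annualized loss exposure the way FAIR analyses typically do: Loss Event Frequency (LEF) and per-event Loss Magnitude (LM) are each elicited as a (minimum, most likely, maximum) range and shaped as a Beta-PERT distribution, then sampled in a Monte Carlo loop. The scenario numbers are constructed, and the pairwise-comparison elicitation the session describes is not implemented here; the block shows only the range-based simulation that such comparisons would feed.

```python
"""FAIR-style annualized loss exposure with Beta-PERT ranges (stdlib only).

Added example. The LEF and LM three-point estimates used in main() are
constructed for illustration, not taken from any real analysis.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """A (min, most likely, max) estimate shaped as a Beta-PERT distribution."""
    low: float
    mode: float
    high: float
    lam: float = 4.0  # standard PERT weight on the most-likely value

    def params(self):
        """(alpha, beta) of the underlying Beta distribution on [0, 1]."""
        span = self.high - self.low
        alpha = 1 + self.lam * (self.mode - self.low) / span
        beta = 1 + self.lam * (self.high - self.mode) / span
        return alpha, beta

    def sample(self, rng):
        """Draw one value; a degenerate range returns its single point."""
        if self.high == self.low:
            return self.low
        alpha, beta = self.params()
        return self.low + rng.betavariate(alpha, beta) * (self.high - self.low)


def pert_stats(p, n=20000, seed=7):
    """(min, max, mean) of n samples; handy for sanity-checking an estimate."""
    rng = random.Random(seed)
    xs = [p.sample(rng) for _ in range(n)]
    return min(xs), max(xs), sum(xs) / n


def poisson(rng, rate):
    """Knuth's inverse-transform Poisson sampler; adequate for small rates."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(lef, lm, n=20000, seed=1):
    """Simulate n years: draw an LEF rate, a Poisson event count for that
    rate, then an independent loss magnitude per event. Returns summary
    statistics of the annual loss distribution."""
    rng = random.Random(seed)
    years = []
    for _ in range(n):
        rate = lef.sample(rng)
        events = poisson(rng, rate)
        years.append(sum(lm.sample(rng) for _ in range(events)))
    years.sort()

    def q(pct):
        return years[min(len(years) - 1, int(pct / 100 * len(years)))]

    return {
        "mean": sum(years) / len(years),
        "p50": q(50),
        "p90": q(90),
        "p95": q(95),
        "max": years[-1],
        "prob_any_loss": sum(1 for y in years if y > 0) / len(years),
    }


def main():
    # Constructed scenario: 0.1 to 2 events/year (most likely 0.5);
    # $50k to $2M per event (most likely $250k).
    lef = Pert(0.1, 0.5, 2.0)
    lm = Pert(50_000, 250_000, 2_000_000)
    result = simulate_ale(lef, lm)
    point_estimate = lef.mode * lm.mode  # what a single-number analysis reports
    print(f"single-point ALE: ${point_estimate:,.0f}")
    for key, value in result.items():
        print(f"{key:>14}: {value:,.2f}")


if __name__ == "__main__":
    main()
```

Running it shows why the talk argues for ranges: the product of the two "most likely" values understates the simulated mean, because both ranges are right-skewed toward rare but large outcomes, and the percentile table exposes that tail in a way a single number cannot.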
Measuring Real Life Cyberattacks on Enterprise Networks
Our next session will explore a novel approach to measuring loss events of realistic cyberattacks, empowering organizations to assess their security resilience against a changing threat landscape and make data-driven decisions for bolstering their defenses against evolving cyber threats. Please welcome Christian Ellerhold, Lead Principal Engineer, Cyber Risk Management at Infineon Technologies, to the stage!
The Rising Ambition of Cyber Risk Management Programs
Now we are lucky to have a case study panorama with a stellar lineup of experts discussing the most important things facing a cyber risk management program today. Led by moderator Daniel Stone, Director at Protiviti, allow me to introduce our panelists: • Meena Martin, VP, Cyber Risk and Assurance, GSK • Dan Phillips, Security Risk Management Lead, Meta • Robert Immella, Global Leader, CRQ, Caterpillar • Valmiki Mukherjee, Chairman, Cyber Future Foundation
FAIRCON23 Closing Remarks
Thank you all for sharing your expertise. Let’s get ready now for the conclusion of the conference. Closing Remarks will begin momentarily as we allow the rest of the conference attendees to join us here in the Grand Ballroom.
FAIRCON23 Welcome Address
Now without further ado, it’s time to get FAIRCON23 kicked off! It is my pleasure to introduce Nick Sanna, Founder of the FAIR Institute, and Dave Burg, Americas Cybersecurity Leader at EY. Nick founded the FAIR Institute in 2016 as an expert non-profit organization due to a growing demand from an expanding FAIR community. The idea was to create a forum for learning about FAIR, for developing and sharing innovative best practices, and to serve as a platform for networking with peers. Dave Burg serves as EY’s Americas Cybersecurity Leader. In this role, he assists clients in reactive and proactive consulting capacities involving the deployment of information technology solutions and their use. Please welcome Nick and Dave!
Keynote Panel: Navigating the Confluence of Cybersecurity and AI: Mitigating Risks for the Future
As the stage gets set to continue into our Keynote Conversation, please help me welcome two very special guests. Joining us today are Chris DeRusha, Federal Chief Information Security Officer and Deputy National Cyber Director, and Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA. We are very grateful to have Chris and Eric here to be in conversation with Nick on “Navigating the Confluence of Cybersecurity and AI: Mitigating Risks for the Future.” The focus of the session will be specifically on how AI is affecting cyber risk management. The panel will discuss how to make sense of AI risk, what to do about it, and of course, the subject of AI from the Federal perspective.
Panel: What Models Do We Need to Improve Risk Management in the 21st Century?
The next session, “What Models Do We Need to Improve Risk Management in the 21st Century?”, is packed with experts. We are about to get key insights, advice, and tips from C-level experts who are leaders of this quantitative movement. Reminder to please submit your questions using the QR code in the program. Moderated by Robert Rodriguez, Chairman and Founder of SINET, please help me welcome our esteemed panelists: • Paul Selby, CISO at US Department of Energy • Jennifer Buckner, SVP Technology Risk Management at Mastercard • Nathaniel Davis Jr, Vice President, Corporate & Defense Security at Rolls-Royce • Ian Rathie, CISO at The Fitch Group • Kurt John, CSO at Expedia Group
Improving Cyber Visibility and Decision-Making at Maersk
Now, please allow me to introduce our next session with Neil Davis, Head of Cyber Risk Management at Maersk titled “Improving Cyber Visibility and Decision-Making at Maersk.” This case study session will provide a world class example of how Maersk is using quantification to improve cyber risk visibility and their companywide decision making. Neil leads the cyber risk team at AP Moller-Maersk, providing insight into risk exposure by identifying, assessing, and managing the cyber risks faced by Maersk and its supply chain, in support of strategic and tactical decision making - balancing risk and return.
Winning Over The Doubters - Cutting Through Complexity to Exceed Stakeholder Expectations
In this session, you will hear from Robert Moore, Vice President of Technology Risk at Mastercard, and Tom Callaghan, Co-Founder at C-Risk, as they give a case study presentation on winning over the doubters. These tips will help you get through the perceived complexity of quantification in order to communicate effectively to the business and exceed stakeholder expectations.
Leveraging Risk Quantification to Build An Integrated Risk Management Program
Our last session in Track 2 today is presented by Damian Apone, Global Director, Governance, Risk & Compliance at Genuine Parts Company, and Chris Correia, Associate Partner at IBM. They will discuss the journey that GPC has undertaken with IBM’s support to build a holistic risk management program. They will discuss how GPC decided to use risk quantification as a foundational capability to enhance risk identification, risk reporting and prioritization of security projects to optimize GPC’s security operations. Damian will share his experiences working with leadership to demonstrate the value of risk quantification, along with some of the challenges and early successes the organization faced in the adoption of risk quantification. In addition, Damian and Chris will discuss how risk quantification is supporting GPC in its review of risk appetite, executive-level reporting and cybersecurity insurance.
Connecting Cyber Risk Assessment to Integrated Decision Management
I am sure that many of you started making great connections during the networking break. Now, please allow me to introduce our next session with Doug Hubbard titled “Presentation: Connecting Cyber Risk Assessment to Integrated Decision Management” Quantitative risk analysis in cyber is only part of enterprise risk and risk is only part of quantitative decision making. Integrated decision management involves utilizing methods tested in large clinical trials and improving and tracking the performance of models, measurement methods, and even expert judgement. Measuring the performance of decision making itself is the most important - and yet apparently among the last – of critical measurements for organizations to conduct. This session will propose a framework for how we may integrate the empirical methods, new algorithms, and even the psychology of decisions and estimates to improve one of the last and most important frontiers of organizational management.
Is It Raining Risk? What Data Says About Cyber Risk in the Cloud
We begin this track with a session by Wade Baker, Co-Founder of Cyentia Institute and Professor at Virginia Tech. Over the years, the Cyentia Institute has published quite a few reports that analyze various aspects of risk in the cloud. Wade is going to provide a “Greatest Hits” presentation today, with the goal of answering questions like “Is cyber risk in cloud environments measurably different than on-prem and, if so, how?”, all while tying it back to the FAIR framework.
How to Re-think Third-Party Risk with FAIR-TAM™?
We are launching into new waters here as we discuss how to re-think third party risk with FAIR-TAM, the new FAIR extension for third party risk. Leading this session is Pankaj Goyal, Director for Standards & Research at the FAIR Institute. Joining Pankaj are Sarah Sullivan, Director IS&T Security Performance at Thomas Jefferson University Hospitals and Adam Wells, Senior Manager for Cyber Risk Services at Yum! Brands.
The 2024 Annual Cybersecurity Risk Report
The FAIR Institute Cyber Risk Report is designed to provide reference estimates for the probability, loss, and loss exposure of common cyber events. It summarizes the findings by industry and event themes and details how actionable variables, such as security stance and data retention management, can reduce risk exposure. This year, we are pleased to present original research from EY on the challenges of implementing a cybersecurity program, a survey that revealed the structural problems that hold back many programs and the attributes of the most effective CISOs – as EY calls them, “Secure Creators.” At the FAIR Institute, we believe that transparency and accountability in cyber risk management are best served through cyber risk quantification (CRQ) – with Factor Analysis of Information Risk (FAIR™), the international standard for CRQ, built on a foundation of carefully curated data. We based our 2024 Cybersecurity Risk Report on FAIR analyses and extensive research by our data science advisors. We invite you to discover the most relevant cyber risk data for your organization and benchmark your performance against peers in your industry and others.
The CRQ Program Development Lifecycle
This next case study session will focus on best practices for enterprise-level FAIR-based CRQ program development. From the initial development of a program charter to the measurement and monitoring of program performance and optimization, the well-established phases and processes of the CRQ Program Development Lifecycle provide a proven methodology to ensure productive outcomes, including executive-level engagement, analyst proficiency, use case selection, powerful storytelling, business alignment, and higher levels of program success. Join me in welcoming Zach Cossairt, Integrated Risk Program Senior Manager at Equinix, and Jon Oppenhuis, Director, Risk Strategy and Success at Safe Security.
Using Cyber Risk Intelligence to Scale Third Party FAIR Assessments
This next case study session is titled Using Cyber Risk Intelligence to Scale Third Party FAIR Assessments with John Feezell, Assoc. Director, Security Counseling at Kyndryl and Bob Maley, Chief Security Officer at Black Kite. In this session, Bob and John will discuss how the additional context of cyber ratings, compliance assessments, ransomware and data breach intelligence and other cyber risk information can help scale your FAIR assessments.
Scenario Planning for Effect
Our last session in Track 1 today is presented by Aaron McKay, Cybersecurity Engineer at SCRAM Systems and Jack Whitsitt, Director of CRQ at Ostrich Cyber-Risk discussing a case study on scenario planning for effect.
Fireside Chat: Incident Response and Materiality
I’m happy to introduce our participants in conversation today discussing Incident Response and Materiality: Kevin Mandia, CEO of Mandiant, and Saket Modi, CEO of Safe Security, Technical Advisor to the FAIR Institute. Kevin is the Chief Executive Officer of Mandiant at Google Cloud. He has served as the company’s Chief Executive Officer since June 2016, including as Chief Executive Officer of FireEye, Inc. until its corporate name change to Mandiant, Inc. in October 2021. Kevin served as a member of the company’s Board of Directors from February 2016 until September 2022, when Mandiant became a part of Google Cloud. Saket Modi is the Co-Founder and CEO of Safe Security, a Cybersecurity and Digital Business Risk Quantification platform company. A computer science engineer by education, he founded Safe Security in 2012 while in his final year of engineering. Safe Security protects the digital infrastructure of multiple Fortune 500 companies around the world.
4 Steps To SEC Compliance – Sponsored Webinar with Ostrich Cyber-Risk
As the December 2023 SEC deadline approaches, it is crucial for organizations to prepare for changes effectively. Join this webinar with Jack Whitsitt, Director of Cyber Risk Quantification (CRQ) at Ostrich Cyber-Risk, where he will cover: Materiality & Risk: Understand the importance of materiality, risk appetite, tolerance, thresholds, and how to assess and quantify them. CRQ Integration: Learn how CRQ seamlessly measures these concepts, facilitating clear communication with the SEC and your Board. Implementation Steps: Discover actionable steps you can take today.
How to Achieve SEC Compliance with a Real-time and Automated FAIR Solution - Safe Security Sponsored Webinar
New SEC Cyber Risk Disclosure Rules mandate a transformation in how publicly traded companies identify, measure, and report on the cyber risks that reach the level of material impact. Businesses need to develop frameworks and processes to make this fundamental shift swiftly. But how? Join this sponsored webinar with Molly Slocum, Director of Product Management from our Technical Advisor, Safe Security, moderated by Jack Jones, author of the FAIR™ methodology and Chairman of the FAIR Institute. Molly will present on how you can provide your organization with an automated, real-time, and quantitative risk management program based on FAIR™. Get actionable insights on how to: • Automate FAIR™ to measure the probable material impact of cyber risk • Report on material cyber risks in financial terms that satisfy regulators and your Board • Demonstrate a transparent cybersecurity strategy protecting investor interests using the most advanced, AI-driven solution. Plus, hear real customer use cases of how AI-driven Cyber Risk Quantification has equipped businesses to identify, measure, and communicate cyber risk in real time.
An Introduction to the FAIR Materiality Assessment Model (FAIR-MAM™)
The FAIR Institute is releasing a new standard to help organizations assess the materiality of cybersecurity risk and incidents, called the FAIR Materiality Assessment Model (FAIR-MAM™). FAIR-MAM expands the loss magnitude factor of the FAIR model and provides a more detailed taxonomy and breakdown of the loss categories driven by cybersecurity incidents.
What the New SEC Regulation on Cyber Reporting Means for the Risk Management Profession - Webinar
As many of us know, the SEC Commissioners voted to adopt the proposed rule on cyber security. This rule aims to elevate the cyber risk reporting and management practices for public companies (registrants) in the US, to help investors in such companies consider the probable impact of cyber risk as they make investment decisions. This will be a forcing function for companies to adopt trusted cyber risk quantification (CRQ) models such as FAIR™ and adopt processes and tools that provide them with visibility into their material risks and incidents. Tune in to hear industry experts as they explain and discuss what this all means for the risk management profession. Key advice will be shared on how to navigate these new rules together and how CRQ is the top way you can help your organizations be compliant.
GRC and CRQ - A (Good) Story of Codependency - Sponsored Webinar with Ostrich Cyber-Risk
In order to understand how best to plan for and execute Cyber Risk Quantification (CRQ) as a practice and a program, it’s best to start by understanding how it fits into more traditional Governance, Risk and Compliance (GRC). Leveraging a CRQ tool in a GRC program provides a means to measure cyber risk levels objectively. CRQ is not intended to ‘replace’ or ‘bolt on’ to an existing GRC program. Instead, CRQ informs an evolution of existing practices, and those practices plus CRQ must be taken into consideration as they blend into an enhanced approach to decision-making by leveraging the common ground: METRICS. In this webinar, you will learn how GRC programs and CRQ tools together will help you: • More accurately estimate and track exposure to financial losses • Prioritize between compliance and regulation requirements • Prioritize cyber investments, allocate budget and adjust strategy • Highlight the decrease in potential financial losses to determine which regulatory or compliance requirement is worth investing in • Inform stakeholders how you are meeting new cyber regulations
Case Study - Improving Cyber Risk Visibility and Decision-Making with Maersk
Moving right along to our next session, allow me to introduce the Cyber Security Risk Team from Maersk. This case study session will provide a world class example of how Maersk is using quantification to improve cyber risk visibility and their companywide decision making. Here to present today are Pooya Alai and Rebekka Kurland!
Keynote by Jack Jones - The Future of Cybersecurity Risk Measurement
Next up, we have the author and creator of the FAIR Model, Jack Jones with a new and forward-looking presentation on The Future of Cybersecurity Risk Measurement. Jack has worked in information security for over thirty-five years, ten years of which as a CISO with three different companies, including a Fortune 100 company. In 2012 Jack received the CSO Compass award for risk management leadership. An adjunct professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs. Jack created the “Factor Analysis of Information Risk” (FAIR) model which has been adopted as an international standard. Currently, Jack is the Chief Risk Scientist at RiskLens and Chairman of the FAIR Institute, our award-winning global non-profit organization with over 13,000 members worldwide. He has also co-authored a book on FAIR entitled “Measuring and Managing Information Risk, a FAIR Approach” which was inducted into the Cyber Security Canon in 2016.
Keynote by Nick Sanna - How Risk Economics Can Help Us Win the Battle in Cyberspace
For our Opening Keynote, “How Risk Economics Can Help Us Win the Battle in Cyberspace”, it is my pleasure to introduce Nick Sanna, FAIR Institute Founder and President. Nick founded the FAIR Institute in 2016 as an expert non-profit organization due to a growing demand from an expanding FAIR community. The idea was to create a forum for learning about FAIR, for developing and sharing innovative best practices, and to serve as a platform for networking with peers. He was supported in this effort by the author of FAIR, Jack Jones, the Institute's Chairman, and by industry representatives from companies such as Fannie Mae, Cisco, Bank of America, and Northern Trust. Outside of his volunteer work at the FAIR Institute, Nick is the CEO of RiskLens, a software company that has developed an enterprise platform based on FAIR and that acts as the Institute's Technical Advisor. Please welcome Nick Sanna!
Learn MoreCase Study for Cyber Risk Quantification in Luxury Watchmaking with Richemont
Next up is our final case study for the day from Pierre Olodo, Cyber Risk Specialist at Richemont. Pierre will share two scenarios having to deal with CRQ when it comes to luxury watchmaking. A unique take on the craft! Help me welcome Pierre to the stage
Learn MorePanel - What Does Effective Cyber Risk Oversight Look Like?
We have a stellar panel lined up. This session is titled “What Does Effective Cyber Risk Oversight Look Like?” and it will dive deeper into Nick’s presentation, and you will hear some real-life examples. The group will discuss the different roles around oversight and share leading practices on what works and works well. Help me welcome to the stage our panel moderated by Julian Meyrick: • Phil Huggins, CISO, NHS England • Jo Armstrong, Head of UK Card Technology Risk Management, Capital One • Naomi Gilbert, Head of Cyber Resilience Policy, Dept. for Digital, Culture, Media and Sport • Daniel May, Regional CISO, Commerzbank
Learn MorePanel - Communicating Cyber Risk to Management and the Board
Welcome back for our next panel session of the day focused on “Communicating Cyber Risk to Management and the Board. We will be discussing the ever present and important topic of communication and will hear the best tips for performing it successfully. Joining us today are our panelists: • Moderator: Jack Whitsitt, Director of Cyber Risk Quantification, Ostrich Cyber-Risk • Keyun Ruan, Risk Economics and Quantification Lead, Google Cloud • Cedric De Carvalho, Head of Group Cyber Risk & Advisory, Richemont
Learn MorePanel - Moving from a Compliance-Based to a Risk-Based Approach to Cybersecurity
I’m going to invite Jack Jones back to the stage to moderate a panel on “Moving from a Compliance-Based to a Risk-Based Approach to Cybersecurity” that will focus on the benefits and the how-tos of creating an effective strategy around this. Also help me welcome our panelists: • Paul de Luca, Head of Cyber Risk, HPE • Laura Voicu, Manager Security Assurance and Risk Management, InfoSec, Elastic • Hardip Bharj, Head of Security Risk Management, SAP
Learn MoreApproach and Lessons Learned From Building a Cyber Risk Quantification Program with Fresenius
Rolling right into our next case study session from the Fresenius Group. These presenters are going to talk about their experiences and share what they have learned from building a CRQ program. Let’s now welcome to the stage, David Steng, Director, Cyber Risk & Economics, Group Cybersecurity Office and Ferhat Yazgili, Senior Cyber Risk Manager from Fresenius Group.
Learn MoreEurope Summit Closing Remarks with Tony Morbin, News Editor EU, Information Security Media Group
Finally, I am going to hand over the stage to Tony Morbin, Executive News Editor for the EU at Information Security Media Group. Tony has been working and writing in the information security space for years and was previously editor at IT Security Guru and SC Media UK. Tony has been speaking with you all today and listening to the presentations and will now help us close out the day with summary thoughts while relaying them to industry trends.
Learn MoreMeasurement Planning Webinar - Sponsored Webinar with Ostrich Cyber-Risk
Often, when getting started with CRQ, organizations tend to focus on how to quantify individual scenarios. While this is an important step, it soon becomes clear that measuring risk for decision support purposes requires a suite of scenarios working in combination to suit a variety of purposes. This “scenario suite” should be treated as one entity composed of individual scenarios that are collectively comparable, fit for purpose, re-useable, and sustainable. At this webinar, we will introduce the concept of developing a “Measurement Plan” to support this concept and we will touch on several techniques that can be used to assure your Cyber Risk Quantification work meets both current and future needs.
Learn MoreToday’s Best Practices for Cybersecurity Risk Measurement - FAIR Institute Seminar at RSAC23
At RSAC23 this week, FAIR Institute Chairman Jack Jones challenged an audience of 400 in two seminars to move beyond today’s common cyber risk measurement practices that don’t reliably measure risk and re-focus on some basic techniques advanced in Factor Analysis of Information Risk (FAIR™).
How Government Can Help Manage Cyber Risk - The Example of the New Cybersecurity Framework in Jordan
H.E. Eng. Bassam Maharmeh, President, National Cyber Security Center of Jordan
How to Address Common Cyber Risk Management Challenges with FAIR™
Osama Salah, Head of IT Information Security Transformation Program, Abu Dhabi Department of Finance
How Risk Economics Can Help Us Win the Battle in Cyberspace
Nick Sanna, President, FAIR Institute; CEO, RiskLens; Board Member, ISA
Advancing Cyber Risk Management Practices in Your Organization - Practical Tips and Next Steps
Mohamed Adbulrahim, Managing Director, Octopian Security; Co-Chair, FAIR Chapter Jordan
Improving Cyber Risk Visibility and Decision-Making - Practical Use Cases
Iman Khalid Al Marzouqi, Group Support Services Director, Alpha Dhabi Holding
Measuring and Managing Cyber Risk Effectively - A FAIR Approach
Jack Jones, 3x CISO, Award-winning Author of the FAIR Model, Chairman, FAIR Institute, Chief Risk Scientist, RiskLens
Creating National Cyber Risk and Governance Culture
Ahmed Al-Qawasmi, Chief Internal Audit Officer, MEPS; Majdi Armouti, CEO, Digital Haze; Ismael Al-Hinti, Pres., Al Hussein Technical University; Iyad Khorma, CEO, Aqaba Digital Hub
Webinar - Understanding CRQ - A Buyers Guide Review V2
Jack Jones, Chairman, FAIR Institute; Author, FAIR™ Model
"Understanding Cyber Risk Quantification: The Buyer’s Guide" by Jack Jones - V2 Published 2023
From Jack Jones, Chairman of the FAIR Institute and creator of the FAIR model for cyber risk quantification (CRQ): the definitive guide to understanding CRQ, covering what it is (and isn't), its value proposition and limitations, and the facts behind commonplace misperceptions.
Getting Your Money's Worth: Putting Your Controls Inventory to Work
Marta Palanques, Director of Risk Methodologies in Technology Risk Management at Capital One
Case Study: Quantifying the Control and Risk Landscape Using FAIR-CAM
Tyler Britton, Quantitative Cyber Risk Manager at DropBox
New Member Engagement Packet
A quick overview of the FAIR Institute to get you started.
Fireside Chat - A Legislative and Policy Update on Cybersecurity and Risk Management
Moderator: Larry Clinton, President, Internet Security Alliance (ISA); Mark Montgomery, Executive Director, CyberSolarium.org; Frank Cilluffo, Commissioner, CSC
Fireside Chat - What the Revised SEC Guidance on Cyber Risk Disclosures Means for You
David Hirsch, Chief of the Crypto Asset and Cyber Unit, Division of Enforcement, SEC; Kristy Littman, Fmr. Chief of Enforcement - Cyber Unit, SEC
Panel: Driving Culture Change - From a Compliance to a Risk-based Approach to Cybersecurity
Moderator: Omar Khawaja, CISO, Highmark Health; Mark Tomallo, SVP, CISO, Victoria’s Secret; Mary Elizabeth Faulkner, CISO, Thrivent Financial; Jeff Norem, Deputy CISO, Freddie Mac
Panel: Communicating Cyber Risk to the Board and the Business: How Is It Changing?
Moderator: Julian Meyrick, Managing Partner & Vice President, Security Strategy Risk & Compliance, Security Services, IBM; James Lam, Board Director & ERM Author; Evan Wheeler, Sr. Director, Technology Risk Management, Capital One; Michael Meis, Associate CISO, KU Health
FAIR, Okay, Now What - Steps to Set Up a Quantitative Risk MGT Program at Any Org with Michael Meis
Michael Meis, Associate CISO, KU Health
Managing Cyber Risk as a Strategic Enterprise Risk - John Button, Gartner
John Button, Principal Enterprise Risk Advisor, Gartner
Case Study - Five Objections to FAIR and How to Overcome Them with Netflix
Tony Martin-Vegue, Senior Information Security Risk Engineer, Netflix; Prashanthi Koutha, Senior Risk Engineer, Netflix
Presentation - Expedia Group’s Approach to Build an Effective Security Risk MGT Program using FAIR
Krishna Sheshabhattar, Director, Security, Risk, and Compliance, Expedia Group; Randy Spusta, Global Competency Leader, Security Strategy Risk & Compliance Practice, IBM Security
Case Study - Refining the “R” in GRC at Scale with Mike Radigan, Cisco
Michael Radigan, Cyber Risk Advisor, Cisco
Case Study - Scaling FAIR for M&A & Beyond - Combining Bottom-Up and Top-Down Approaches with Richemont
Cedric de Carvalho, Head of Group Cyber Risk & Advisory, Richemont
Presentation - Justifying the Value of Cybersecurity to the Business with Omar Khawaja
Omar Khawaja, CISO at Highmark Health, on their BOSITE Framework
Case Study - Harnessing The Voltage Effect to Scale our FAIR Risk Programs with Zach Cossairt, Equinix
Zach Cossairt, Information Risk Program Manager, Equinix
Case Study - Embedding CRQ in the Infosec Governance Process of a Fast-Growing Pop Culture Retail Org.
Markus Kaufmann, CISO, Senior Director of Information Security, Funko; Tom Callaghan, Co-Founder, C-Risk
Case Study - Building a Strong Foundation for your Quantitative Risk MGT Program with Tim Wynkoop
Tim Wynkoop, Sr. Information Security Risk Engineer, Equinix
Panel - Scaling a Quantitative Risk Management Program
Andrew Retrum, Managing Director, US Security Program & Strategy Practice Lead, Protiviti; Brenda Thayer, Senior Manager, Technology Risk, Fannie Mae; David Severski, Senior Security Data Scientist, Cyentia Institute; Tim Kelly, Senior Manager, Protiviti
Presentation - Unveiling the IRIS 2022 - Bigger Scale, Greater Depth, and More Data for Your CRQ Program
Wade Baker, Partner, Cyentia Institute; David Severski, Senior Security Data Scientist, Cyentia Institute
Presentation - Trends in Determining Systemic Cyber Risk for the Financial Services Industry
Matthew Tolbert, Sr. Cybersecurity Specialist, Supervision and Regulation, Fed Reserve Bank of Cleveland
Closing Remarks with Derek Johnson and Jack Jones
Jack Jones, Chairman, FAIR Institute, and Derek Johnson, Senior Reporter, SC Media
Presentation - Scaling FAIR for Third Party Risk Management with Black Kite
Bob Maley, Chief Security Officer, Black Kite
Keynote Address: Trusting Risk-Informed Decisions with Jack Jones
Jack Jones, Chairman, FAIR Institute
Keynote - How Risk Economics Can Help Us Win the Battle in Cyberspace with Larry Clinton
Larry Clinton, President, Internet Security Alliance (ISA)
Presentation: Subjective Judgements: Outperforming Your Current Best Experts with Doug Hubbard
Douglas Hubbard, President, Hubbard Decision Research
Panel - CIS, NIST 800-53, ISO27000 - Mapping Leading Control Frameworks to FAIR-CAM™
Moderator: Jack Jones, Chairman, FAIR Institute; Daniel Stone, Associate Director, Security & Privacy, Protiviti; Erin Macuga, Manager Risk and Information Security, Thrivent Financial; Robert Immella, Global Leader of Cyber Risk Quantification, Caterpillar Inc; Tyler Britton, Quantitative Cyber Risk Manager, DropBox; Drew Brown, Information System Security Developer, FAA
Presentation - How to Scale FAIR Programs with Controls Analytics with RiskLens
Jack Jones, Chairman, FAIR Institute, Chief Risk Scientist, RiskLens; Bryan Smith, CTO, RiskLens
Preparing for the Quantum Threat to Cryptocurrency and Cryptography - Protiviti Sponsored Webinar
The Future of Cybersecurity Risk Measurement at RSAC22 - Slide Deck
Hello and good morning. Welcome to our seminar today from the FAIR Institute, where we will be diving into the Future of Cybersecurity Risk Measurement.
Maturing A Quantitative Risk Management Program in the Federal Government
Overcoming the Challenges of Mapping NIST CSF to FAIR-CAM™
Unveiling My Cyber Risk Benchmark: Risk Quantification for All
Critical Do’s and Don’ts of Cyber Risk Board Reporting
Building a Quantitative Cyber Risk Program Based on FAIR
New study demonstrating CRQ parameters
The Cyentia Institute just released a new study that analyzes 2000 incidents affecting nonprofit organizations to derive estimates and parameters for loss event frequency, loss magnitude, common incident patterns, etc.
An Overview of the FAIR Controls Analytics Model (FAIR-CAM™)
Click below to download the white paper "An Overview of the FAIR Controls Analytics Model (FAIR-CAM™)".
Operationalizing FAIR at a Healthcare Insurer and Provider - Advanced Track Meeting - Sept 23, 2021
In the webinar “Operationalizing FAIR at a Healthcare Insurer and Provider: Initial Mis-Steps, Current Use Cases, and Future State,” Greg and Jason will discuss how Highmark Health took the next steps after identifying Top Risks, some of the challenges they have faced, how they are currently using FAIR to drive decision-making, and what their vision for FAIR at Highmark looks like.
Common Use Cases of FAIR Analysis - Beginner Chapter Meeting #3 - September 15, 2021
FAIR is the most common quantitative methodology in the technology and operational risk field, enjoying wide adoption and abundant resources to help those getting started.
Protiviti Sponsored Webinar - Establish Your Cyber Risk Management Baseline
After an organization has successfully conducted FAIR analyses, many wonder how they can expand their use of risk quantification to better understand their overall cyber risk exposure.
2019 Cyber Risk Management Maturity Benchmark Survey
The FAIR™ Institute’s third annual Cyber Risk Management Maturity Benchmark Survey results are in, and show “a lot of opportunity left in the risk management space for improvement,” says survey report author and FAIR Institute Fellow Jack Freund, PhD.
FAIR Institute Chapter Meeting - Advanced Track Meeting 1 - Reporting Risk to the Board
Presenters: Matt Kruse, Senior Director - Risk, Information Security and Compliance (RISC), FIS Global; Nick Corzine, Manager, Quantitative Cyber Risk Analysis, Centene
FAIR Institute Chapter Meeting - Incentivizing Better Risk Decisions: Lessons From Rogue Actuaries
Presenter: Tony Martin-Vegue, Sr. Information Security Risk Engineer, Netflix
How to Manage and Communicate Cyber Risk in Business Terms - Association Seminar at RSAC21
Here is the FAIR Institute's 3-part seminar on the business benefits of cyber risk quantification at RSA Conference 2021.
FAIR Institute Chapter Meeting - What They Didn't Teach You In FAIR School
Presenter: Jack Whitsitt, FAIR Institute Board Member, SIRA Board Member, Cybersecurity Psychologist
FAIR Institute Chapter Meeting - Beginner Track Meeting 1 - FAIR Overview
Recording and slide deck below.
Webinar: Protiviti Experts Break Down NISTIR 8286 – Perspectives from the Field - Protiviti Sponsor
Slides and recording available below.
WEBINAR: Use Case Presentation on Using FAIR for the Implementation of a New System
Join us for the use-case webinar presentation, organized by the FAIR Institute in Spanish, to learn about using FAIR for the implementation of a new IT system at Ascena Retail Group, a Fortune 500 company in the United States.
Measuring the Cyber Attack Surface - RiskRecon Sponsored Webinar Recording
Webinar recording and slide deck below.
Webinar - Discussion on New Whitepaper - "Building a Program with HITRUST & FAIR"
Webinar recording and slide deck below.
FAIR Institute and HITRUST Plan Integration of FAIR Standard and HITRUST CSF
The FAIR Institute and HITRUST® launched an effort to integrate FAIR™, the international standard for cyber risk quantification, with the HITRUST CSF, the cybersecurity controls framework in use at hundreds of thousands of organizations, including 75% of Fortune 200 companies.
C-Level Panel - Improving Decision Making through the Adoption of FAIR
Frank Kim, Curriculum Director, SANS Institute
Clarifying SEC’s Expectations for Cyber Risk Disclosures
Kristy Littman, Chief, Cyber Unit, Division of Enforcement, U.S. Securities and Exchange Commission (SEC)
Roundtable - A Strategic Approach to Defending the U.S. in Cyberspace
Moderator: Nick Sanna, President, FAIR Institute
Use Case Panorama - How FAIR Analysis Improves Risk Communication and Decision Making
Moderator: Donna Gallaher, Board of Advisors, FAIR Institute
Roundtable - Helping the Board Exercise Proper Cyber Risk Oversight
Larry Clinton, President, ISA
Case Study - How FAIR Analyses Support Decision-Making at Netflix
Tony Martin-Vegue, Sr. Information Security Risk Engineer, Netflix
Presentation - Improving DevSecOps with FAIR at DoorDash
Sarina Hothi, Security Project Manager, DoorDash
Presentation - Updates to the Open FAIR Standards
John Linford, Forum Director, Security Forum & Open Trusted Technology Forum (OTTF), The Open Group
Keynote Conversation - How to Help the Business Make the Right Decisions on Risks They Struggle to See
Michele Wucker, Author, "The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore"
Case Study - Decision Making with FAIR - Quantification and The Rise of Class Action Lawsuits
We have all seen the value of running FAIR analysis across a number of business situations. But how can the output of FAIR analyses be applied to everyday business decisions?
Presentation - The Team as a Measurement Instrument
Douglas Hubbard, Author, "How to Measure Anything in Cybersecurity Risk"
Panel - How FAIR Can Help Better Integrate Cyber Risk with ERM
Moderator: James Lam
Case Study - Building a Program with HITRUST & FAIR
Marshall Lambert, Team Lead, Cyber Risk Quantification, Highmark Health
Case Study - Protecting Government Information and Assessing Controls at Scale
Anthony Corso, Assistant Commissioner, Office of the Victorian Information Commissioner
Conversation - OCC Insights for Cyber Risk Assessments
Bill Barouski, Chief Information Risk Officer, Northern Trust Corporation
Presentation - Drivers for IRM, Digital Transformation & Cost Optimization
Moderator: Sounil Yu, CISO, YL Ventures & Board of Advisors Member, FAIR Institute
Opening Keynote: Factoring Risk in Decision Making: Better Risk Measurement Enables Better Decisions
Welcome Remarks and Opening Keynote: Factoring Risk in Decision Making: How Better Risk Measurement Enables Better Decision-Making
Presentation - How to Rapidly Triage Issues and Findings to Focus on What Matters Most
David Elfering, Senior Director of Information Security
Pres. - Managing Risk in Times of Crisis: Applying FAIR to Become More Business-Centric during COVID
Omar Khawaja, CISO, Highmark Health
Presentation - How Better Data Can Help Executives Make Better Decisions
Wade Baker, Partner & Co-Founder, Cyentia Institute; Member, Board of Advisors, FAIR Institute
Case Study - Reporting Cyber Risk to the Board: Real Life Examples
Matt Kruse, Senior Director - Risk, Information Security and Compliance (RISC), FIS Global
Presentation - Prioritizing NIST CSF Activities with FAIR
Richard Barretto, Security Operations Manager, Cimpress; Jack Freund, Fellow, FAIR Institute
Case Study - Enhancing HIPAA Risk Assessment with FAIR
Reny Mathew, InfoSec Analyst, Cambia Health Solutions
Case Study - Building A Quantitative Risk Management Program in the Federal Government
Emery Csulak, Principal Deputy Chief Information Officer, U.S. Department of Energy (DOE)
Presentation - Support Your Company’s Digital Transformation during Times of Crisis
Harold Marcenaro, Digital Risk Officer, Banco de Credito del Peru (BCP)
FAIR Institute Introductory Webinar for Latin America and South America
Dear specialists of Latin America, the FAIR Conference 2020 (FAIRCON2020), the leading global conference on quantitative risk management, will be held digitally on October 6 and 7 (Tuesday and Wednesday).
Weaving a Safer Web: Significant Risks from Insignificant Details - RiskRecon Sponsored Webinar
As organizations continue to adjust to the current digital climate, security teams have had to shift their focus: enhancing work-from-home security measures, managing changes to the digital supply chain, and monitoring the ever-expanding data universe. Yet recent research has shown that some businesses are ignoring basic security principles, leaving themselves exposed to serious threats.
Rapid Risk Assessments: Identifying and Prioritizing Risks in Minutes Instead of Months - RiskLens
Many information security teams are running risk assessments that are qualitative in nature and do not provide results in terms business leaders and decision makers can understand.
Using FAIR to Understand Change in Resilience Risk - Protiviti Sponsored Webinar
This webinar is a step-by-step walk-through from the primary authors of Protiviti’s latest thought leadership piece, “Understanding Changes in Resilience Risks From Technology Advancements.”
How Financial Risk Quantification Can Help Federal Agencies Better Integrate Cybersec. Risk & ERM
Listen in to learn how Financial Risk Quantification can assist in integrating Cybersecurity Risk and ERM.
Reducing Cybersecurity Risk by Automating Continuous Vendor Assessment - Sponsored by RiskRecon
Assessing cybersecurity risk has taken on a new meaning as organizations shift toward virtual operations and companies focus on maintaining operations.
Making Better Cyber and Technology Risk Decisions - Part 3 Webinar with Jack Jones
How to Get Started with Quantification & FAIR
ISACA Journal Case Study: ‘Building a Rock-Solid ERM Culture on FAIR™’
The latest issue of the ISACA Journal presents a detailed case study on the long-running FAIR™ program at Rock Holdings, Inc. (parent company of Quicken Loans and Rocket Loans), and how “FAIR implementation transformed the business’ enterprise risk management (ERM) program and risk culture.”
Making Better Cyber and Technology Risk Decisions - Part 2 Webinar with Jack Jones
Advantages of a Quantitative Approach to Cyber Risk
Making Better Cyber and Technology Risk Decisions - Part 1 Webinar with Jack Jones
Successfully managing today’s complex and dynamic cyber and technology risk landscape requires being able to prioritize well and communicate effectively to executive stakeholders.
"Use Risk Quantification to Change Executive Priorities and Investments in Security" Webinar
Security and Risk Management leaders are exploring various methodologies for measuring information risk.
Cyber Risk Through a Cyber Situational Awareness Lens - Webinar with Jack Jones
The military has leveraged the concept of situational awareness to improve decision-making, particularly in the face of uncertainty.
Managing Cyber Risk with FAIR and NIST CSF - Webinar with Jack Jones
NIST CSF is intended to help organizations become more risk-focused.
WEBINAR: Reducing Cyber Risk from Employees Working at Home Case Study
Many companies are currently looking at work-from-home options for employees in response to the Coronavirus pandemic, while still maintaining control over sensitive corporate data.
RSAC20 Seminar Slides - A FAIR Approach to Cyber and Technology Risk Measurement
Risk management expectations are evolving, especially with regard to how risk is being measured and communicated.
FAIR Institute Interview with Jack Jones and Michele Wucker, author of "The Gray Rhino"
It was a meeting of the minds: FAIR model creator Jack Jones, who has dedicated his career to advocating for quantitative, critical thinking over the easy-button practices of conventional cyber risk management, and Michele Wucker, author of The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore, a highly acclaimed book that is getting renewed buzz as a result of the “unforeseen” coronavirus crisis, which was all along like a snorting gray rhino about to charge.
FAIR Breakfast Meeting During RSAC20 - Building Effective Cyber Risk Management Programs that Work
Key Points from Jack Jones and CISOs on Adopting FAIR
FAIR Breakfast Meeting During RSAC20 - Building Effective Cyber Risk Management Programs that Work
All slide decks are attached for download below.
Webinar Recording - Fannie Mae Cyber Intelligence Team Drives Culture Change Around Risk Using FAIR
Organizations starting out on their FAIR journey have probably heard the pitch several times by now: the qualitative High/Medium/Low “risk ratings” don’t cut it anymore.
Combining NIST CSF and FAIR to Drive Better Cyber Risk Decisions - RiskLens Sponsored Webinar
If you are a private sector organization driving your security program forward with the NIST CSF framework, or a U.S. Government Agency working to adhere to the NIST Framework for Improving Critical Infrastructure Cybersecurity, you're on the right track to better outcomes.
2019 Risk Management Maturity Benchmark Survey Results Webinar
Join Jack Freund, PhD, co-author of the FAIR Book “Measuring and Managing Information Risk: A FAIR Approach”, and our expert panel for this engaging webinar on Thursday, December 19 at 11 AM EST.
Webinar: Quantified Cyber Risk Management: Three Steps to Success with Highmark Health
Interactive discussion focusing on Highmark Health's two-year journey to implement quantitative cyber risk management methods.
Profiling Organisation - FAIR Analysis - post by Denny Wan, Chair of the Sydney Local Chapter
The Open Group FAIR cyber risk quantification framework aims to create a common risk language that all can understand across an organisation.
Am I Mature Enough to Adopt FAIR? - Uncovering the True Success Factors
Finding your team's "True North" when starting a FAIR program can be overwhelming.
Various Stages of FAIR Adoption - Geoji Paul, Centene and Nathan Thomack, Emerson
Please welcome to the stage Geoji Paul, Director of Information Security Risk at Centene, and Nathan Thomack, Manager of Cybersecurity Risk Management at Emerson, for their session “Various Stages of FAIR Adoption.”
Integrating Cyber Into ERM
Thank you all for joining our panel session “Integrating Cyber Into ERM.”
Why Digital Business Needs IRM & Risk Quantification by John Wheeler, Gartner
Day 2 Keynote Speaker: John Wheeler, Global Research Leader - Risk Management Technology at Gartner.
Using FAIR to Take the Headache out of Considering Cyber Insurance for your Business - Walmart
At Walmart, the use of FAIR-based risk quantification methods enables decision makers to effectively evaluate cyber-insurance policies.
A Crash Course on Quantitative vs. Qualitative with Evan Wheeler
The title of this presentation is “A Crash Course on Quantitative vs. Qualitative.” This presentation will help us answer two questions: should I adopt a formal risk model, and should I quantify risk?
Pen Testing Your Board Pitch: An Interactive Exercise
This session will provide actionable advice on satisfying board members’ appetite for cyber risk analysis on an equal, quantitative footing with enterprise risk management (ERM).
Integrating Strategic Cyber Threat Intel and FAIR, Musso Shaikh, Cyber Threat Intel, Fannie Mae
A mutually beneficial relationship exists between threat intelligence and quantitative risk assessments via FAIR.
Scoping Enterprise Risk Assessments - Keith Weinbaum, Quicken Loans
Please welcome Keith Weinbaum, Enterprise Risk Management Architect at Quicken Loans.
Operationalizing Risk Quantification in Business Processes with Jack Whitsitt
So, you’ve brought FAIR into your organization. You got the executive buy-in, were trained, and are now a FAIR shop.
Closing the Risk Management Loop with Cyber Risk Quantification with Greg Rothauser
A growing list of financial services organizations are using FAIR to mature their information risk management function and effectively address the most significant risks.
Building a Cybersecurity Program with a Risk Management Framework & FAIR
Many organizations rely on risk management frameworks such as NIST CSF and HITRUST as guidance for building best-practice cybersecurity programs.
CISO Panel: Defining the Goals of an Effective Risk Management Program
The next session, “Defining the Goals of an Effective Risk Management Program”, will include expert CISOs who are leaders of this movement and who will share their experience with us.
How to Measure Risk with Limited and Messy Data: Overcoming the Myths by Doug Hubbard
Doug is the author of the books How to Measure Anything, How to Measure Anything in Cybersecurity Risk, and The Failure of Risk Management, and a consultant through Hubbard Decision Research.
The View from U.S. Congress - Cong. Jim Langevin, Co-Chair, Congressional Cybersecurity Caucus
Securing our nation’s technology infrastructure against cyber-attacks is a top priority for Rep. Langevin.
Managing Organizational and Third-party Risk in the Age of Digital Transformation
Managing Organizational and Third-party Risk in the Age of Digital Transformation: Practical Lessons and Data-influenced Considerations
Use Case Panorama - How Quantification Enables Risk-Aligned Decision Making
Real-life business decisions at some of the world's largest companies are being made every day based on quantitative risk assessments.
Enabling Risk Management Programs That Actually Work by Jack Jones, Chairman, FAIR Institute
For our opening keynote, I would like to introduce Jack Jones, author of FAIR and Chairman of the FAIR Institute, who will discuss “Enabling Risk Management Programs That Actually Work.”
Compilation of Risk Assessment Guidelines from Various Regulatory and Compliance Entities
The Cyber Risk Management Workgroup has now published a compilation of risk assessment guidelines from various regulatory and compliance entities, intended to be used as an overview for practitioners.
Regulatory/Compliance Risk Assessment Overview for FAIR Practitioners
Attached is the Cyber Risk Management Workgroup deliverable "Regulatory/Compliance Risk Assessment Overview for FAIR Practitioners".
The Road to Cyber Risk Maturity - 2018 Risk Management Maturity Benchmark Survey Report
Our second annual Benchmark Survey Report provides insights into the current state of the industry and how best to move forward.
Video: 2018 Risk Management Maturity Benchmark Survey Results Webinar
Member Engagement Packet for the FAIR Institute
Have questions about where to start within the Institute? Want to find out how best to get started?
Board Oversight of Cyber Risk - Baseline Diagnostic Guide
Download attachment below.
Wheel of Fire Hits Stack - A New Way of Visualizing Effective Risk Management
"We need effective risk management to make well-informed decisions and we need effective risk management to measure those decisions and, over time, sometimes a relatively short time, to challenge the status quo as our environments change and as we know and understand more.
Jack Jones - Managing Cybersecurity Surprises - the Executive's Perspective
“Executives hate surprises” begins a new white paper, Managing Cybersecurity Surprises – the Executive’s Perspective, by FAIR model creator Jack Jones, which goes on to detail the four most likely reasons that organizations get blindsided by cybersecurity failures:
Panel: How to communicate the value of FAIR to internal and external stakeholders
Technical Advisor, RiskLens Sponsored Webinar
Seasoned risk consultant and FAIR expert Rebecca Merritt of RiskLens will share her personal path to enlightenment (read: the FAIR model!) as a former IT Auditor for a Big 4 firm.
Information Overload - How Much Do Boards Really Need to Know About Cyber Risk
Slide presentation from Jack Jones on how to communicate better with Boards.
FAIR Institute Orientation Webinar for New Members
This webinar is hosted on a monthly basis for new members of the Institute. It is an overview of the offerings of the Institute and the advantages of becoming an engaged member.
About the FAIR Institute
Feel free to download and share the "About the FAIR Institute" presentation attached below to spread the word about FAIR and the FAIR Institute.
Industrial Company Assesses Ransomware Threat - Sponsored by RiskLens
This case study is designed as a scenario that would help inform management about the significance of an emerging risk, such as ransomware.
Financial Institution Prepares for GDPR and NYDFS Regulations Using RiskLens - Sponsored by RiskLens
A global banking and financial services holding company with over $300B in total assets is preparing for the upcoming European Union General Data Protection Regulation (GDPR) and New York Department of Financial Services (NYDFS) cybersecurity regulations.
Learn MoreFinancial Institution calculates Risk Exposure in Moving to Office 365 - Sponsored by RiskLens
A financial services institution with $10B in total assets was trying to determine if a move to Office 365 from their internally hosted Exchange Server made sense for the organization.
Learn MoreHealthcare Supplier Uses RiskLens to Identify Business Continuity Strategy - Sponsored by RiskLens
A large healthcare supplier serving more than 150 million Americans operated a key fulfillment facility in an area threatened by natural disasters.
Learn MoreManufacturing Company CISO Confidently Justifies IP Protection Project - Sponsored by RiskLens
The CISO at a global manufacturing company with $50 billion in revenue faced an all-too common problem: intellectual property (IP), critical to their success and position in their market, was scattered throughout the organization, exposing them to grave occurrences of IP ex-filtration.
Learn MoreVideo: 2017 Risk Management Maturity Benchmark Survey Results Webinar
Our first annual Benchmark Survey Report and Webinar provide insights into the current state of the industry and how best to move forward.
Learn MoreWhere Do We Go From Here? 2017 Risk Management Maturity Benchmark Survey Results Report
Our first annual Benchmark Survey Report and Webinar provide insights into the current state of the industry and how best to move forward.
Learn MoreImproving Risk Decisions
This article will provide insight into the factors that drive risk decisions, the role of business management and security experts in decision making, as well as the information that’s necessary in order to make well-informed risk decisions.
Learn MoreThe Failure of GRC
In this white paper, Jack Jones shares five reasons why many organizations are, at best, realizing only one of many important objectives.
Learn MoreEffectively Leveraging Data in FAIR Analyses
With the advent of FAIR, organizations finally have a model that enables effective cyber risk measurement. As a result, this document will provide guidance and examples to help organizations improve their FAIR-based risk analyses using these data sources.
Learn MoreA Clarification of "Risks"?
People in the risk management profession routinely use the word “risk” in different ways. Although this may be fine in a non-professional setting, it presents significant challenges in terms of our ability to accurately and efficiently identify, measure, and communicate about risk.
Learn MoreHow You Prioritize, Matters
This paper describes at a high level a comparison of the relative efficacy of prioritizing risk remediation activities using qualitative versus quantitative methods.
Learn MoreDoes Training Help Reduce Spear Phishing Risk?
Find out if training can reduce risk associated with spear and regular phishing in this case study.
Learn MoreCost-Benefit of Implementing Credit Card Database Tokenization
Review a case study on how much credit card number tokenization can reduce the risk associated with the card datastore.
Learn MoreA Risk-Based Approach for Information Security and Fraud Analytics
Review a Big Data Case Study on Using a Risk-Based Approach for Information Security and Fraud Analytics.
Learn MoreLearning Institution Assesses Best Architecture To Secure Cloud App
Understand how much risk is associated with different security encryption strategies related to cloud data.
Learn MoreCyber Risk Management Maturity
This document describes a more fundamental approach to defining and evaluating cyber risk management maturity.
Learn MoreBuilding a Sustainable FAIR Program
Learn from one of the most successful FAIR implementation teams.
Learn MoreMapping NIST CSF & FAIR - Slides from the Data Utilization Workgroup Call (11/08/2017)
Join Jack Jones as he explains how NIST CSF and FAIR act as complements to one another.
Learn MoreRoot-Cause Analysis - Break Out of Ground Hog Day
Applying Root Cause Analysis to a portfolio of issues can help identify and resolve systemic issues within your organization.
Learn More