With the growing interest in Factor Analysis of Information Risk (FAIR™), we hear a lot from people who have read about FAIR or even taken FAIR training and are really excited about the potential power of cyber risk quantification for risk management – but have come away with the impression that to actually bring a quantitative risk management program to life in their organization would be…
…a slow, evolutionary process.
Well, it is a process of upward evolution from qualitative, opinion-driven, red-yellow-green risk analysis to critical thinking about risk in financial terms. And yes, bringing your entire organization to a common way of thinking about risk as loss events instead of vague worries like “the cloud” is a great step forward.
Proven Use Cases to Start Quantitative Cyber Risk Management
