Feb 25 2021

How FAIR & ISO 27001 Work Together

Category: ISO 27k, Security Risk Assessment
DISC @ 11:43 am

We often are asked if FAIR™, the international standard for cyber and technology risk quantification and the basis of the RiskLens platform, is compatible with the common security and risk standards and frameworks.

The answer is yes — by bringing a financial discipline to otherwise technical guidelines, FAIR and RiskLens enhance their value as business-decision support tools. The most widely used cybersecurity framework, the NIST CSF, includes FAIR as a recommended best practice for risk assessment and risk analysis.

The ISO 27000 standards don’t prescribe a specific approach to analyzing risk and leave it to the risk practitioners to select their preferred analytics model. This is where FAIR comes in.

Factor Analysis of Information Risk (FAIR) decomposes risk into discrete factors that can be quantified and analyzed together to describe risk as a range of probable loss in dollars. Unlike risk assessment methods that focus their output on qualitative color charts or numerical weighted scales, the FAIR standard delivers financially derived results through the RiskLens platform that can be communicated across the enterprise in standard business terms of loss exposure and return on investment.
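The decomposition described above can be made concrete with a small simulation. The Python below is an added illustration, not code from this post, from RiskLens, or from the FAIR standard: it uses FAIR's top-level factors (threat event frequency multiplied by vulnerability gives loss event frequency; each loss event carries a primary and a secondary loss magnitude), samples each factor from a three-point estimate with a beta-PERT distribution, and reports annualized loss exposure as a range of dollar values rather than a single colour. The scenario name, the three-point values, the use of beta-PERT and a Poisson event count, and the `control_comparison` helper are all constructed assumptions for the example; a real analysis would use calibrated estimates from the organization.

```python
"""Toy FAIR-style Monte Carlo: risk as a range of probable annual loss in dollars.

Constructed example. Factor names follow FAIR's top-level decomposition; the
numbers, distributions and scenario are assumptions made for illustration.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Estimate:
    """A calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float


def pert_params(est: Estimate, shape: float = 4.0) -> Tuple[float, float]:
    """Beta-PERT alpha/beta for a three-point estimate (shape=4 is the usual PERT)."""
    span = est.high - est.low
    alpha = 1.0 + shape * (est.mode - est.low) / span
    beta = 1.0 + shape * (est.high - est.mode) / span
    return alpha, beta


def sample_pert(rng: random.Random, est: Estimate) -> float:
    """Draw one value from a beta-PERT distribution bounded by the estimate."""
    if est.high == est.low:          # degenerate estimate: no uncertainty
        return est.low
    alpha, beta = pert_params(est)
    return est.low + rng.betavariate(alpha, beta) * (est.high - est.low)


def sample_poisson(rng: random.Random, mean: float) -> int:
    """Number of events in a year given an expected rate (Knuth for small rates)."""
    if mean <= 0:
        return 0
    if mean > 500:                    # exp(-mean) would underflow; use normal approximation
        return max(0, round(rng.gauss(mean, math.sqrt(mean))))
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


@dataclass(frozen=True)
class Scenario:
    """One loss-event scenario expressed in FAIR's top-level factors."""
    name: str
    threat_event_frequency: Estimate   # threat events per year (TEF)
    vulnerability: Estimate            # probability a threat event becomes a loss event
    primary_loss: Estimate             # dollars per loss event (response, replacement)
    secondary_loss: Estimate           # dollars per loss event (fines, customer loss)


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> List[float]:
    """Return one simulated annual loss figure per iteration."""
    rng = random.Random(seed)
    annual: List[float] = []
    for _ in range(iterations):
        tef = sample_pert(rng, scenario.threat_event_frequency)
        vuln = sample_pert(rng, scenario.vulnerability)
        loss_event_frequency = tef * vuln           # expected loss events this year
        events = sample_poisson(rng, loss_event_frequency)
        loss = 0.0
        for _ in range(events):                     # loss magnitude per event
            loss += sample_pert(rng, scenario.primary_loss)
            loss += sample_pert(rng, scenario.secondary_loss)
        annual.append(loss)
    return annual


def summarize(losses: List[float]) -> Dict[str, float]:
    """Loss exposure as a range: mean plus 10th/50th/90th percentiles and maximum."""
    ordered = sorted(losses)
    n = len(ordered)
    pct = lambda p: ordered[int(p * (n - 1))]
    return {"mean": statistics.fmean(ordered), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90), "max": ordered[-1]}


def control_comparison(baseline: Scenario, with_control: Scenario,
                       annual_control_cost: float, seed: int = 1) -> Dict[str, float]:
    """Expected annual loss reduction from a control set against its cost (ROI view)."""
    before = statistics.fmean(simulate(baseline, seed=seed))
    after = statistics.fmean(simulate(with_control, seed=seed))
    return {"expected_loss_before": before, "expected_loss_after": after,
            "expected_reduction": before - after,
            "net_benefit": before - after - annual_control_cost}


# Constructed scenario: phishing leading to an account takeover (values are assumptions).
PHISHING = Scenario(
    name="phishing-led account takeover",
    threat_event_frequency=Estimate(4, 12, 30),
    vulnerability=Estimate(0.05, 0.15, 0.40),
    primary_loss=Estimate(5_000, 25_000, 150_000),
    secondary_loss=Estimate(0, 10_000, 500_000),
)
# Same scenario with a control assumed to halve the chance a phish becomes a loss event.
PHISHING_WITH_MFA = Scenario(
    name=PHISHING.name + " + MFA",
    threat_event_frequency=PHISHING.threat_event_frequency,
    vulnerability=Estimate(0.025, 0.075, 0.20),
    primary_loss=PHISHING.primary_loss,
    secondary_loss=PHISHING.secondary_loss,
)

if __name__ == "__main__":
    for label, value in summarize(simulate(PHISHING)).items():
        print(f"{label:>5}: ${value:,.0f}")
    print(control_comparison(PHISHING, PHISHING_WITH_MFA, annual_control_cost=20_000))
```

The output is what the post calls a range of probable loss: a 10th, 50th and 90th percentile of annual loss in dollars rather than a "high/medium/low" label, and `control_comparison` turns a proposed control into the same business terms (expected loss avoided against its cost).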

Source: How FAIR & ISO 27001 Work Together

Measuring and Managing Information Risk: A FAIR Approach

Tags: FAIR, Quantitative Cyber Risk Management


Feb 25 2021

Proven Use Cases to Start Quantitative Cyber Risk Management

Category: Risk Assessment, Security Risk Assessment
DISC @ 11:05 am

With the growing interest in Factor Analysis of Information Risk (FAIR™), we hear a lot from people who have read about FAIR or even taken FAIR training and are really excited about the potential power of cyber risk quantification for risk management, but have come away with the impression that to actually bring a quantitative risk management program to life in their organization would be… a slow, evolutionary process.

Well, it is a process of upward evolution from qualitative, opinion-driven, red-yellow-green risk analysis to critical thinking about risk in financial terms. And yes, bringing your entire organization to a common way of thinking about risk as loss events instead of vague worries like “the cloud” is a great step forward.

Proven Use Cases to Start Quantitative Cyber Risk Management

Tags: Quantitative Cyber Risk Management