Version 2 Updated for Release – February 2023.
From Jack Jones, Chairman of the FAIR Institute and creator of the FAIR model for cyber risk quantification (CRQ) — the definitive guide to understanding CRQ: What it is (and isn’t), its value proposition and limitations, and facts regarding the misperceptions that are commonplace.
If you’re considering or are actively shopping for an analysis solution that treats cyber risk in financially-based business terms, Jack’s extensive, jargon-free guide — including an evaluation checklist — will give you the objective and practical advice you need.
And just in time. There has never been more interest or, frankly, confusion in the marketplace over what exactly cyber risk quantification is. As you’ll read in this buyer’s guide, many solutions count vulnerabilities, provide ordinal values, or deliver numeric “maturity” scores, but they don’t measure risk, let alone put a financial value on it to help make business decisions.
This paper answers questions such as:
- What does CRQ provide that I’m not already getting from other cyber risk-related measurements?
- What makes CRQ reliable? Why should I believe the numbers?
- Do I have enough data to run an analysis?
Jack also provides red flags to look out for in CRQ solutions, such as:
- Mis-identification of risks.
- Misuse of control frameworks as risk measurement tools.
- Over-simplification that can result in poorly-informed decisions, especially when performed at scale.
The ‘Understanding Cyber Risk Quantification’ guide is designed to be of use to security and risk executives, industry analysts, consultants, auditors, investors, and regulators, essentially anyone who has a stake in how well cyber risk is managed.