In light of the Colonial Pipeline cyberattack, measuring risk is on everyone’s minds. However, quantifying risk is often not easy. So many factors go into determining and measuring risk that it makes it difficult to pin any one thing down, especially in large enterprises.
However, without a method to balance security and operational risk against cybersecurity threats, many companies are flying blind when weeding out threats and vulnerabilities in their systems. Organizations are starting to understand that threat event frequency is increasing in the face of the pandemic and the large number of digital transformation initiatives it spurred.
What is the FAIR Model?
FAIR (Factor Analysis of Information Risk) is a model that breaks down different aspects of risk and monetizes the elements. Allowing security teams to break down the factors and relationships between risk factors lets companies gain a broader insight into how risk is addressed and where the gaps may be. Ultimately, FAIR assigns a monetary value to risk factors, successfully defining risk in a business context.
This newer way to frame risk is crucial because it allows businesses to translate cyber risk into a business context and create a narrative to help get executive buy-in on cybersecurity initiatives. It will enable CISOs to calculate return on security investment (RoSI), allowing for more transparency and risk visibility.
The FAIR risk methodology allows businesses to measure, analyze, and understand risk concretely. The nice thing about the FAIR model is that it can augment current security programs and, by doing so, strengthen the organization's security posture. Only once the risk is understood can CISOs make informed decisions about risk scenarios and taxonomy.
NIST CSF and FAIR
The COVID-19 pandemic forced organizations to become dependent on digital operations to avoid extinction in the face of the pandemic. The number of threat agents skyrocketed as companies were pushed into digital spaces to survive. Loss events became more commonplace, stressing CISOs and other security professionals. Threat capabilities and what enterprise systems were equipped to deal with were being re-assessed, pushing organizations to adopt new frameworks and better practices like NIST.
The National Institute of Standards and Technology developed the Framework for Protecting Critical Infrastructure Cybersecurity in response to an executive order from President Obama. The first version of what would be later dubbed the NIST Cybersecurity Framework (CSF) was released in 2014. What was unique about the development of V1 was the decentralized and collaborative way it was developed. CyberSaint Founder Padraic O'Reilly contributed to the development of the cybersecurity framework.
It is often the aspiration of many security leaders, whether at a small business or a multi-billion dollar enterprise, to adopt the NIST CSF for their organization. Its comprehensive and flexible nature makes it the most future-proof framework to navigate new technologies entering the market and new regulations hitting almost every industry. However, The NIST CSF can also be challenging to adopt, given its wide-ranging nature. For many security leaders, often tasked with adopting the CSF from their CEO or the Board of Directors, selecting where to begin is the greatest challenge.
The FAIR Model has been widely debated in the security community for its approach and ability to quantify cyber security risk in financial terms. Security practitioners can quantify cyber risks to accurately detail loss exposure, loss event frequency, and the estimated financial loss of a cyber attack or event using the FAIR methodology.
With NIST adding FAIR as an informative reference to the wildly popular Cybersecurity Framework, the FAIR model has moved from obscurity to primary business practice.
Learn about the recent updates made to the NIST CSF 2.0 here.
Because there are so many regulations and frameworks that different industries map to, it’s crucial for any new risk quantification methodology to work well with existing frameworks. FAIR helps organizations determine their greatest strengths and where they have room for improvement and growth.
Who can adopt the FAIR model?
Ideally, those with a proactive cyber risk management solution and a more mature security posture would adopt an FAIR model to supplement their already existing frameworks. With the end goal of modern information security teams being to deliver data that supports a more significant cyber risk management strategy, taking an integrated approach is critical to delivering on these needs.
Quantifying risk is a relatively new practice. While the need for concrete cyber risk quantification has emerged, the landscape of risk assessment frameworks to quantify risk is still fragmented. Cyber risk quantification is often viewed as an impractical process that is ambitious but, overall, relatively futile, given the novelty of the concept. The RoSI is challenging to measure, and the results are challenging to condense into a business-friendly context.
This has pushed CISOs to favor a qualitative approach to risk evaluation. As demand for digital transformation grows, CISOs are under more pressure than ever before to effectively communicate risk to a broad audience, including C-suite executives and company employees.
Many cyber risk quantification solutions available today are, by all intents and purposes, black-box solutions that ingest risk data and return metrics specific to the solution with little to no explanation as to how those metrics came about. When looking at “glass-box” vs. black-box in cybersecurity, we’re talking about the theory of transparent risk quantification vs. shielded risk quantification.
CISOs should focus on how “glass-box” solutions can increase a security leader’s confidence level to give them faster insights, leading to smarter decisions and meaningful action in a crisis. A clear understanding of the potential impacts in financial terms can bridge the gap of communication with business-side leaders when reporting cybersecurity to the Board.
Companies can achieve cyber resiliency by securing a plan and placing it into policy. They will be able to respond quickly to threats and address them promptly. IT and business will become more integrated and will trust each other to address concerns proactively and communicate when they do so.
Wrapping Up
The FAIR model empowers security and risk practitioners to gain executive-level buy-in on security initiatives to mature to a robust and transparent level of cyber risk quantification and reporting.
To learn more about how CyberStrong can help your cyber risk quantification process, contact us.
