CYBER RISK IN FINANCIAL TERMS: WHY FAIR IS THE GOLD STANDARD
By Bob Maley, CSO, Black Kite
In a mature risk management program, risk is usually defined in business terms (financial impact) and then measured against two important factors:
- Risk Appetite: The level of strategic risk an organization is willing to accept during normal business operations
- Risk Tolerance: The degree of variance from risk appetite that an organization will accept around specific objectives
Many organizations have a hard time measuring third-party risk in these terms, creating frustration for risk practitioners who want a more effective way to quantify results and for decision makers, who need clear metrics to make more informed decisions.
In the past, organizations have relied on risk questionnaires and risk scoring, with findings that are overly technical and complicated. Getting to this stage in a third-party risk management (TPRM) program is an accomplishment, but how are these findings quantified and measured against the organization’s risk appetite and tolerance? How are the findings and conclusions communicated to stakeholders?
Leveraging the Open FAIR™ model helps achieve and maintain an acceptable level of loss exposure, while also clearly conveying the breadth of probable impact to the organization.
WHAT IS FAIR?
- Factor Analysis of Information Risk (FAIR) is the only international standard quantitative model for information security and operational risk. The model:
- Provides a model for understanding, analyzing and quantifying information risk in financial terms
- Is unlike risk assessment frameworks that focus output on qualitative color charts or numerical weighted scales
- Builds a foundation for developing a robust approach to information risk management
- FAIR model components are specifically designed to support risk quantification, through:
- A standard taxonomy and ontology for information and operational risk
- A framework for establishing data collection criteria
- Measurement scales for risk factors
- A modeling construct for analyzing complex risk scenarios
- The FAIR model analysis complements existing risk management frameworks by building on qualitative efforts in order to better quantify risk. Shortcomings in risk management frameworks include:
- Organizations such as NIST, ISO, OCTAVE, ISACA, etc. are useful for defining and assessing risk management programs, but go no further than those parameters
- Most frameworks prescribe the need to quantify risk, but for the most part, they leave it up to the practitioners to figure that process out
- Some are silent on the subject of how to compute risk, while others are open in the allowance of third-party methods
- Frameworks such as NIST 800-30 attempt to measure risk, but fall short as they rely on qualitative (not quantitative) scales and flawed definitions
FAIR helps fill the gaps in other risk management frameworks by providing a proven and standard risk quantification methodology that can be leveraged on other frameworks.
HOW BLACK KITE INTEGRATES AND SCALES FAIR TO QUANTIFY THIRD-PARTY RISKS
At a high-level, open-source technical data is used to feed FAIR calculations to achieve a technical cyber rating. This letter grade rating provides an overall cyber hygiene view, which is part of a wider risk assessment. However, this rating alone lacks context related to business impact.
FAIR helps fill the gaps in other risk management frameworks by calculating the financial impact of a vendor by using data, beyond the technical rating, in conjunction with other peer-related data. This data can be garnered from research like the annual IBM/Ponemon Cost of a Data Breach report, Verizon Data Breach report, and Black Kite’s ongoing monitoring of publicly announced breaches.
WHERE TO PRIORITIZE?
- Technical cyber rating: C-
- Probable financial impact: $14,000
- Technical cyber rating: B+
- Probable financial impact: $75,000
At first glance, Company A’s rating is more alarming, but $14,000 may be below your supply chain’s risk appetite. Company B’s probable financial impact figure of $75,000 may be above your organization’s risk appetite. To further limit risk and financial loss, your business may decide to conduct a deeper assessment and prioritize vulnerabilities in company B’s report.
The Black Kite FAIR report provides guidance to assist you in making these decisions and also lets you tailor specific analysis, per vendor, as more data becomes available. You can easily update various risk indicators and data points to tailor the results for your organization in the event of a vendor breach.Request a free FAIR report