Quantitative Risk Management with FAIR — Communicating Risk Now that we’ve been through the calculations to arrive at a number for our risk exposure, we discuss how to communicate it. Remember, you’re no longer in the land of “qualitative risk management”, where all you’re asked to do is position a risk in a 4×4 matrix. […]
Quantitative Risk Management with FAIR — Evaluate Loss Magnitude We’ve come very far in the last few blog posts, and now reach the second part of the Risk equation (the first being Loss Event Frequency, which we covered in the last post): the Loss Magnitude in the FAIR Risk Taxonomy. It’s comprised of the following: Loss […]
Quantitative Risk Management with FAIR — Evaluate Loss Event Frequency In FAIR, Loss Event Frequency refers to what is typically called “Likelihood” in qualitative approaches to Risk Management. Here we’ll be doing some of Stage 2. It’s defined as the probable frequency, in a given timeframe, that the threat agent or community we’re assessing ourselves against will […]
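The three posts excerpted above (Loss Event Frequency, Loss Magnitude, and communicating the resulting number) hang together on FAIR's top-level relationship Risk = Loss Event Frequency × Loss Magnitude. The Monte Carlo simulation below is an added illustration of that relationship, not code from the blog or from the FAIR standard. It assumes calibrated min / most-likely / max estimates for LEF (events per year) and LM (loss per event), samples them with a triangular distribution in place of the PERT distribution FAIR tooling usually uses, draws the number of loss events per simulated year from a Poisson with that rate, and reports the percentiles and exceedance probability you would put in front of a business owner. The estimate values and the 1,000,000 risk-appetite threshold are constructed for the example.

```python
import math
import random
import statistics

# Constructed example estimates (assumptions for this illustration, not the blog's figures):
# (min, most likely, max) for Loss Event Frequency in events per year,
# and for Loss Magnitude in currency units per event.
LEF_ESTIMATE = (0.1, 0.5, 2.0)
LM_ESTIMATE = (50_000, 300_000, 2_000_000)


def sample_triangular(estimate, rng):
    """Draw from a triangular distribution given (min, most likely, max).
    Stands in for the PERT distribution commonly used in FAIR tooling."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def sample_poisson(rate, rng):
    """Number of loss events in one year for a given annual rate (Knuth's method)."""
    limit = math.exp(-rate)
    count = 0
    p = rng.random()
    while p > limit:
        count += 1
        p *= rng.random()
    return count


def simulate_annual_loss(lef_estimate, lm_estimate, iterations=20_000, seed=1):
    """Simulate `iterations` years; each year picks an LEF, draws how many loss
    events actually occur, and sums an independently sampled LM for each event."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    losses = []
    for _ in range(iterations):
        rate = sample_triangular(lef_estimate, rng)
        events = sample_poisson(rate, rng)
        losses.append(sum(sample_triangular(lm_estimate, rng) for _ in range(events)))
    return losses


def percentile(sorted_values, p):
    """Nearest-rank percentile over an already sorted list."""
    idx = int(round(p / 100 * (len(sorted_values) - 1)))
    return sorted_values[idx]


def summarise(losses, appetite):
    """The figures a risk analyst would communicate: central tendency, spread,
    chance of a loss-free year, and chance of exceeding the stated risk appetite."""
    s = sorted(losses)
    n = len(s)
    return {
        "mean": statistics.fmean(s),
        "p10": percentile(s, 10),
        "p50": percentile(s, 50),
        "p90": percentile(s, 90),
        "p_no_loss": sum(1 for x in s if x == 0) / n,
        "p_exceeds_appetite": sum(1 for x in s if x > appetite) / n,
    }


if __name__ == "__main__":
    summary = summarise(simulate_annual_loss(LEF_ESTIMATE, LM_ESTIMATE), appetite=1_000_000)
    for key, value in summary.items():
        print(f"{key:>20}: {value:,.2f}")
```

Two things worth noticing when reading the output: the 10th percentile is zero because roughly 45% of simulated years see no loss event at all, which is exactly the information a single "most likely" number in a 4×4 matrix hides; and the mean sits well above the median because the tail (several events, or one large one) drags it up, so quoting the mean alone overstates the typical year while the median alone understates the exposure. Presenting p10 / p50 / p90 together with the probability of breaching the appetite avoids both traps.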
Quantitative Risk Management with FAIR — Stage 1 — Ransomware scenario In order to perform the risk analysis, we’ll need to work with some assumptions, so it’s key that those are clear and documented, so they can be improved and challenged by those involved, and that usually means risk analysts, engineers and business owners alike. So for this example, […]
Quantitative Risk Management with FAIR — Sharing the journey Though I’ve known about FAIR (Factor Analysis of Information Risk) for many years and studied it for a number of different security certifications I’ve taken over the years, I never had the experience of using it on a day to day basis, as I always worked for organisations that had […]