We all know cybersecurity carries a real risk to every business, but how can you quantify it and put a $/£/€ value on it? Yesterday at the FAIR Institute summit in London, I learned there is a way.
The FAIR model stands for
Factor
Analysis of
Information
Risk
Developed by Jack Jones, the FAIR defines model defines six kinds of loss:
Productivity – a reduction of the organization to effectively produce goods or services in order to generate value
Response – the resources spent while acting following an adverse event
Replacement – the expense to substitute/repair an affected asset
Fines and judgments (F/J) – the cost of the overall legal procedure deriving from the adverse event
Competitive advantage (CA) – missed opportunities due to the security incident
Reputation – missed opportunities or sales due to the diminishing corporate image following the event.
The FAIR Institute is a non-profit professional organisation dedicated to advancing the discipline of measuring and managing cyber and operational risk.
It provides information risk, cybersecurity and business executives with the standards and best practices to help organizations measure, manage and report on information risk from the business perspective.
Nick Sanna, President, FAIR Institute; CEO, RiskLens
Phil Huggins, CISO, National Health Service
Julian Meyrick, Managing Partner/Vice President, Security Strategy Risk & Compliance, IBM Security
Pooya Alai, Cyber Security Manager, Maersk
Laura Cristiana Voicu, Manager Security Assurance and Risk Management, InfoSec, Elastic
Jo Armstrong, Head of UK Card Technology Risk Management, Capital One
David Steng, Director, Cyber Risk & Economics, Group Cybersecurity Office, Fresenius Group
Ferhat Yazgili, Senior Cyber Risk Manager, Fresenius Group
It was also great to hear what the UK Government is doing from Naomi Gilbert, Head of Cyber Resilience Policy. I hope to have on the podcast soon to talk about cyber risk from a Government policy perspective.
The day helped me better understand how risk can be quantified, as at the start of all my talks, I ask the audience who has 2-factor tuned on for ALL the services they use. For the hands that don’t go up, I now have a way of estimating the cost if a breach occurs.
I’m also developing a chapter on risk for my upcoming book, Digitally Curious. Pre-order here.
Thanks to Cathy Morley Foster from Eskenzi PR and Marketing, who had the foresight to invite me, and the FAIR Insitute for putting on a great day.