We all know cybersecurity carries a real risk to every business, but how can you quantify it and put a $/£/€ value on it? Yesterday at the FAIR Institute summit in London, I learned there is a way.

The FAIR model stands for
Analysis of

Developed by Jack Jones, the FAIR defines model defines six kinds of loss:

Productivity – a reduction of the organization to effectively produce goods or services in order to generate value

Response – the resources spent while acting following an adverse event

Replacement – the expense to substitute/repair an affected asset

Fines and judgments (F/J) – the cost of the overall legal procedure deriving from the adverse event

Competitive advantage (CA) – missed opportunities due to the security incident

Reputation – missed opportunities or sales due to the diminishing corporate image following the event.

The FAIR Institute is a non-profit professional organisation dedicated to advancing the discipline of measuring and managing cyber and operational risk.

It provides information risk, cybersecurity and business executives with the standards and best practices to help organizations measure, manage and report on information risk from the business perspective.

At yesterday’s event at the IET in London, I managed to meet and hear from:

Nick Sanna, President, FAIR Institute; CEO, RiskLens

Phil Huggins, CISO, National Health Service

Julian Meyrick, Managing Partner/Vice President, Security Strategy Risk & Compliance, IBM Security

Pooya Alai, Cyber Security Manager, Maersk

Laura Cristiana Voicu, Manager Security Assurance and Risk Management, InfoSec, Elastic

Jo Armstrong, Head of UK Card Technology Risk Management, Capital One

David Steng, Director, Cyber Risk & Economics, Group Cybersecurity Office, Fresenius Group

Ferhat Yazgili, Senior Cyber Risk Manager, Fresenius Group

It was also great to hear what the UK Government is doing from Naomi Gilbert, Head of Cyber Resilience Policy. I hope to have on the podcast soon to talk about cyber risk from a Government policy perspective.

The day helped me better understand how risk can be quantified, as at the start of all my talks, I ask the audience who has 2-factor tuned on for ALL the services they use. For the hands that don’t go up, I now have a way of estimating the cost if a breach occurs.

I’m also developing a chapter on risk for my upcoming book, Digitally Curious. Pre-order here.

Thanks to Cathy Morley Foster from Eskenzi PR and Marketing, who had the foresight to invite me, and the FAIR Insitute for putting on a great day.