About this event
The tribe opens its virtual door to our CISO community, to exchange ideas, evaluate the good, the bad and the ugly, challenge the status quo, and share lessons learned.
For the opening event in 2024 we’re honored to welcome Jack Jones, author of the FAIR model and Chairman of the FAIR Institute. Today’s session will be moderated by CISO Tribe founding member and seasoned Group CISO, Ivan Milenkovic.
Can't make it on this date? No worries, just register and you will automatically receive a link to the video directly after the event.
Introduction to FAIR: A Methodology for Quantifying and Managing Risk in Any Organization
Many of our discussions today center around strategic business alignment, transitioning from compliance- to risk-based cybersecurity approaches, gaining executive support and getting the organization aligned with the security program.
One key aspect is that boards of directors and business executives want to understand an organization's loss exposure in financial terms to enable effective decision-making. Risk and security professionals must become facilitators of the balance between protecting the organization and running the business. And this is where risk quantification comes into play.
Factor Analysis of Information Risk (FAIR™) is the international standard quantitative model for information security and operational risk. FAIR provides a model for understanding, analyzing and quantifying cyber risk and operational risk in financial terms. Unlike risk assessment frameworks that focus their output on qualitative color charts or numerical weighted scales, FAIR builds a foundation for developing a robust approach to information risk management.
During his presentation, Jack will explain where we are as a profession today when it comes to proper risk management and decision making, and from there dive into the FAIR model and how we could apply it within our own organizations.
‘Trusting risk measurements is one thing, being able to defend them is quite something else’. Jack will highlight the difference and help us to understand what it takes to have risk measurements that are trustworthy.
About your speaker:
Jack has worked in information security for over thirty-five years, ten years of which as a CISO with three different companies, including a Fortune 100 company. In 2012 Jack received the CSO Compass award for risk management leadership. An adjunct professor at Carnegie Mellon University, he teaches in the CRO and CISO executive programs.
Jack created the “Factor Analysis of Information Risk” (FAIR) model which has been adopted as an international standard. Currently, Jack is the Chief Risk Scientist at RiskLens and Chairman of the FAIR Institute non-profit organization with over 13,000 members worldwide. He has also co-authored a book on FAIR entitled “Measuring and Managing Information Risk, a FAIR Approach” which was inducted into the Cyber Security Canon.
Agenda:
15h00: Welcome – Wim Stoffelen, CISO Tribe (NL)
15h05: Introduction by your moderator – Ivan Milenkovic, CISO Tribe (UK)
15h10: Presentation FAIR Model – Jack Jones, Founder FAIR Institute (USA)
15h35: Q&A Session – Audience, Jack and Ivan
15h55: Closing remarks and next events – Wim
Hosted by
Community of cyber leaders that shares the values of belonging, achieving, and giving back.