The National Association of Corporate Directors (NACD) emphasizes the need for improved cyber risk information for boards. This includes understanding:
Value of Enterprise Digital Assets - Particularly, recognizing the significance of the company's most critical assets, often referred to as the "crown jewels."
Probability of Cyber Event Occurrence and Potential Loss - Assessing the likelihood of cyber incidents and the potential financial impact.
Reputational Damage and Shareholder Value Impact - Considering how cyber events may affect the company's reputation and shareholder value.
Costs of Cybersecurity Program Development and Maintenance - Evaluating the financial investments required for establishing and sustaining an effective cybersecurity program.
Costs of Regulatory Compliance - Understanding the expenses associated with meeting regulatory requirements related to cybersecurity.
The most common existing ways to evaluate risk are a high/medium/low scale or a 1-5 scale, like the one in the image below.
Making well-informed decisions on the basis of colors or ordinal numbers is hard. Abstract values like "4" or "medium/high" carry no intrinsic meaning. To see the problem, consider the sentence "the risk of XYZ scenario to the business is 4." Four what? Compared with what? The number is only as meaningful as the risk analysis that produced it, and when that analysis carries no concrete context (expected loss, frequency, a range), nobody can say what the value signifies or whether two "4"s from different assessors are even comparable.
Furthermore, the challenge lies in discerning what truly matters. When everything is labeled as important, the label stops distinguishing anything. This is the point of McGeorge Bundy's remark, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." Not all risks and assets are of equal value or importance, and a scale that cannot express the difference cannot direct spending toward the diamonds.
Adding to the complexity, risk estimates frequently prove highly subjective. They are often riddled with unexamined assumptions, inconsistencies, personal biases, inadequate cost-benefit analyses, and challenges in effectively communicating risk-related information.
In light of these challenges and the need for better decision-making about cyber risk, the FAIR Model provides a framework for consistently better-informed decisions. FAIR (Factor Analysis of Information Risk) offers a structured approach to quantifying and managing information security and operational risk: it decomposes risk into the frequency of loss events and the magnitude of loss per event, expresses each as a calibrated range rather than a point score, and produces a loss distribution in currency terms that can be compared against the cost of controls, empowering organizations to make more precise and defensible risk-related choices.
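As an added illustration of that decomposition (this is example code written for this page, not FAIR Institute tooling or any official implementation), the Python below takes two scenarios that might both be scored "4" on an ordinal scale and runs a FAIR-style Monte Carlo simulation. Each input is a calibrated minimum / most-likely / maximum estimate for threat event frequency, vulnerability (the probability a threat event becomes a loss event) and loss magnitude; the simulation draws many years of outcomes and reports annualized loss expectancy (ALE), tail percentiles and the probability of exceeding a loss tolerance. The scenario names and all range values are constructed for the example; a triangular distribution stands in for the PERT distribution most FAIR tooling uses.

```python
"""FAIR-style Monte Carlo loss estimate (illustrative example, constructed inputs)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated estimate: minimum, most likely and maximum value."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for the PERT distribution used by typical FAIR tooling.
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    threat_event_frequency: Estimate  # threat events per year
    vulnerability: Estimate           # P(threat event becomes a loss event), 0..1
    loss_magnitude: Estimate          # loss per loss event, in currency units


def poisson(rng: random.Random, mean: float) -> int:
    """Knuth's algorithm: number of loss events in one year for a given expected rate."""
    limit = math.exp(-mean)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, years: int, seed: int = 0) -> list:
    """Simulate `years` independent years and return the total loss in each."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability (FAIR's top-level split).
        lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
        events = poisson(rng, lef)
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return losses


def percentile(values, p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a list of numbers."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(p / 100 * len(ordered)) - 1))
    return ordered[idx]


def summarize(losses, tolerance: float) -> dict:
    """Turn simulated annual losses into the figures a decision-maker can act on."""
    years = len(losses)
    return {
        "ale": sum(losses) / years,                # annualized loss expectancy (mean)
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),             # "1-in-10-year" loss
        "p99": percentile(losses, 99),             # "1-in-100-year" loss
        "p_exceed_tolerance": sum(1 for x in losses if x > tolerance) / years,
    }


# Constructed scenarios: low-frequency/high-impact versus high-frequency/low-impact.
# Both might land on "4" in a 1-5 matrix; the distributions say different things.
RANSOMWARE = Scenario(
    "Ransomware on file servers",
    threat_event_frequency=Estimate(0.2, 0.5, 2.0),
    vulnerability=Estimate(0.1, 0.3, 0.6),
    loss_magnitude=Estimate(200_000, 1_500_000, 8_000_000),
)
PHISHING = Scenario(
    "Phishing credential theft",
    threat_event_frequency=Estimate(20, 60, 150),
    vulnerability=Estimate(0.05, 0.15, 0.35),
    loss_magnitude=Estimate(2_000, 10_000, 60_000),
)

if __name__ == "__main__":
    for scenario in (RANSOMWARE, PHISHING):
        stats = summarize(simulate_annual_losses(scenario, years=10_000), tolerance=1_000_000)
        print(scenario.name)
        for key, value in stats.items():
            print(f"  {key:>20}: {value:,.2f}")
```

The two scenarios end up with ALEs of a similar order but very different tails: the ransomware scenario is the one whose p99 and tolerance-exceedance probability a board should be looking at, which is exactly the distinction a single ordinal score throws away. Because the inputs are ranges, the output also carries the analyst's uncertainty instead of hiding it behind a number.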