
Ben's Book of the Month: From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification


Posted on by Ben Rothke

The Rapaport Diamond Report, first issued by Martin Rapaport in 1978, is the global benchmark for polished diamond pricing. Published weekly, it provides a price list used by diamond traders, wholesalers, and jewelers to evaluate value based on weight, shape, color, and clarity.

Prices in the report serve as the basis for standardizing and negotiating diamond prices worldwide. Diamond dealers and jewelers often quote prices as a percentage discount or premium relative to the Rapaport Price List.

Similarly, corporate America needs an industry benchmark for quantifying data risk, since data are the diamonds of the IT world. But how can the value of data, and the risk to it, be quantified? Short answer: it's not easy. Long answer: Tony Martin-Vegue tries to do for IT risk management what Rapaport did for the diamond industry in From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification (Apress).

To further frame the discussion, consider Alfred North Whitehead’s famous remark that the European philosophical tradition “consists in a series of footnotes to Plato.” This suggests that Plato introduced most of the fundamental questions and themes that Western philosophy has continued to debate.

In this vein, when it comes to cyber risk quantification, it could be said that the field "consists in a series of footnotes to FAIR." Factor Analysis of Information Risk (FAIR) is a quantitative model for cybersecurity and operational risk, adopted as a standard by The Open Group.

Martin-Vegue uses FAIR extensively throughout the book, and it opens with comments from Jack Jones, the creator of FAIR. 

Jones, along with Dr. Jack Freund, wrote the definitive guide to FAIR in Measuring and Managing Information Risk: A FAIR Approach. Now in its 2nd edition, it is an extraordinarily valuable book, but not an easy read. 

Building on this foundation, Martin-Vegue takes a kinder, gentler approach to cyber risk quantification (CRQ) and shows how it can be developed and used within an organization. As powerful as FAIR is, many are intimidated by it and see CRQ as a tsunami.

This intimidation is not unfounded. The notion of a formal CRQ program is daunting to many. The book notes that several myths scare firms away from developing and implementing a CRQ program. Some of these myths include that you need a lot of data, expensive software and specialized tools, an army of people, and more.

Regarding the term "heatmap" in the title, the book notes that most heatmaps are overly qualitative and lack meaningful quantification. They may look great in PowerPoint, but these heatmaps ultimately do very little to mitigate risks. 

Histograms and similar charts have bars, frequencies, and many colors, but by themselves do nothing to reduce the financial and data risks they depict. His approach shows how to get off that PowerPoint wheel of pain and onto a real CRQ program that provides value.
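To make the heatmap-versus-histogram distinction concrete, here is an added example of the kind of Monte Carlo simulation a FAIR-style CRQ produces. It is my illustration, not code from the book or from Martin-Vegue, and every number in it (the scenario name, the loss event frequency, and the calibrated 90% range for single-event loss) is assumed for demonstration. Instead of a "likelihood 3, impact 4" cell on a heatmap, the output is a distribution of simulated annual loss that can be summarized as a mean, percentiles, and histogram buckets in dollars.

```python
"""Illustrative FAIR-style annual loss simulation (added example, not from the book).

Two inputs drive the model, mirroring FAIR's top-level factors:
  * loss event frequency (LEF): how many loss events per year, modelled as Poisson
  * loss magnitude (LM): loss per event, modelled as lognormal and parameterised
    by an analyst's calibrated 90% confidence interval [low, high]
Every value below is an assumption chosen for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    lef_per_year: float     # mean number of loss events per year (assumed)
    magnitude_low: float    # 5th percentile of single-event loss, USD (assumed)
    magnitude_high: float   # 95th percentile of single-event loss, USD (assumed)


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Convert a 90% CI on loss into (mu, sigma) of ln(loss).

    1.645 is the z-score of the 95th percentile of the standard normal, so the
    interval [low, high] spans 2 * 1.645 standard deviations in log space.
    """
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: sample the number of loss events in one year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenario: Scenario, years: int = 10_000, seed: int = 7) -> list[float]:
    """Simulate `years` independent years; each year sums the losses of its events."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    mu, sigma = lognormal_params(scenario.magnitude_low, scenario.magnitude_high)
    losses = []
    for _ in range(years):
        n_events = poisson(rng, scenario.lef_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def percentile(sorted_losses: list[float], p: float) -> float:
    """Nearest-rank percentile over an already sorted list."""
    idx = min(len(sorted_losses) - 1, int(p / 100 * len(sorted_losses)))
    return sorted_losses[idx]


def histogram(losses: list[float], bucket_width: float) -> dict[float, int]:
    """Bucket annual losses into fixed-width ranges: the 'histogram' in the title."""
    buckets: dict[float, int] = {}
    for loss in losses:
        start = int(loss // bucket_width) * bucket_width
        buckets[start] = buckets.get(start, 0) + 1
    return dict(sorted(buckets.items()))


def summarize(scenario: Scenario, years: int = 10_000, seed: int = 7) -> dict[str, float]:
    """The numbers a risk owner can act on, in dollars rather than heatmap colours."""
    losses = sorted(simulate_annual_losses(scenario, years, seed))
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p95": percentile(losses, 95),
        "max": losses[-1],
        "years_with_zero_loss": sum(1 for loss in losses if loss == 0),
    }


if __name__ == "__main__":
    # Constructed scenario: ~2 events/year, each costing $10k to $250k (90% CI).
    ransomware = Scenario("ransomware on a file server", 2.0, 10_000, 250_000)
    stats = summarize(ransomware)
    for key, value in stats.items():
        print(f"{key:>22}: {value:,.0f}")
    print("\nannual loss histogram ($100k buckets):")
    for start, count in histogram(simulate_annual_losses(ransomware), 100_000).items():
        print(f"  ${start:>9,.0f}+  {'#' * (count // 100)} {count}")
```

The point of the percentiles is that a decision such as "buy $500k of cyber insurance" or "spend $200k on backups" can be compared against a simulated loss distribution in the same units, which a red/amber/green cell cannot support. The lognormal and Poisson choices are common defaults in CRQ practice, but they are modelling assumptions, not something the book prescribes.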

Moving from theory to practice, the Jones/Freund book remains the definitive guide to FAIR, while this book is a great reference for putting it into practice. As for putting it into action, Martin-Vegue is a big fan of using AI tools to help.

However, relying on AI for risk quantification carries a specific hazard: AI tools are prone to hallucination in general, and a field built on estimates and ranges gives them plenty of room to invent plausible-looking numbers. The book shows ways to deal with those issues.

Many books on the topic scare readers away with an emphasis on statistics and ideas that are far too conceptual; not this one. Those looking for an introductory work on CRQ will find this a very welcoming guide to the often intimidating work of cyber risk.

Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

