
Ben’s Book of The Month: Measuring and Managing Information Risk: A FAIR Approach – 2nd edition


Posted on by Ben Rothke

Factor analysis of information risk (FAIR) is a taxonomy of the factors that contribute to risk and how they interact. It concerns establishing accurate probabilities for the frequency and magnitude of data loss events. While often called a methodology, it is, in fact, not a formal risk methodology. 

I have been a fan of FAIR for a long time. I reviewed the first edition of the book here in 2014 and named it the best Information Security book of 2014. Since the first edition, it has become an Open Group standard.

IT in general has changed a lot since 2014, and Information Security and information risk even more so. Fortunately, authors Jack Jones and Jack Freund have updated their classic and are back with the 2nd Edition of Measuring and Managing Information Risk: A FAIR Approach (Butterworth-Heinemann).

Like the first edition, the book provides a comprehensive guide to help readers make effective risk and business decisions by formally and quantitatively understanding their organizational risk. The term 'quantitatively' is imperative, as Information Security and risk decisions driven more by emotion than by quantification can lead to disaster.

This edition adds details on topics such as risk theory, risk calculation, scenario modeling, and risk communication within organizations. It concludes with perspectives from leading industry professionals.

The core importance of FAIR is its groundbreaking shift from vague guesswork and subjective opinions to quantifiable risk assessments. By introducing numerical and financial calculations into IT risk, FAIR enables security leaders to communicate effectively with business-relevant metrics. This quantitative approach empowers well-informed decision-making, though achieving it remains challenging.

FAIR is invaluable because it helps risk professionals use the language of the corporate board and senior executives. Understanding that and communicating in their language can make it much easier for information security to be perceived as a valued asset, rather than relying on Chicken Little statistics.

Information risk management is a highly complex topic that spans numerous fields. At its core, it is about identifying, evaluating, and prioritizing data risks. There are many core areas of risk that people get wrong, and FAIR can fix them. 

FAIR takes the risk professional out of the realm of risk management via the checklist, which only produces meaningless measurements, into the world of quantitative, defendable results.

For those who are looking for a tool to create pretty executive summary charts with lots of colors, FAIR will sorely disappoint them. For those looking for a method to calculate quantitative risk to support a formal enterprise risk management program, they won't find a better guide than this book.

The book is an excellent reference that will force you to reconsider how you view risk management.

The authors write that risk decision-making quality boils down to the quality of the information decision makers operate on and the decision makers themselves. The book does a remarkable job of showing how a person can become a much better decision-maker.

A subtle but important point the book makes early on is that many risk professionals confuse risk possibilities with risk probabilities. The FAIR method forces you to focus on probabilities rather than obsess over obscure possibilities. Such a quantitative analysis approach is what makes FAIR so beneficial.
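To make the frequency-and-magnitude idea concrete, here is an added illustration (my own code, not material from the book or from The Open Group standard) of a FAIR-style estimate. It takes calibrated (min, most likely, max) ranges for Loss Event Frequency and Loss Magnitude, two factors from the FAIR taxonomy, runs a Monte Carlo simulation, and reports annualized loss exposure and loss-exceedance figures. The two scenarios, their names and their ranges are constructed for the example; the simple triangular distributions and Poisson event counts are modeling assumptions, not the book's prescribed method.

```python
"""FAIR-style quantitative risk illustration (added example, not from the book)."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple  # Loss Event Frequency per year: (min, most_likely, max)
    lm: tuple   # Loss Magnitude per event in dollars: (min, most_likely, max)


# Constructed scenarios, chosen only to contrast a probable, modest loss with a
# possible but rare catastrophic one. The numbers are illustrative.
FREQUENT_MODEST = Scenario(
    "Phishing-driven account takeover",
    lef=(0.1, 0.5, 2.0),
    lm=(10_000, 50_000, 500_000),
)
RARE_CATASTROPHIC = Scenario(
    "Data-center destroyed by disaster",
    lef=(0.0005, 0.002, 0.01),
    lm=(2_000_000, 5_000_000, 20_000_000),
)


def _draw(estimate, rng):
    """Sample a (min, most_likely, max) calibrated estimate as a triangular distribution."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)


def poisson(lam, rng):
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, iterations=20_000, seed=1):
    """Return one simulated total loss (dollars) per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        lef = _draw(scenario.lef, rng)            # events per year for this trial
        events = poisson(lef, rng)                # how many actually occur this year
        total = sum(_draw(scenario.lm, rng) for _ in range(events))
        losses.append(total)
    return losses


def summarize(losses):
    """Annualized loss exposure (mean) plus percentiles of the simulated yearly loss."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q):
        return ordered[min(n - 1, int(q * n))]

    return {"ale": statistics.fmean(ordered), "p50": pct(0.5), "p90": pct(0.9), "p99": pct(0.99)}


def exceedance_probability(losses, threshold):
    """Probability that a year's total loss exceeds the threshold (a loss-exceedance point)."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def rank_scenarios(scenarios, iterations=20_000):
    """Order scenarios by annualized loss exposure, highest first."""
    scored = [(summarize(simulate_annual_loss(s, iterations))["ale"], s.name) for s in scenarios]
    return [name for _, name in sorted(scored, reverse=True)]


if __name__ == "__main__":
    for scenario in (FREQUENT_MODEST, RARE_CATASTROPHIC):
        losses = simulate_annual_loss(scenario)
        stats = summarize(losses)
        print(f"{scenario.name}: ALE ${stats['ale']:,.0f}, p90 ${stats['p90']:,.0f}, "
              f"p99 ${stats['p99']:,.0f}, P(loss > $1M) = {exceedance_probability(losses, 1_000_000):.3f}")
    print("Ranked by ALE:", rank_scenarios([FREQUENT_MODEST, RARE_CATASTROPHIC]))
```

The ranking is the point of the exercise: the catastrophic scenario is a real possibility, but once its frequency is estimated honestly its annualized exposure falls well below the mundane, frequent one, which is the difference between possibility-driven and probability-driven prioritization that the book argues for. In practice the input ranges would come from calibrated estimators and the distributions would be chosen more carefully than the triangular ones used here.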

The challenge of FAIR is acclimating to its dialect. But once done, it creates an extremely powerful methodology for risk communication and management. And therein lies its power. Setting up a common risk management framework is an invaluable tool for presenting risk ideas. In addition, it makes the findings much more objective and defensible.

FAIR is a powerful tool that can revolutionize risk management. The challenge is that it takes a village to make such a change. Management may be reticent to invest in what is perceived as yet another risk management framework. But once you start using the FAIR language and validate your findings, astute management will likely catch on. Over time, FAIR can indeed be a risk management game changer.

Uttered by Supreme Court Justice Potter Stewart in 1964, "I know it when I see it" was used by him to describe his threshold for identifying pornography without needing a precise legal definition. It highlights the subjective, often nonrational, nature of judicial decision-making.

Information risk should be objective and rational. And that is precisely what Measuring and Managing Information Risk: A FAIR Approach does.

Contributors
Ben Rothke

Senior Information Security Manager, Tapad

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
