How to find cyber-risk data sources for a FAIR analysis

<p>In today’s enterprise, some degree of cyber-risk exposure is inevitable. CISOs must use limited resources to <a href="https://www.techtarget.com/searchsecurity/tip/Enterprise-risk-management-should-inform-cyber-risk-strategies">strategically address the most significant risks</a>, in alignment with their organizations’ <a href="https://www.techtarget.com/searchsecurity/feature/How-to-define-cyber-risk-appetite-as-a-security-leader">cyber-risk appetites</a>.</p>
<p>The easiest and fastest — but also least reliably accurate — way to <a href="https://www.techtarget.com/searchsecurity/tip/5-ways-to-achieve-a-risk-based-security-strategy">assess relative cyber-risk</a> is qualitatively. A qualitative analysis uses subjective data, such as a rating of excellent, good, fair or poor; a rating from 1 to 5, where 1 is excellent and 5 is poor; or a rating of blue, green, yellow, orange or red, where blue is excellent and red is poor.</p>
<p>Quantitative risk analysis is more challenging but also generally more substantive and useful than qualitative analysis. <a href="https://www.techtarget.com/searchsecurity/tip/Cyber-risk-quantification-benefits-and-best-practices">Cyber-risk quantification (CRQ)</a> requires data that reflects reality as closely as possible and is objectively accurate, if not precise. For example, if the precise but unknown value is 63%, a range — say, between 60% and 70% — is imprecise yet accurate, whereas a single point estimate of 58% is precise yet inaccurate. For decision-making, the accurate range is the more useful input.</p>
<p>The <a href="https://www.techtarget.com/searchsecurity/tip/Using-the-FAIR-model-to-quantify-cyber-risk">Factor Analysis of Information Risk (FAIR) model</a> is a widely respected, mathematically based open standard for CRQ that enables CISOs to translate cyber-risk into financial risk. One of the <a href="https://www.techtarget.com/searchsecurity/tip/Cyber-risk-quantification-challenges-and-tools-that-can-help">biggest challenges of using the FAIR model</a>, however, is that its analytical output is only as good as its data inputs — and finding accurate data to feed the model is not always easy or intuitive.</p>
<section class="section main-article-chapter" data-menu-title="Don’t aim for certainty — aim for less uncertainty">
<h2 class="section-title"><i class="icon" data-icon="1"></i>Don’t aim for certainty — aim for less uncertainty</h2>
<p>According to the FAIR Institute, most FAIR analyses start with incomplete and imperfect data, which CISOs should not view as a barrier to success. Even without much or any empirical data, CRQ results can still be highly credible, useful and defensible — if practitioners transparently and consistently document their sources, assumptions, estimations and confidence levels.</p>
<p>The organization also <a target="_blank" href="https://www.fairinstitute.org/hubfs/FAIR%20CRM%20Body%20of%20Knowledge/FAIR%20Institute%20–%20Analysts%20Guide%20to%20Cyber%20Risk%20Data%20Sources%20(May%202025).pdf" rel="noopener">notes</a> that the goal of CRQ is not to predict the future with certainty, but “to reduce uncertainty to a level that supports informed decision-making.” With that in mind, informed, calibrated estimates — based on structured interviews with internal or external subject matter experts (SMEs), for example — can be as useful as empirical data.</p>
<p>In identifying data for a FAIR analysis, the goal is often to arrive at a reasonable range rather than a single data point. “There is literally nothing we will likely ever need to measure where our only bounds are negative infinity to positive infinity,” CRQ expert Douglas Hubbard wrote in his book <i>How to Measure Anything: Finding the Value of “Intangibles” in Business.</i></p>
<blockquote class="main-article-pullquote">
<div class="main-article-pullquote-inner">
<figure>
There is literally nothing we will likely ever need to measure where our only bounds are negative infinity to positive infinity.
</figure>
<figcaption>
<strong>Douglas Hubbard</strong>Owner, Hubbard Decision Research
</figcaption>
<i class="icon" data-icon="z"></i>
</div>
</blockquote>
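<p>As an added illustration (not code from the TechTarget article, the FAIR Institute or Hubbard Decision Research), the Python below shows what happens to a calibrated range once it enters a FAIR analysis. A 90% confidence interval for loss event frequency and one for loss magnitude are each fitted to a lognormal distribution, a Monte Carlo run combines them into an annualized loss exposure distribution in dollars, and the run is repeated with a deliberately absurd magnitude range and with a narrowed one to show how reducing input uncertainty tightens the decision-relevant percentiles. It also includes the check a practitioner wants on a calibrated estimator: the fraction of known outcomes that landed inside past 90% intervals. The range values, the lognormal fit and the helper names (<code>CalibratedRange</code>, <code>simulate_ale</code>, <code>calibration_hit_rate</code>) are assumptions chosen for the example, not prescribed by the FAIR standard.</p>

```python
"""
Added illustration, not code from the TechTarget article, the FAIR Institute
or Hubbard Decision Research: a minimal FAIR-style Monte Carlo that turns
calibrated ranges into an annualized loss exposure (ALE) distribution.
Every number below is a constructed, hypothetical estimate.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class CalibratedRange:
    """A 90% confidence interval elicited from a calibrated SME: the true
    value is believed to lie between low and high about 9 times in 10."""
    low: float
    high: float

    def __post_init__(self):
        if not 0 < self.low < self.high:
            raise ValueError("need 0 < low < high")


Z90 = 1.6448536  # a two-sided 90% interval spans +/- 1.645 standard deviations


def lognormal_params(r: CalibratedRange):
    """Fit a lognormal whose 5th and 95th percentiles equal r.low and r.high
    (an assumed distribution choice). Lognormal keeps draws positive and
    right-skewed, which suits both event rates per year and dollar losses."""
    mu = (math.log(r.low) + math.log(r.high)) / 2
    sigma = (math.log(r.high) - math.log(r.low)) / (2 * Z90)
    return mu, sigma


def sample_range(r: CalibratedRange, n: int = 10_000, seed: int = 1) -> list:
    """Draw n values from the distribution fitted to r (used to sanity-check a fit)."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(r)
    return [rng.lognormvariate(mu, sigma) for _ in range(n)]


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(lef: CalibratedRange, lm: CalibratedRange,
                 trials: int = 10_000, seed: int = 1) -> list:
    """Return one simulated annual loss (dollars) per trial.

    lef: loss event frequency, events per year (FAIR's LEF node)
    lm:  loss magnitude per event, dollars (FAIR's LM node)
    """
    rng = random.Random(seed)
    mu_f, s_f = lognormal_params(lef)
    mu_m, s_m = lognormal_params(lm)
    annual = []
    for _ in range(trials):
        rate = rng.lognormvariate(mu_f, s_f)   # this year's expected event rate
        events = poisson(rng, rate)             # how many events actually occur
        annual.append(sum(rng.lognormvariate(mu_m, s_m) for _ in range(events)))
    return annual


def percentiles(values, points=(10, 50, 90)) -> dict:
    """Decision-relevant summary of a simulated distribution."""
    cuts = statistics.quantiles(values, n=100, method="inclusive")
    return {p: cuts[p - 1] for p in points}


def calibration_hit_rate(ranges, actuals) -> float:
    """Fraction of known outcomes that fell inside the SME's 90% intervals.
    A calibrated estimator lands near 0.9; well above it means the ranges
    were wider than necessary, well below it means overconfidence."""
    hits = sum(r.low <= a <= r.high for r, a in zip(ranges, actuals))
    return hits / len(actuals)


if __name__ == "__main__":
    lef = CalibratedRange(0.5, 4.0)        # 0.5 to 4 loss events per year (assumed)
    absurd = CalibratedRange(1.0, 1e9)     # first, deliberately absurd magnitude bound
    narrowed = CalibratedRange(1e5, 2e6)   # after references and reasoning narrow it
    for label, lm in (("absurd LM range", absurd), ("narrowed LM range", narrowed)):
        p = percentiles(simulate_ale(lef, lm))
        print(f"{label}: ALE p10=${p[10]:,.0f} p50=${p[50]:,.0f} p90=${p[90]:,.0f}")
```

<p>The point to read off the output is not the dollar figures themselves (they come from made-up ranges) but the gap between p10 and p90: with the absurd magnitude range it spans orders of magnitude and supports no decision, while the narrowed range produces a band a CISO can compare against risk appetite or the cost of a control. The calibration check is the companion step: before trusting an SME's ranges as data, score their past intervals against outcomes that are now known.</p>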
<p>In a FAIR Institute <a target="_blank" href="https://www.fairinstitute.org/blog/no-data-no-problem" rel="noopener">blog post</a>, Jack Jones, creator of the FAIR methodology, offered the following tips for estimating an accurate range:</p>
<ul class="default-list">
<li>Start with an absurd estimate — e.g., the person is likely taller than an inch and shorter than 10 feet.</li>
<li>Use references and logical reasoning to continually narrow the range.</li>
<li>Challenge your team’s reasoning throughout the calibration process.</li>
<li>Remember t

[…]

This article has been indexed from Search Security Resources and Information from TechTarget
