For some time now we have been hearing the story about quantitative risk management and why it is so much better than our old loss-times-probability, green-yellow-red approach. Even outside the financial community we are supposed to throw out our old heat maps and replace them with value-at-risk predictions.
How many standardized and established methods are there for quantitative risk management today? 1, 2, 3, more? I'm not asking for another tool…
I'm thinking first and foremost of Factor Analysis of Information Risk (FAIR) when it comes to quantitative risk management. I believe that Jack Freund and Jack Jones did a fantastic job of explaining and promoting this methodology. Their book “Measuring and Managing Information Risk: A FAIR Approach” is my go-to book for this topic. The same is true for the FAIR Institute (www.fairinstitute.org) and FAIR-U / RiskLens (fairu.net) and their efforts in promoting better and more robust risk management.
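To make the contrast with the loss-times-probability approach concrete, here is an added FAIR-style Monte Carlo example (my own illustration, not code from the FAIR Institute, RiskLens or the book): it samples loss event frequency and per-event loss magnitude from calibrated ranges and reports the annualized loss distribution as percentiles, next to the single "most likely frequency × median loss" number a heat map would be built on. The input ranges are constructed, and the triangular distribution stands in for FAIR's PERT distribution.

```python
import math
import random
from statistics import mean, quantiles

# Constructed sample estimates, not figures from any real analysis.
# Loss Event Frequency (events/year) as min / most likely / max; FAIR uses a
# PERT distribution, approximated here with a triangular one (assumption).
LEF = (1.0, 3.0, 10.0)
# Loss Magnitude per event as a calibrated 90% confidence interval in dollars.
LM_CI90 = (20_000.0, 500_000.0)


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def lognormal_params(low: float, high: float) -> tuple[float, float]:
    """Fit a lognormal whose 5th/95th percentiles match the 90% CI."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.6449)
    return mu, sigma


def simulate_annual_loss(trials: int = 20_000, seed: int = 1) -> dict:
    """Return mean, percentiles and the naive point estimate of annual loss."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(*LM_CI90)
    losses = []
    for _ in range(trials):
        # Draw this year's event rate, then how many events actually occur,
        # then a magnitude for each event; sum gives that year's loss.
        rate = rng.triangular(LEF[0], LEF[2], LEF[1])
        n = poisson(rate, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    q = quantiles(losses, n=100)  # q[i-1] is the i-th percentile
    return {"mean": mean(losses), "p50": q[49], "p90": q[89], "p95": q[94],
            "point_estimate": LEF[1] * math.exp(mu)}  # heat-map style number


if __name__ == "__main__":
    for name, value in simulate_annual_loss().items():
        print(f"{name:>15}: ${value:,.0f}")
```

The gap between the point estimate and the mean or the 95th percentile is exactly the information a green-yellow-red cell cannot carry.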
So why the provocative title?
For example, let's log into the FAIR-U tool to perform a web-based risk analysis. The “What's New in FAIR-U” banner is dated August 17th, 2018. No update since then?
The icons for some of the educational partners on https://www.fairinstitute.org/fair-university-curriculum are broken, a sure sign that nobody has looked at this page for some time.
A quick search for “Factor Analysis of Information Risk” and “FAIR” at Webster University and George Mason University returned no results. UMass shows a hit, but it is a class from 2017: https://infosec.cs.umass.edu/content/infosec-690r-information-risk-management-0. The link to Arizona State returns an “Error 403 – access denied”, GCU returns “Page Not Found”, and so on.
The local chapters listed at www.fairinstitute.org are still very US-centric. There is a local chapter in London that seems to consist of a single person. Paris has a local chapter with two people from a training and consulting house. That’s it for Europe!
The Open Group (opengroup.org) Security Forum manages and updates Open FAIR. Many of the documents in their library seem to be old, e.g. “THE OPEN GROUP CERTIFICATION FOR PEOPLE: OPEN FAIR™ PROGRAM CONFIGURATION”, last updated in April 2017. Their FAIR blog has a single, lonely entry from 2017.
The recent fun I had installing Oracle Crystal Ball and RiskKit led to my question above: Am I right, or am I wrong? What is your opinion when it comes to quantitative risk management standards outside the regulated financial industry and its Basel III accord?
2 responses to “Is Quantitative Risk Management Dead?”
To bolster my argument: In 2016 (!) the US Comptroller of the Currency, the Federal Reserve System, and the Federal Deposit Insurance Corporation started an advance notice of proposed rulemaking (ANPR) to define and receive comments on an enhanced cyber risk management standard addressing five categories of cyber standards: Cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.
Section VII of the notice is titled “Approach to Quantifying Cyber Risk” and explicitly names FAIR and GQIM (a non-quantitative approach from CMU) as known methodologies. This should give people in the finance industry hope, right? Unfortunately, the rulemaking process is still in status “Proposed Rule Stage”, with the next milestone coming up on 10/00/2021 (no typo! I guess only a government system can allow a date like this).
Some people referenced the Cybersecurity Assessment Tool (CAT) from the US Federal Financial Institutions Examination Council (FFIEC) in their proposals. As Jack Jones from the FAIR Institute commented: “However, the tool itself, uses a qualitative scale (Least, Minimal, Moderate, Significant, Most) to determine risk vs. truly ‘measuring’ risk in terms of dollars and cents.” So it seems not everybody understood what the ANPR is asking for in section VII.
Another interesting fact: In its publication “Integrating Cybersecurity and Enterprise Risk Management (ERM)” [NISTIR 8286] from last year, the National Institute of Standards and Technology (NIST) mentions FAIR in the chapter “Risk Analysis Types” as a viable risk analysis methodology – the only quantitative methodology.
NIST plans to present more details about these methodologies in the future: “A detailed consideration of risk analysis techniques, including worked examples, will be provided in a subsequent NIST publication.” I am looking forward to this!