For some time now we have been hearing the story about quantitative risk management and why it is so much better than our old loss-times-probability, green-yellow-red approach. Even outside the financial community we are supposed to throw out our old heatmaps and replace them with value-at-risk style loss estimates.
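To make that contrast concrete, here is an added example (my own code, not anything published by the FAIR Institute, RiskLens or The Open Group): the same risk scenario scored once as a heatmap cell and once as a FAIR-style annualized loss distribution, frequency times magnitude, run through a small Monte Carlo loop. The scenario numbers, the 1 to 5 rating scales, the use of a triangular distribution for event frequency and the 90% confidence interval for loss magnitude are all constructed assumptions for illustration; FAIR itself works with calibrated PERT-style ranges for its inputs.

```python
"""
Added example (not from the original post): one risk scenario run through a
5x5 heatmap and through a FAIR-style Monte Carlo simulation, so the two
outputs can be compared. Standard library only; all scenario numbers are
constructed for illustration.
"""
import math
import random
import statistics


# ---------- qualitative: likelihood x impact heatmap ----------
def heatmap_rating(likelihood: int, impact: int) -> str:
    """Classic loss-times-probability cell: two ordinal scores, one colour.
    The result carries no currency unit and says nothing about the tail."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("scores must be in 1..5")
    score = likelihood * impact          # assumed 5x5 scale, assumed cut-offs
    if score >= 15:
        return "red"
    if score >= 8:
        return "yellow"
    return "green"


# ---------- quantitative: FAIR-style frequency x magnitude ----------
def lognormal_params(p05: float, p95: float):
    """Turn a 90% confidence interval (5th / 95th percentile) on loss
    magnitude into lognormal mu / sigma. 1.645 is the z-score for 95%."""
    mu = (math.log(p05) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p05)) / (2 * 1.645)
    return mu, sigma


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method for a Poisson draw; fine for the small rates here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def analytic_mean(freq_min, freq_ml, freq_max, mag_p05, mag_p95) -> float:
    """E[annual loss] = E[event frequency] * E[loss per event], used as a
    sanity check on the simulation."""
    mu, sigma = lognormal_params(mag_p05, mag_p95)
    return (freq_min + freq_ml + freq_max) / 3 * math.exp(mu + sigma ** 2 / 2)


def simulate_annual_loss(freq_min, freq_ml, freq_max, mag_p05, mag_p95,
                         trials: int = 20_000, seed: int = 1) -> dict:
    """Each trial is one simulated year: draw a loss-event frequency
    (triangular, a stand-in for a calibrated PERT range), draw how many
    events happen (Poisson), and sum one lognormal loss per event."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(mag_p05, mag_p95)
    losses = []
    for _ in range(trials):
        lam = rng.triangular(freq_min, freq_max, freq_ml)  # (low, high, mode)
        events = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    losses.sort()

    def pct(q: float) -> float:
        return losses[min(int(q * trials), trials - 1)]

    return {
        "mean": statistics.fmean(losses),   # annualized loss expectancy
        "median": pct(0.50),
        "p95": pct(0.95),                   # the value-at-risk style number
        "p_exceeds_1m": sum(1 for x in losses if x > 1_000_000) / trials,
        "p_zero_loss": sum(1 for x in losses if x == 0) / trials,
    }


if __name__ == "__main__":
    # Constructed scenario: 0.5 to 3 loss events per year (most likely 1),
    # each costing 20k to 500k with 90% confidence.
    print("heatmap says:", heatmap_rating(likelihood=3, impact=3))
    result = simulate_annual_loss(0.5, 1.0, 3.0, 20_000, 500_000)
    for key, value in result.items():
        print(f"{key:>13}: {value:,.2f}")
```

The heatmap answer is one word; the simulation answers the questions a budget owner actually asks (expected annual loss, the 95th percentile, the chance of a seven-figure year, the chance of a quiet year). The price is that every input has to be a calibrated range rather than a gut-feel score, which is exactly the discipline the FAIR training material is about.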
How many standardized and established methods are there for quantitative risk management today? One, two, three, more? I'm not asking for another tool…
I'm thinking first and foremost of Factor Analysis of Information Risk (FAIR) when it comes to quantitative risk management. I believe that Jack Freund and Jack Jones did a fantastic job of explaining and promoting this methodology. Their book “Measuring and Managing Information Risk: A FAIR Approach” is my go-to book for this topic. The same is true of the FAIR Institute (www.fairinstitute.org) and FAIR-U / RiskLens (fairu.net) and their efforts to promote better and more robust risk management.
So why the provocative title?
For example, let's log into the FAIR-U tool to perform a web-based risk analysis. The “What's New in FAIR-U” banner is from August 17th, 2018. No update since then?
The icons for some of the educational partners on https://www.fairinstitute.org/fair-university-curriculum are broken, a sure sign that nobody has looked at this page for some time.
A quick search for “Factor Analysis of Information Risk” and “FAIR” at Webster University and George Mason University returned no results. UMass shows a hit, but it is a class from 2017: https://infosec.cs.umass.edu/content/infosec-690r-information-risk-management-0 . The link to Arizona State returns an “Error 403 – access denied”, GCU returns “Page Not Found”, and so on.
The local chapters listed at www.fairinstitute.org are still very US-centric. There is a local chapter in London that seems to consist of a single person. Paris has a local chapter with two people from a training and consulting house. That’s it for Europe!
The Open Group (opengroup.org) Security Forum manages and updates Open FAIR. Many of the documents in their library seem to be old, e.g. “THE OPEN GROUP CERTIFICATION FOR PEOPLE: OPEN FAIR™ PROGRAM CONFIGURATION” with a last update from April 2017. Their FAIR blog has a single, lonely entry from 2017.
The recent fun I had installing Oracle Crystal Ball and RiskKit led to my question above: Am I right, am I wrong? What is your opinion when it comes to quantitative risk management standards outside of the regulated financial industry and its Basel III accord?