Which framework is better for risk quantification: NIST or FAIR?

Anonymous Author
I have a bias as I sit on the FAIR Institute Advisory Board, but my role is to be the 10th man: if 9 people agree, my job is to disagree. I was an early adopter of FAIR but after 1.5 years I threw it out. In terms of quantification schema and models it’s wonderful and pristine. It forces us to come up with detailed risk statements versus abstract, overarching ones which hide various components of risk. The models it uses for quantification make sense and are traceable back to statistical models that can be mapped using Monte Carlo simulations across the board. The challenge that I have with FAIR is that it tells me what the risk is but not how to fix it. Unless I am the size of a Walmart, which has fully adopted it, what I want to know as a CISO is: “The risk is $50 million. What are the 3 things I can do to cut that in half?” Without that, it was useless to me. FAIR has begun to fix that problem to the point where its adoption in the mid-tier will accelerate and take off. If it doesn't fix that problem, then NIST is your best alternative. But I genuinely think in terms of statistical accuracy, etc., FAIR is better.
2 upvotes
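To make the first answer's point concrete, here is an added example (not from the original thread and not FAIR Institute code) of a FAIR-style Monte Carlo estimate of annualized loss exposure, followed by a greedy ranking of candidate controls to answer the "what cuts it in half?" question. The scenario numbers, the lognormal/Poisson modelling choices and the control effect factors are constructed assumptions for illustration.

```python
import math
import random
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Scenario:
    lef_median: float  # loss event frequency, events/year (median of a lognormal)
    lef_sigma: float   # spread of that estimate (log-space std dev)
    lm_median: float   # loss magnitude per event, USD (median of a lognormal)
    lm_sigma: float    # spread of that estimate (log-space std dev)

def _poisson(rng, lam):
    """Knuth's method: number of loss events in one simulated year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(s, trials=20_000, seed=7):
    """Annualized loss exposure: mean simulated loss per year, in USD."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        lef = rng.lognormvariate(math.log(s.lef_median), s.lef_sigma)
        total += sum(rng.lognormvariate(math.log(s.lm_median), s.lm_sigma)
                     for _ in range(_poisson(rng, lef)))
    return total / trials

def apply_control(s, lef_factor, lm_factor):
    """A control scales frequency (e.g. MFA) and/or magnitude (e.g. backups)."""
    return replace(s, lef_median=s.lef_median * lef_factor, lm_median=s.lm_median * lm_factor)

def rank_controls(s, controls):
    """Rank controls by ALE reduction; controls: name -> (lef_factor, lm_factor)."""
    base = simulate_ale(s)
    rows = [(name, base - simulate_ale(apply_control(s, *f))) for name, f in controls.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def plan_to_halve(s, controls, fraction=0.5):
    """Greedy answer to 'what cuts this in half?': keep adding the best remaining control."""
    base, current, chosen, remaining = simulate_ale(s), s, [], dict(controls)
    while simulate_ale(current) > fraction * base and remaining:
        name = rank_controls(current, remaining)[0][0]
        current = apply_control(current, *remaining.pop(name))
        chosen.append(name)
    return base, simulate_ale(current), chosen

# Constructed credential-phishing scenario; all numbers and control factors are assumptions.
SCENARIO = Scenario(lef_median=4.0, lef_sigma=0.5, lm_median=250_000, lm_sigma=1.0)
CONTROLS = {"phishing-resistant MFA": (0.6, 1.0), "tested offline backups": (1.0, 0.75),
            "privileged access tiering": (1.0, 0.9), "security awareness training": (0.95, 1.0)}
```

Calling `plan_to_halve(SCENARIO, CONTROLS)` returns the baseline ALE, the ALE after treatment, and the ordered list of controls that got it under half; swapping in calibrated estimates for the lognormal parameters is what a real FAIR analysis adds.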
Anonymous Author
I like FAIR, and have seen it well enacted in organizations. It's actionable and specific, so I've seen people do a good job of implementing it. However, from my perspective as an auditor, we see risk assessments pointing to an adjacent standard. If we're doing a FedRAMP assessment or an ISO certification, for instance, you see those mappings. For serious assessments the FAIR model works well, but I do think that a lot of companies feel the need to model around an open standard—like NIST 800-30 and ISO 27005—to be able to point to something to defend their risk assessment. That's important when it comes to certifications and interactions with regulators, etc.
3 upvotes