
Recognizing the Limitations of FAIR


Story time. I recently had the opportunity to work with a large organization in the healthcare insurance industry. They wanted to adopt cyber risk quantification (CRQ) and really liked the FAIR model. The customer came to ThreatConnect and stated “we don’t need all the bells and whistles; we just want to be able to use FAIR” within our CRQ solution Risk Quantifier (RQ). They had already put in a lot of work around gathering data and even worked with a consulting group to help. However, they also recognized the challenges of going to a fully FAIR-based CRQ program. In short, the amount of time and effort it takes to implement FAIR (both scoping and data collection) was A LOT!

The organization asked to do a trial of the ThreatConnect RQ platform and was very clear that they wanted a FAIR-only approach. That was easy as our platform supports the use of FAIR, but also takes risk quantification beyond FAIR through the use of AI/ML and the MITRE ATT&CK framework.  

Fast forward a few weeks. The organization realized that continuing down the FAIR path would ultimately be detrimental to their program because of the overhead of implementing FAIR: training staff (both analysts and SMEs), finding time amongst everyone’s busy days, and gaining consensus with every analyst on the analysis process would be too much work and would take too much time for the organization to absorb. This got them wondering if they could leverage an AI-powered approach to risk quantification for most of their risks and reserve the manual FAIR-based approach for specific scenarios.

This organization realized that using the data-driven approach provided by ThreatConnect RQ would also help them scale their program. This was because they could use their own data from their existing tools (CMDB/asset lists, vulnerability scans, GRC, etc.) and let RQ do all the hard work. Even with that desire, they also began to worry that maybe the data in their tools wasn’t good enough. But they quickly realized that even if it wasn’t perfect data, the decision to improve the data in their tools could be an outcome of a risk assessment. Starting with the industry data provided by ThreatConnect would allow them to focus on their biggest areas of risk. The lightbulb went off, and they decided this was indeed the easier and faster way to measure their cyber risk quantitatively. They could always improve upon their data in the future as their program matures. In leveraging this approach, they could start communicating risk in a way that actually moves the needle and really act upon risk.

Fast forward a few weeks. They were able to quantify over 300 business applications in less than 30 days by simply using the AI-driven approach offered by ThreatConnect RQ. This allows them to spend their resources on managing the risk instead of trying to figure out how to measure it.

Throughout this endeavor (and now as a customer), this organization realized that with the help of ThreatConnect RQ and the experienced Customer Success team, they could truly make risk management actionable within their organization. All without the requirement of spending thousands upon thousands of extra dollars on professional services to set up the program, train them, implement it and measure risk for them.

Want to achieve the same CRQ benefits?

If you want to learn more about how ThreatConnect can help you move beyond FAIR and scale your cyber risk quantification program, reach out to one of our experts today. Want to see more of ThreatConnect RQ? Take a guided tour of RQ right now.

About the Author

Tim Wynkoop

Tim Wynkoop is a Senior Solution Architect at ThreatConnect. He has been a FAIR practitioner and consultant for over 7 years and has been in the world of Risk Management for over 15 years.