FAIR and RQ: It’s time to evolve the conversation

I can’t wait until the day when cars can fully drive themselves. While I love driving, I hate wasting time in traffic. And the number of accidents caused by human error is significantly larger than any self-driving car has caused to date in testing. Yet a lot of my friends aren’t there yet. They might play with the adaptive cruise control a bit, but they aren’t willing to give up control.

Why start a blog about CRQ talking about self driving cars? Because there are parallels to draw. We believe that the future of CRQ lies in automation – automation of losses, attack analysis, and remediation. But we also realize that not everyone is ready for that level of automation just yet.

That’s why I’m so excited to announce the release of version 6.0 of RQ. Version 6.0 represents a major milestone for RQ and for cyber risk quantification. RQ 6.0 is the culmination of years of work by the team to create a product that encompasses what we believe the vision for CRQ should be (automation) while also creating a path from the present to the future (adaptive cruise control).

Simply put – in version 6.0, we have added the ability to create scenarios that comply with the FAIR standard. If you’re using FAIR today, we can support your efforts. And yet, that’s not the big news…

While we’ve always been big fans of FAIR, we’ve hesitated to put it directly into RQ. Why? Because we’ve heard from the community (users, practitioners, partners, friends, and other experts) that while the standard is great, using it – and deriving value from it in a timely manner – is challenging. That’s why my excitement around version 6.0 isn’t the introduction of FAIR scenarios into RQ – it’s around the introduction of Semi-Automated FAIR scenarios.

Semi-Automated FAIR scenarios are our vision for how you transition from a fully manual cyber risk quantification program today towards the fully automated vision of tomorrow. We realized that by providing a mechanism to work with what you know today (FAIR) and by adding a small step towards automation that provides huge value (think adaptive cruise control), we can provide the CRQ space current and future value all in one step.

Now let’s talk about what a “semi-automated FAIR scenario” actually means.


Applying automation to FAIR

The financial losses you face from cyber attacks are directly related to the actor, the attack, and the defenses you have in place. The FAIR taxonomy covers that concept through the Loss Event Frequency tree. But anyone who’s tried to create a FAIR scenario using Resistance Strength, Threat Capability, and the other technical pieces knows that it’s challenging.

Semi-automated FAIR scenarios will allow users to create scenarios that compute the Loss Event Frequency (LEF) side of the calculation using RQ’s attack modeling capabilities. RQ takes into account the controls that exist, the CVEs that are present, and the likelihood that an attacker will target your environment (all tunable, of course).

Combine that with your own Primary and Secondary Loss Magnitude information and you’ve got a scalable, data-driven and actionable option for looking at your financial risk from cyber attacks. Why actionable? Because by using RQ’s calculations for LEF, you can get ROI-based recommendations, which typically aren’t part of a FAIR assessment.
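To make the calculation structure concrete, here is an added illustration of the FAIR taxonomy pieces named above (Threat Capability versus Resistance Strength giving Vulnerability, Threat Event Frequency times Vulnerability giving LEF, and LEF times Primary plus Secondary Loss Magnitude giving annualized loss). It is generic Monte Carlo sampling written for this post, not ThreatConnect RQ code, and it does not model how RQ derives LEF from controls and CVEs. All ranges in the sample scenario are constructed, and the three-point (minimum, most likely, maximum) ranges and the triangular sampling are assumptions made for the illustration.

```python
"""Added example: a minimal FAIR-style Monte Carlo (not RQ's method).

Each input is a constructed three-point estimate (minimum, most likely,
maximum) sampled with a triangular distribution.  Threat Capability and
Resistance Strength are percentile scales (0-100), as in FAIR.
"""
import random
import statistics
from typing import Dict, Tuple

Range = Tuple[float, float, float]  # (minimum, most likely, maximum)


def draw(r: Range, rng: random.Random) -> float:
    """Sample one value from a three-point range.
    Note random.triangular takes (low, high, mode), not (low, mode, high)."""
    lo, most_likely, hi = r
    return rng.triangular(lo, hi, most_likely)


def vulnerability(tc: Range, rs: Range, seed: int = 0, draws: int = 10_000) -> float:
    """FAIR Vulnerability: probability that Threat Capability (tc) exceeds
    Resistance Strength (rs).  Estimated by repeated paired draws."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(draws) if draw(tc, rng) > draw(rs, rng))
    return hits / draws


def fair_risk(tef: Range, tc: Range, rs: Range, primary_lm: Range,
              secondary_lm: Range, iterations: int = 10_000,
              seed: int = 1) -> Dict[str, float]:
    """Annualized loss distribution:
    LEF = TEF * Vulnerability;  loss per event = Primary LM + Secondary LM;
    annual loss = LEF * loss per event.  Returns summary percentiles."""
    rng = random.Random(seed)
    vuln = vulnerability(tc, rs, seed=seed)
    annual_losses = []
    for _ in range(iterations):
        lef = draw(tef, rng) * vuln                            # loss events / year
        loss_per_event = draw(primary_lm, rng) + draw(secondary_lm, rng)
        annual_losses.append(lef * loss_per_event)
    annual_losses.sort()

    def pct(p: float) -> float:
        return annual_losses[min(int(p * iterations), iterations - 1)]

    return {
        "vulnerability": vuln,
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "mean": statistics.fmean(annual_losses),
    }


# Constructed sample scenario (hypothetical figures, not from any assessment):
# an external attacker attempting to ransom a file server.
SCENARIO = {
    "tef": (1.0, 3.0, 8.0),                 # threat events per year
    "tc": (40.0, 65.0, 90.0),               # threat capability percentile
    "rs": (30.0, 55.0, 80.0),               # resistance strength percentile
    "primary_lm": (50_000.0, 200_000.0, 800_000.0),     # response, replacement
    "secondary_lm": (0.0, 100_000.0, 1_000_000.0),      # fines, reputation
}

if __name__ == "__main__":
    result = fair_risk(**SCENARIO)
    for key, value in result.items():
        print(f"{key:>14}: {value:,.2f}")
```

The p10/p50/p90 spread is the part worth showing a decision maker: a single point estimate hides how much of the annualized loss is driven by the Secondary Loss Magnitude tail. The same structure is what a semi-automated scenario replaces on the left side of the tree, with LEF coming from attack modeling instead of hand-estimated TEF, TC and RS ranges.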

To those who will object, saying “semi-automated FAIR isn’t pure FAIR”, we say you’re right, it isn’t. It’s the next evolution in FAIR: a way to leverage the best of FAIR and the best of automation. Our commitment to the FAIR standard, the community and the greater CRQ space is that we will support the standard and work to ensure that it’s easier to adopt, communicate and use throughout your organization. This is just the beginning of our direct involvement with the standard and of how we’re applying innovation and automation to the CRQ problem.

If you’re on the CRQ journey – whether thinking about it, struggling to adopt it, or wondering why the business isn’t adopting your analysis – RQ 6.0 is a “must see”. Request a demo here.


About the Author
Jerry Caponera

Jerry Caponera is VP Cyber Risk Strategy at ThreatConnect, and leads the effort to quantify cyber risk in financial terms. He’s been working on cyber risk quantification efforts for a number of years and has a broad background in cyber, having worked for incident response, malware analysis, and services companies. He has spoken at a number of conferences worldwide including ISS World MEA, InfoSecurity Russia, and TM World Forum. He holds an MBA from the University of Massachusetts, an MS in Computer Science from the University of Pennsylvania, and a BS in Electrical Engineering from the University of Buffalo.