FAIR European Summit 2024 : 4 take-aways from this event dedicated to cyber risk quantification
Every year, the FAIR Institute organises the Fair European Summit, a day of exchanges and conferences for cyber risk management (CRM) professionals who use the FAIR method. This year’s annual event took place on 13 March in Paris.
The FAIR Institute is a not-for-profit organisation dedicated to developing the FAIR methodology and integrating it into cyber risk management.
The FAIR model (for Factor Analysis of Information Risk™) aims to quantify cyber risk in an objective and reproducible way. In addition to precise terminology and clarification of key concepts, the model proposes breaking down risks into measurable factors, enabling the use of statistics and probabilities to assess the frequency of occurrence of risks and the financial losses potentially incurred.
Citalid uses this methodology in its calculation models, enriching it with strategic cyber threat intelligence data and providing dynamic risk analyses that calculate metrics such as the frequency of attacks, the probability of successful attacks and the resulting financial impact. These indicators are then used to make informed decisions about how to manage the risks, whether through preventive measures such as the deployment of security solutions, or through risk sharing with insurance partners.
Although Cyber Risk Quantification is an emerging market in Europe and still requires some evangelism, this event was an opportunity to bring together a community that is convinced of the power of CRQ and to highlight some very advanced use cases from specific companies. Here are the key takeaways from the event.
1: Business lines need to be involved in the cyber risk management approach
Cyber risk management is no longer the preserve of IT teams. It is now clear that business teams are stakeholders in CRM:
- They are in a position to designate the elements of the information system that are most essential for the company to be able to fulfil its missions;
- They are the most competent to estimate the impact on the company’s business of a malfunction of these elements;
- They are necessarily affected by the implementation of security solutions and by the need to comply with current regulations.
During the event, a number of experiences were shared, demonstrating that cyber risk management is becoming a key element in the implementation of corporate digital projects in order to limit both the likelihood of attacks and their impact.
This approach is developing rapidly across the Atlantic, where companies are now legally obliged to share the cyber risks they face and any incidents they have suffered.
However, as Alstom pointed out when sharing its experience of assessing security controls for ISO 27001 compliance, it is not always easy to organise collaboration between IT and business teams, whose concerns and skills are very different. Cyber remains a highly technical area and business teams do not readily see the benefits of audit campaigns or security solution implementation projects. Implementing the FAIR model, as proposed by Citalid, to objectively assess the level of maturity achieved in terms of security controls and to obtain a financial quantification of cyber risks, helps to facilitate communication between teams. These teams can then share a common language, and business teams that understand the challenges associated with cyber risks can contribute to informed decision-making when it comes to dealing with these risks.
2: Education is the key to Cyber Risk Management
This collaboration between the various players in the organisation means that everyone needs to understand the benefits of carrying out audits, implementing security projects, applying for budgets, etc. However, this is sometimes difficult to understand because of the technical nature of the subject. IT or risk management teams, for example, can use cyber risk quantification to educate the various stakeholders about the importance of the actions to be taken and their business impact. In fact, the financial indicators derived from CRQ can give everyone a clearer picture of cyber risk and its consequences, and can therefore prove to be a real educational tool to facilitate collaboration.
3: Transparency is a game-changer
The European Union has adopted the DORA Regulation and the NIS2 Directive, two pieces of legislation that address the cybersecurity of organisations and are currently being transposed into national law.
The NIS 2 Directive, which should be transposed into French law by the second half of 2024 at the latest, defines more precisely than the previous NIS Regulation the obligation to notify the competent authorities (ANSSI in France) in the event of a security incident. The DORA regulation, which applies to organisations and companies in the banking, financial and insurance sectors, also includes a notification requirement.
This will change the way most companies approach cyber risk management, as these new measures require transparency. They will have to demonstrate that they are taking appropriate measures to ensure their cyber security, which could affect their reputation. This is a new lever, and why not a new commercial argument, that companies will be able to use and where cyber risk quantification is proving very useful.
The FAIR Institute, in a similar approach to that taken by Citalid with its clients and partners, is working with American companies to compare the loss estimates made before the incidents with the actual losses caused by the attacks. Transparency is an important element in ensuring that studies run smoothly, particularly when it comes to obtaining the data on which they are based. This means that the models used can be improved to produce more reliable results.
4 : The FAIR Institute is expanding its research and developing 4 frameworks
The work of the FAIR Institute reflects the key concerns of cyber risk management professionals.
- Materiality Assessment Model (MAM) : helps to more reliably determine the company’s losses (turnover, reputation, physical assets, fines, etc.) in the event of an incident ;
- Control Analytics Model (CAM) : enables you to assess the defensive maturity of organisations with automated data searches ;
- GenAI Risk : enables organisations to consider the risks associated with generative AI* ;
- FAIR-TAM : helps you understand and manage third-party risks.
*As is often the case, the use of generative AI and the risks it may pose have sparked debate: some cyber risk management experts believe that these risks should be managed in the same way as traditional cyber risks, while others believe that their nature is different and merits a tailored methodology and tools.
Cyber risk management, and by extension cyber risk quantification, has a promising future. According to Jack Jones, creator of the FAIR methodology, “cyber risk management is in the age of medieval medicine”. “We are only at the beginning of this practice,” he declared in his keynote address. Quantifying cyber risk offers many opportunities for companies and organisations, and it needs to evolve to become not only more effective, but also more essential.
