Structured approaches to identifying, analyzing, and quantifying cybersecurity and enterprise risks.
- FAIR Institute: https://www.fairinstitute.org/
- FAIR Model Standard Artifact (V3.0): https://www.fairinstitute.org/resources/fair-model-standard-artifact-v3.0
- FAIR Controls Analytics Model (FAIR-CAM): https://www.fairinstitute.org/resources/fair-cam-standard-artifact-v1.0
- FAIR Cyber Risk Scenario Taxonomy: https://www.fairinstitute.org/resources/fair-cyber-risk-scenario-taxonomy
- Using the FAIR Model to Measure Inherent Risk: https://www.fairinstitute.org/blog/using-the-fair-model-to-measure-inherent-risk
- ISO/IEC 27005 Cookbook: https://publications.opengroup.org/c103
- pyfair: FAIR model written in Python for Monte Carlo simulations: https://github.com/Hive-Systems/pyfair
- FAIR Simulator: FAIR Risk Quantification Tool in Python: https://github.com/security-decision-science/security-decision-labs/tree/main/tools/fair-simulator
- riskquant: Netflix open-source library for quantifying risk: https://github.com/Netflix-Skunkworks/riskquant
- tidyrisk: Collection of R packages for quantitative risk management using OpenFAIR: https://tidyrisk.org/
- evaluator: Open source quantitative risk analysis toolkit: https://github.com/davidski/evaluator
- collector: R package for conducting SME interviews on risk scenarios: https://github.com/davidski/collector
- unsuR: Risk assessment with R: https://github.com/cneskey/unsuR
- A system to calculate Cyber Value-at-Risk: https://www.sciencedirect.com/science/article/pii/S0167404821003692
- Binary Risk Assessment: BRA helps discuss risk in a structured manner: https://binary.protect.io/
- Simple Risk (for engineers): https://magoo.github.io/simple-risk/reading.html
- Hubbard Research: https://hubbardresearch.com/
- Cyentia: https://www.cyentia.com/
- IRIS Risk Retina (data and analysis): https://www.cyentia.com/services/iris-risk-retina/
- RISK ANALYSIS QUALITY TEST: https://www.sra.org/resources/risk-analysis-quality-test/
- Calibration Training: http://sethrylan.org/bayesian/
- Bayesian Probability Fundamentals: https://www.youtube.com/watch?v=GShNozmkYlQ
- SIRACon 2012: Tony Cox - Improving Risk Management Comparisons
  - Advanced critique of risk matrices, scoring formulas, and ranking methods
  - Demonstrates how standard rating/scoring methods often perform worse than random decision-making
  - Proposes quantitative optimization models as superior alternatives
  - Practical examples from information security, enterprise risk, and terrorism risk analysis
  - Key insight: better risk reduction at lower cost through mathematical optimization
- IRIS 20/20 - Cyentia Institute
  - 10 years of historical cyber incident data analysis
  - Measures frequency and cost of actual cyber incidents
  - Provides evidence-based data for risk assessment beyond "FUD" (Fear, Uncertainty, Doubt)
  - Supports quantitative risk modeling with empirical data
If risk assessments exist to facilitate informed decision-making, understanding the science behind decision-making becomes essential. Decision science principles should inform how we:
- Design risk assessment methodologies
- Present risk information to stakeholders
- Make resource allocation decisions based on risk data
- Avoid cognitive biases in risk evaluation
- "The Theory That Would Not Die" (Book on Bayesian probability): https://www.amazon.com/Theory-That-Would-Not-Die/dp/0300188226/