Using NIST CSF & the FAIR Risk Model Together | Webinar Included




On the road to risk management maturity, most organizations start with some kind of maturity framework, most likely the NIST Cybersecurity Framework (NIST CSF). Frameworks are relatively easy to implement, and carry industry acceptance. But at this early stage of development, there is a misconception that maturity frameworks are either the same thing as, or close enough to, a well-vetted and defensible risk analysis model.


Over time, organizations learn the differences between the FAIR™ (Factor Analysis of Information Risk) model and CSF risk assessments. Then they may feel that the two are diametrically opposed and that one approach has to be chosen over the other, which is another common misconception.






In order to properly assess cyber risk, an organization must be able to identify specific risk scenarios, assess the loss magnitude of said scenarios, and then compare the results to the company’s risk appetite. Once an organization has that information, it can decide which risks need to be addressed and in what order.
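The scenario-based procedure above (identify specific loss scenarios, estimate their magnitude, compare with appetite, then rank) can be made concrete with a small quantitative model. The following is an added example, not code from this post or from the RiskLens platform; it uses FAIR's top-level decomposition of risk into loss event frequency and loss magnitude, and assumes triangular min/most-likely/max estimates plus Poisson event counts as a simplification. The three scenarios and the risk appetite figure are constructed sample values.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class Scenario:
    """A FAIR-style loss scenario (asset, threat, effect) expressed as calibrated
    min / most-likely / max estimates rather than single point values."""
    name: str
    lef_min: float      # loss event frequency: events per year
    lef_likely: float
    lef_max: float
    lm_min: float       # loss magnitude: currency units per event
    lm_likely: float
    lm_max: float


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method for drawing a yearly event count with rate lam.
    Hypothetical helper, adequate for the small rates used here."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(s: Scenario, iterations: int = 10_000, seed: int = 7) -> list:
    """Monte Carlo: for each simulated year draw a frequency, draw how many loss
    events actually occur, and sum an independently drawn magnitude per event."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(iterations):
        lef = rng.triangular(s.lef_min, s.lef_max, s.lef_likely)
        events = poisson(rng, lef)
        yearly.append(sum(rng.triangular(s.lm_min, s.lm_max, s.lm_likely)
                          for _ in range(events)))
    return yearly


def summarize(yearly: list) -> dict:
    """Annualized loss exposure (mean) plus tail figures decision makers ask for."""
    ordered = sorted(yearly)
    p90 = ordered[int(0.9 * (len(ordered) - 1))]
    return {"mean": mean(yearly), "p90": p90, "max": ordered[-1]}


def prioritize(scenarios: list, appetite: float,
               iterations: int = 10_000, seed: int = 7) -> list:
    """Rank scenarios by expected annual loss and flag those whose expected loss
    exceeds the organization's stated risk appetite."""
    rows = []
    for s in scenarios:
        stats = summarize(simulate_annual_loss(s, iterations, seed))
        rows.append({"name": s.name, **stats,
                     "exceeds_appetite": stats["mean"] > appetite})
    return sorted(rows, key=lambda r: r["mean"], reverse=True)


# Constructed sample scenarios (illustrative estimates, not real data).
SCENARIOS = [
    Scenario("Ransomware on file servers", 0.1, 0.2, 0.5, 200_000, 500_000, 2_000_000),
    Scenario("Phishing-driven credential theft", 2, 4, 10, 5_000, 15_000, 50_000),
    Scenario("Lost or stolen laptop", 1, 2, 5, 1_000, 3_000, 10_000),
]
RISK_APPETITE = 150_000   # constructed: tolerated expected annual loss per scenario


if __name__ == "__main__":
    for row in prioritize(SCENARIOS, RISK_APPETITE):
        flag = "OVER APPETITE" if row["exceeds_appetite"] else "within appetite"
        print(f'{row["name"]:35} mean={row["mean"]:>12,.0f} '
              f'p90={row["p90"]:>12,.0f} {flag}')
```

The output is a ranked list in the order the post describes: which scenarios need treatment first, and which sit inside the appetite and can be accepted or monitored. Because estimates are ranges, the same scenario can be re-run after a control is added (lower frequency or magnitude bounds) to show the change in expected loss rather than a change in a maturity tier score.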


In this post, I’m going to outline the differences between the NIST CSF and Factor Analysis of Information Risk (FAIR), the risk analysis model that powers the RiskLens platform, and show how the two can be used in a complementary way.



What Are the Desired Outcomes for NIST CSF and FAIR Assessments?


To make sure that expectations match desired outcomes, it’s important to understand what each is intended to achieve and the differences between them.


NIST CSF

