Cyber Security
Targeting cyber security investment - the FAIR approach By Denny Wan, peer reviewed by Chip Block and Donna Gallaher
Targeting can be applied to the following tasks in the investment decision process based on the potential financial loss against an asset: 1. Prioritising the risk assessment scope 2. Prioritising the recommendations on remediation actions In this article, I reflect on the discussions with Chip and Donna on the business need for targeting cyber security investments. We discussed how to apply the FAIR approach to the cyber security budget prioritisation process leveraging the above targeting effort. We are seasoned cyber security executives and chairs of our local FAIR Institute Chapters, which I will address later. The paper concludes by explaining how to use the security ROI dashboard and scorecard to assist in the investment prioritisation process IMF forecasted a weakening of the global economy in
18 | Asia Pacific Security Magazine
2019 which, for most firms, will inevitably result in some level of budget cuts. Unfortunately, cyber security spending is often the target for the cut because it generally does not result in direct revenue impact. However, executives must approach risk prioritisation decisions with caution since cyber breaches can impact customers and other third parties along the supply chain. If the organisation is found to be negligent in their risk management decisions, putting profit before customer security without due considerations, they can be exposed to significant punitive fines and damages which are not covered by cyber insurance. The Open Group FAIR (Factor Analysis of Information Risk) methodology is a structured approach to quantifying potential financial losses attributed to cyber risk. This is a powerful defence for organisations to justify their budget prioritisation decisions.