
Explore how unstated assumptions distort risk assessments through a four-stage tire swing scenario, clarifying risk, vulnerabilities, and threats in Open FAIR cybersecurity risk.
Defines risk as a measurable quantity of future money loss from a specific scenario, using probable frequency and magnitude to forecast potential losses.
Quantify cyber risk with the FAIR model to replace subjective qualitative assessments with data-driven loss exceedance curves and probability estimates for informed management decisions.
Introduce the Open FAIR model for cybersecurity risk, defining risk as monetary loss from loss event frequency and magnitude, driven by threat event frequency, vulnerability, and primary and secondary losses.
Explore the FAIR model and its elements, using the cheat sheet as a reference throughout the course, and practice daily by drawing the model for five minutes.
Explore the five-layer risk management stack, from accurate modeling to effective risk management, and learn how quantitative risk analysis, reliable data, and effective comparisons enable well-informed decisions.
Contrast prediction with forecasting in risk measurement, showing how forecasts express probability and uncertainty, grounded in reliable data to estimate cybersecurity risk with Open FAIR.
Explore the difference between accuracy and precision and learn to use range estimates with a useful level of precision to achieve 90% confidence in cybersecurity risk assessments with Open FAIR.
Learn to create estimates with min, max, most likely value, and confidence level, to improve precision in cybersecurity risk assessments; apply Monte Carlo simulations to refine the results.
Frame risk from the primary stakeholder’s perspective and map the loss flow from threat actor to asset and secondary stakeholders, guided by Open FAIR.
Distinguish probability from possibility and focus on the probable risk scenarios in risk analysis, prioritizing high-probability risks over merely possible ones.
Explore the Open FAIR model by defining risk as a measurable, forecasted loss over a time frame; learn to assess loss event frequency and loss magnitude across scenarios.
Understand loss event frequency as the number of times a loss event will occur in the next year, counting only successful incidents and excluding attempted or near misses.
Assess threat event frequency by counting both malicious and non-malicious attempts to cause loss, and relate it to loss event frequency using contact frequency and probability of action.
Explain contact frequency, the times a threat agent is within reach to cause harm, to estimate threat event frequency. Illustrate with random, regular, and intentional contact and practical examples.
Explore three forms of contact frequency—random, regular, and intentional—and see how each type shapes threat events, from untargeted encounters to targeted attacks in cybersecurity risk with Open FAIR.
Probability of action is the percentage of contact events that become threat events, influenced by value, effort, and risk, with thieves 5–10% and insiders 1–5%.
Learn how value, effort, and risk determine the probability of action for a threat actor, with value surpassing effort and risk driving action in car theft scenarios.
Calculate threat event frequency by multiplying contact frequency with probability of action. Apply this to an art gallery theft scenario to estimate 10–30 yearly attempts.
Understand threat capability, the force a threat agent can apply, as a risk factor for calculating vulnerability, and compare it across threat communities from nation-sponsored actors to script kiddies.
Learn how the threat capability continuum uses the FAIR model to compare attacker capability with resistance. Compare script kiddies and nation-state attackers, and tie estimates to the loss scenario.
Calculate vulnerability by comparing threat capability and resistance strength with Monte Carlo simulations, using distributions and min-max estimates to predict whether a threat surpasses defenses.
Complete the loss event frequency analysis by calculating how many loss events occur each year. Then estimate how much each loss costs to determine loss magnitude and its risk factors.
Explore loss magnitude, the per-incident amount lost, using factor-based distributions and uncertainty ranges, including costs to reputation and response, from the primary stakeholder perspective.
Identify and explain the six forms of loss—productivity, response, replacement, competitive advantage, reputational damage, and fines and judgment—and how primary and secondary costs shape loss magnitude in cybersecurity risk.
Use the loss flow to measure secondary loss, analyzing stakeholder reactions across four forms: response cost, loss of competitive advantage, fines and judgments, and reputation damage, together with secondary loss frequency and magnitude.
Learn how secondary loss frequency gauges the probability that a loss event triggers secondary effects from stakeholders, with examples like credit monitoring sign-ups ranging from 20 to 70 percent.
Define secondary loss magnitude as the cost of secondary stakeholder reactions; multiply by secondary loss frequency to compute secondary loss, including reputation damage, fines, competitive advantage loss, and response costs.
Calculate secondary loss by multiplying secondary loss frequency by magnitude across all loss forms. Use credit monitoring with 20–70% frequency and $50–$100 per enrollment for 1000 employees to estimate totals.
Calculate loss magnitude by adding primary and secondary loss to estimate the cost per loss event, using an insider threat example to show how the ranges yield 20,000–120,000 and influence total cost.
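As an added example, not course material: a small Monte Carlo calculation in Python of the Open FAIR chain described above, from contact frequency and probability of action through vulnerability to primary plus secondary loss, ending in loss exceedance probabilities. All input ranges are constructed assumptions for a hypothetical insider data-breach scenario, not the course worksheet values, and the triangular distribution stands in for whatever calibrated distribution the course uses.

```python
import random

# Constructed (min, most likely, max) estimates for a hypothetical insider
# data-breach scenario: assumptions for this example, not course worksheet values.
# Each range is sampled from a triangular distribution as a simple stand-in
# for the calibrated estimates the course describes.
CONTACT_FREQ  = (50, 100, 200)             # insider contacts with the data per year
PROB_ACTION   = (0.01, 0.02, 0.05)         # share of contacts that become attempts
THREAT_CAP    = (30, 55, 80)               # attacker capability, 0-100 scale
RESIST_STR    = (40, 60, 85)               # control resistance strength, same scale
PRIMARY_LOSS  = (20_000, 50_000, 120_000)  # productivity + response cost per event
SEC_LOSS_FREQ = (0.20, 0.40, 0.70)         # chance the event triggers credit-monitoring sign-ups
ENROLL_COST   = (50, 70, 100)              # cost per credit-monitoring enrollment
AFFECTED      = 1000                       # employees offered credit monitoring

def tri(rng, estimate):
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)

def simulate_year(rng):
    """Return the total loss for one simulated year of the scenario."""
    tef = tri(rng, CONTACT_FREQ) * tri(rng, PROB_ACTION)  # threat event frequency
    # Turn the fractional expected frequency into a whole number of attempts.
    attempts = int(tef) + (1 if rng.random() < tef - int(tef) else 0)
    total = 0.0
    for _ in range(attempts):
        # Vulnerability: the attempt becomes a loss event only when threat
        # capability exceeds the resistance strength it meets.
        if tri(rng, THREAT_CAP) <= tri(rng, RESIST_STR):
            continue
        primary = tri(rng, PRIMARY_LOSS)
        # Secondary loss = secondary loss frequency x secondary loss magnitude.
        secondary = tri(rng, SEC_LOSS_FREQ) * AFFECTED * tri(rng, ENROLL_COST)
        total += primary + secondary
    return total

def run_simulation(years=10_000, seed=1):
    rng = random.Random(seed)
    return [simulate_year(rng) for _ in range(years)]

def loss_exceedance(losses, threshold):
    """Fraction of simulated years whose loss is at least `threshold`."""
    return sum(1 for x in losses if x >= threshold) / len(losses)

if __name__ == "__main__":
    losses = run_simulation()
    print(f"mean annual loss: ${sum(losses) / len(losses):,.0f}")
    for t in (50_000, 100_000, 250_000):
        print(f"P(annual loss >= ${t:,}) = {loss_exceedance(losses, t):.2f}")
```

The printed exceedance values are the points of a loss exceedance curve; widening any input range visibly fattens the tail, which is the effect the course's precision-versus-accuracy discussion is about.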
Complete the case study worksheet for cybersecurity risk assessment using Open FAIR, and answer the questions before moving on to the next video.
Use the Open Group’s Open FAIR Risk Analysis tool and user guide to input estimates at any level of the FAIR model, automatically calculate risk, and generate loss exceedance graphs.
Earn the official Open FAIR certification by mastering the Open Group risk taxonomy and risk analysis standards, with a closed-book exam and Udemy practice exams.
"How to Measure Anything in Cybersecurity Risk with Open FAIR" is designed to equip you with all the necessary tools and skills to achieve effective risk measurement. Throughout this course you get hands-on experience with risk measurement techniques and tools that will elevate your risk measurement and quantification. You will learn how an accurate risk model allows us to make meaningful measurements and achieve unparalleled risk measurement and quantification.
This course teaches the Open FAIR approach to risk measurement and will transform the way you think about risks, threats and vulnerabilities. Imagine having the power to decipher risks with absolute precision and clarity. Open FAIR isn't just a framework; it's your gateway to understanding, measuring, and ultimately mastering information risk in a language your business understands.
You’ll learn a standardized approach to measurement, recommended by NIST, that transforms complex risks into tangible, quantifiable figures. Dive deep into advanced risk modeling techniques that go beyond conventional methodologies. This course introduces you to cutting-edge approaches in risk measurement, providing insights into probabilistic modeling, scenario analysis, and Monte Carlo simulations. With Open FAIR, you're not just navigating uncertainties; you're strategically measuring risks, comparing options, and making cost-effective decisions that safeguard your business.
This course is designed to cut through the jargon and deliver actionable insights from the first video. No fluff, no unnecessary complexities—just a clear, focused journey into understanding, applying, and mastering the Open FAIR approach to effective Risk Measurement and Management.
Upon completion of the course, you'll have the option to pursue the Open FAIR Part 1 Certification, validating your expertise in risk measurement and quantification. This certification not only enhances your professional credibility but also opens doors to new career opportunities. With a recognized credential in hand, you'll stand out in the competitive landscape of risk management professionals.
If you have any questions or need guidance along the way, don't hesitate to reach out to me!