How to find cyber-risk data sources for a FAIR analysis
Alissa Irei · 2026-06-04 · via Search Security Resources and Information from TechTarget

Cyber-risk quantification with FAIR can change the game for CISOs -- but sourcing enough accurate data for analysis can feel impossible. Learn how and where to find it.

Published: 03 Jun 2026

In today's enterprise, some degree of cyber-risk exposure is inevitable. CISOs must use limited resources to strategically address the most significant risks, in alignment with their organizations' cyber-risk appetites.

The easiest and fastest -- but also least reliably accurate -- way to assess relative cyber-risk is qualitatively. A qualitative analysis uses subjective data, such as a rating of excellent, good, fair or poor; a rating from 1 to 5, where 1 is excellent and 5 is poor; or a rating of blue, green, yellow, orange or red, where blue is excellent and red is poor.

Quantitative risk analysis is more challenging but also generally more substantive and useful than qualitative analysis. Cyber-risk quantification (CRQ) requires data that reflects reality as closely as possible and is objectively accurate, if not precise. For example, if the precise but unknown value is 63%, a range -- say, between 60% and 70% -- is imprecise yet accurate.

The Factor Analysis of Information Risk (FAIR) model is a widely respected, mathematically based open standard for CRQ that enables CISOs to translate cyber-risk into financial risk. One of the biggest challenges of using the FAIR model, however, is that its analytical output is only as good as its data inputs -- and finding accurate data to feed the model is not always easy or intuitive.

Don't aim for certainty -- aim for less uncertainty

According to the FAIR Institute, most FAIR analyses start with incomplete and imperfect data, which CISOs should not view as a barrier to success. Even without much or any empirical data, CRQ results can still be highly credible, useful and defensible -- if practitioners transparently and consistently document their sources, assumptions, estimations and confidence levels.

The organization also notes that the goal of CRQ is not to predict the future with certainty, but "to reduce uncertainty to a level that supports informed decision-making." With that in mind, informed, calibrated estimates -- based on structured interviews with internal or external subject matter experts (SMEs), for example -- can be as useful as empirical data.

In identifying data for a FAIR analysis, the goal is often to arrive at a reasonable range rather than a single data point. "There is literally nothing we will likely ever need to measure where our only bounds are negative infinity to positive infinity," CRQ expert Douglas Hubbard wrote in his book How to Measure Anything: Finding the Value of "Intangibles" in Business.


In a FAIR Institute blog post, Jack Jones, creator of the FAIR methodology, offered the following tips for estimating an accurate range:

  • Start with an absurd estimate -- e.g., the person is likely taller than an inch and shorter than 10 feet.
  • Use references and logical reasoning to continually narrow the range.
  • Challenge your team's reasoning throughout the calibration process.
  • Remember that the goal is accuracy, not precision.

Where to find data for a FAIR analysis

Every risk calculation depends on the following fundamental pieces of data:

  1. The likelihood of an event occurring. The FAIR model uses the term loss event frequency.
  2. The severity or impact of the event if it does occur. The FAIR model uses the term loss event magnitude.

Where to find data for loss event frequency

Loss event frequency represents the number of times a disruptive operational event is likely to occur in a designated timeframe, typically a year.

Practitioners can either estimate loss event frequency using empirical data or derive it by multiplying the following factors:

  • Threat event frequency. The statistical likelihood of an event. For example, the odds of a home in a particular ZIP code being robbed, based on recent crime data.
  • Susceptibility. Vulnerabilities that increase the event's likelihood. For example, how often residents of the home leave doors unlocked.

The FAIR Institute suggests practitioners use the following data sources to inform loss event frequency, as well as its contributing factors, threat event frequency and susceptibility.

Data sources for loss event frequency:

Internal data sources:

  • Incident response (IR) logs from past security events.
  • Security operations center logs detailing successful exploits.
  • Historical loss event logs from risk registers or ticketing systems.

External data sources:

Threat event frequency data sources:

Internal data sources:

  • Intrusion detection system and intrusion prevention system logs.
  • Security information and event management alerts.
  • Authentication logs.
  • Firewall logs.
  • Access records.
  • Identity and access management systems.
  • Internal threat profiling.

External data sources:

  • Threat intel feeds -- e.g., Mandiant, now part of Google; Recorded Future; and CrowdStrike.
  • Verizon DBIR.
  • Architecture models.
  • Mitre ATT&CK mappings.
  • Threat profiling.
  • Adversary behavior reports.

Susceptibility data sources:

Internal data sources:

  • Red team results.
  • Incident forensics.
  • Pen test results.
  • Patch management metrics.
  • Vulnerability scan outputs.
  • Third-party risk assessments.

External data sources:

  • Industry breach reports.
  • Mitre ATT&CK.
  • Threat intel feeds -- e.g., Mandiant; Recorded Future; and CrowdStrike.
  • InfraGard bulletins.
  • Industry-specific ISACs.
  • Security control maturity benchmarks.
  • Audit reports.

Where to find data for loss event magnitude

Loss event magnitude reflects the operational and financial effects of a given event. It might factor in both direct or primary losses, such as ransomware payments and lost productivity, and indirect or secondary losses, such as regulatory fines and reputational damage.

The loss event magnitude value should be computed in financial terms -- e.g., lost revenue.

The FAIR Institute suggests practitioners use the following data sources to inform loss event magnitude.

Data sources for loss event magnitude:

Internal data sources:

  • Financial and accounting records related to past security incidents.
  • Business impact assessments from business continuity planning.
  • IR case management or time-tracking records.
  • Ticketing logs indicating resource hours and resolution times.
  • Asset valuation.
  • Impact logs.
  • Legal case records and cost tracking.
  • Compliance records.
  • Legal settlements.
  • Customer support communication logs.
  • PR response history.
  • PR and media spending.
  • Customer churn models.
  • Reputational damage assessments.
  • Insurance claims documentation.
  • SME interviews with PR, media, legal, finance and compliance leaders.

External data sources:

  • IBM's annual "Cost of a Data Breach" report.
  • Cyentia's annual "Information Risk Insights Study."
  • Ponemon Institute.
  • FAIR Institute's "How Material Is That Hack" website.
  • Securities and Exchange Commission (SEC) disclosures.
  • Crisis reports.
  • Regulatory disclosures and enforcement databases -- e.g., General Data Protection Regulation and the SEC.
  • Public breach databases.
  • Breach follow-on reports from Cyentia, Deloitte and legal analysis firms.
  • Industry loss studies from Ponemon, Cyentia and Forrester.
  • Publicly disclosed fines or class-action settlements.
  • Market research on brand impact and consumer trust.
  • SME interviews with PR, crisis management, law and insurance firms.

Alissa Irei is senior site editor of Informa TechTarget Security.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
