
Qualitative vs. Quantitative Risk Analysis (Comparison)
NIST CSF, ISO 2700X, and other standards say that cybersecurity risk and its contributing factors can be assessed in a variety of ways, including "quantitatively" or "qualitatively." But what's the difference? Which is the better form of risk measurement for your organization? Why would you conduct a qualitative versus a ...

What Is Cyber Risk? The FAIR Definition
I was first introduced to the concept of cyber risk quantification when I began working with Factor Analysis of Information Risk or the FAIR Model (see a diagram of the model here). With this model, an analyst can estimate cyber risk in financial terms (i.e., dollars and cents). In FAIR-based ...