FAIR Fatigue: A Deeper Dive

Published by David White

My recent blog post, How to Relieve FAIR Fatigue, generated some intense interest from within the cyber risk community. I received several comments from colleagues who agreed with my post’s central thesis. Namely, that many risk practitioners have voiced frustration with FAIR and their experiences with the CRQ vendors who preach its gospel. But I also received some pushback. Jack Jones, President of the FAIR Institute, took umbrage with my post. You can read his commentary here.

I appreciate Jack’s open candor, and I’d like to clarify some of the points [1] I made in the original piece in an effort to further the dialogue around advancing CRQ.

The Fatigue is Real

“FAIR Fatigue” is a real phenomenon that I’ve observed through my experience working with security and risk leaders, including customers of Axio – and customers of all the leading CRQ software and services providers. Now, to be clear, I don’t think the FAIR methodology is a wrong approach to cyber risk quantification. There is no universal consensus in support or in opposition to the FAIR methodology, and there is a diverse range of perspectives and opinions about how to examine cyber risk quantitatively. Diversity is a good thing. Customers ultimately fare better when they have options from which to choose.

I have heard from many FAIR users that FAIR implementations can be complex, costly, and unwieldy, which I emphasized in my post. To be fair, let’s acknowledge that all cyber initiatives take time, require personnel, resources, and executive buy-in, and that those trade-offs need to be assessed and understood at the outset of any project, especially CRQ projects. Attackers are moving at pace and at scale; defenders need efficient and effective ways to keep pace with the risk. It’s important to note that my perspective here has been significantly influenced by security leaders who have switched or are considering switching to Axio. This is why I described it as “fatigue.”

That said, FAIR started a conversation and built a community around cyber risk quantification (CRQ); I congratulate Jack for that. I believe that CRQ can and should be an important element of an effective cyber risk management program. In fact, Axio has numerous users of our CRQ software that are FAIR-trained and continue to use the core tenets of FAIR. But it is not the only way.

An open standard?

There seems to be an air of righteous dogma around FAIR. I’ve heard many people describe FAIR as the international standard and use that phrase to distinguish it from other CRQ methods, but is it really an open standard? Of the six directors on the FAIR Institute board, two are executives at RiskLens, including Jack, the RiskLens Co-Founder, and Nick Sanna, the Founder of the FAIR Institute and CEO of RiskLens. Another two directors are clearly clients of RiskLens and have provided quotations that are prominently displayed on RiskLens’ homepage. I suspect that the other two board members may have close ties to RiskLens. It also appears that both RiskLens and The FAIR Institute are headquartered on the same floor of the same building in Spokane, WA.

On their website, RiskLens claims that their software is the only risk quantification platform powered by the FAIR model. If the FAIR Institute is controlled by RiskLens employees and customers and RiskLens asserts that it is the only software powered by FAIR, is FAIR really an open standard? Why aren’t other CRQ software vendors who claim to be implementing FAIR involved in the FAIR Institute?

As Forrester notes in their recent report on CRQ, “The FAIR Institute currently dominates the CRQ space. While FAIR derives its status from the wider applicability and its status as an open standard adopted by the Open Group, it is not the only approach to CRQ. Feedback from recent Forrester inquiries indicates that clients are struggling with implementing FAIR, finding it overly academic, impractical to scale, and requiring a significant level of resourcing to sustain.”

Jack is someone with whom I share a lot of the same commitments and professional values. I do find it important to note that we’re both co-founders of software companies, RiskLens and Axio, which have significant financial interests at stake in promoting the philosophy and adoption of CRQ. Jack has a vested interest in seeing his paradigm adopted, and so do I.

If you’ve struggled with FAIR, it’s your own fault

In his blog post, Jack admits that organizations have struggled with adopting FAIR: “David is correct that some organizations have struggled with adopting FAIR, but this isn’t a function of FAIR itself. Rather it’s a function of how some organizations approached its use.” The implication here is that any struggles with FAIR are the fault of the practitioners of FAIR. Could it be that FAIR (the standard) or FAIR (the training) or FAIR (the RiskLens software) have overcomplicated CRQ, which has ultimately failed the users? As a CRQ community, we can’t blame the security and risk leaders who are working hard to make these methods produce informative results. They are spending their limited resources – financial, time, and personnel – on CRQ and we owe it to them to accelerate time-to-value.

My observations are not unique. Forrester writes in their market analysis: “CRQ methods like FAIR lack practical implementation-level guidance for correctly scoping a FAIR analysis. One vendor we spoke to said, ‘We often see that clients don’t really know where to start or what their scope and use cases are.’”

As George Box famously said, “All models are wrong, some models are useful.” Shouldn’t CRQ be about building models of risk that are useful? Shouldn’t those of us who are invested in CRQ be supporting user success and constantly striving to find ways to meet them where they are so that they can succeed?

We are in this together

Jack Jones and I clearly share a deep commitment to helping organizations understand and reduce cyber risk. We also want our respective software companies to grow. I’d be happy to meet and discuss further what we’re seeing in the market and how we might collaborate to help make CRQ a useful reality for companies struggling to make better decisions about risk.

Is FAIR the only way to achieve CRQ success? I would argue that it is not. Is Axio the only way to achieve CRQ success? I would argue that we are not, but we are one way where companies may experience faster results and fewer headaches.

We’re not hiding anything

If you’re curious to learn more about Axio’s CRQ software and method, we’d love to give you a demo, engage in a proof-of-concept engagement, or simply share more with you about our approach. Check us out or reach out directly to info [at] axio.com.

As one RiskLens/FAIR super user recently commented after sharing our output with their stakeholders and having an in-depth discussion about our approach: “Wow, you guys have built CRQ for the masses. Congratulations!”


[1] Jack appears to believe that I (or someone at Axio) took issue with his rebuttal and deleted his post from the blog. I don’t wish to spend time on this frippery in my response, so I’ll address it here. I assume he’s referring to the version published on Security Boulevard, which syndicates cybersecurity blog posts and moderates its own comments section. This is, of course, outside of Axio’s purview, and Security Boulevard can be reached via email at info [at] securityboulevard.com or on Twitter at @securityblvd.