Risk Analysis and Management

Mike Jerbic has led the development of the Open FAIR Quantitative cyber risk analysis standards and has contributed to guides and white papers expanding upon how that standard is used.  In his role as lecturer at San Jose State University, he has trained and certified undergraduate economics students in Open FAIR.  He is a recognized expert in cyber risk analysis, Open FAIR certification training, and in architecting and directing cyber risk analysis teams. 

The scope of a consulting engagement is, by nature, flexible.  Below are examples of the range of engagements clients have requested; they are offered simply as illustrations.  Contact us to discuss the right engagement for you.

The First Cyber Risk Analysis

Call it a pilot project or an experiment; the first risk analysis entails:

  • Introduction to the Open FAIR framework and method so that 
  • Definition of the purpose of the engagement: which decisions does management need to make to manage cyber risk effectively?
  • Definition of one or more risk scenarios pertinent to the purpose of the engagement.
  • Interviews with subject matter experts to triage those scenarios and identify the critical few for deep analysis.
  • Deep analysis of the critical few.
  • Reporting of the results in economic terms meaningful to risk management decision makers.

Analyzing Cyber Security Program Costs and Benefits

This engagement goes beyond the first cyber risk analysis as an experiment or pilot and conducts analysis across many risk scenarios. Risk can then be aggregated and presented as enterprise risk.

This kind of engagement can expand to evaluating the benefits of proposed cyber security programs, with those benefits being the value of the cyber risk reduction. Security controls are the means to the end of managing and mitigating risk. The overall risk reduction from implementing controls is expressed as a tangible economic benefit, which can be compared with the proposed program's costs.
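As an added illustration (not part of this page or of any client engagement), the sketch below shows how such a comparison is put together in Open FAIR terms: each scenario's loss event frequency (LEF) and loss magnitude (LM) are given as (min, most likely, max) estimates, annualized loss exposure is simulated and aggregated across scenarios, and the program's value is the drop in aggregate loss exposure net of its annual cost. All scenario figures, the control's effect on frequency, and the program cost are constructed assumptions.

```python
"""Open FAIR-style cost/benefit sketch: annualized loss exposure (ALE) per
scenario, aggregated across scenarios, then compared with and without a
proposed control program. Every number below is a constructed example."""
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    lef: tuple         # (min, most likely, max) loss events per year
    lm: tuple          # (min, most likely, max) loss per event, USD
    lef_factor: float  # multiplier applied to LEF if the program is adopted

# Constructed scenarios; a real engagement derives these from SME interviews.
SCENARIOS = [
    Scenario("Phishing-led credential theft", (2, 5, 12), (20_000, 60_000, 250_000), 0.4),
    Scenario("Ransomware on file servers", (0.1, 0.3, 1.0), (200_000, 800_000, 3_000_000), 0.5),
]
PROGRAM_COST = 150_000  # assumed annual cost of the proposed control program

def tri_mean(t):
    lo, mode, hi = t
    return (lo + mode + hi) / 3.0

def analytic_ale(s, with_controls=False):
    # LEF and LM are modelled as independent, so E[LEF * LM] = E[LEF] * E[LM].
    f = s.lef_factor if with_controls else 1.0
    return f * tri_mean(s.lef) * tri_mean(s.lm)

def simulate(scenarios, with_controls=False, n=20000, seed=1):
    """Monte Carlo: sample LEF and LM per scenario per year, sum across scenarios."""
    rng = random.Random(seed)  # same seed for both runs = common random numbers
    totals = []
    for _ in range(n):
        year = 0.0
        for s in scenarios:
            f = s.lef_factor if with_controls else 1.0
            lef = f * rng.triangular(s.lef[0], s.lef[2], s.lef[1])
            year += lef * rng.triangular(s.lm[0], s.lm[2], s.lm[1])
        totals.append(year)
    totals.sort()
    return {"mean": sum(totals) / n, "p90": totals[int(0.9 * n)]}

def program_value(scenarios, annual_cost, n=20000, seed=1):
    base = simulate(scenarios, False, n, seed)
    ctrl = simulate(scenarios, True, n, seed)
    reduction = base["mean"] - ctrl["mean"]
    return {"baseline": base, "controlled": ctrl,
            "risk_reduction": reduction, "net_benefit": reduction - annual_cost}

if __name__ == "__main__":
    print(program_value(SCENARIOS, PROGRAM_COST))
```

The 90th percentile is reported alongside the mean because decision makers usually care about tail exposure, not only the expected annual loss.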

Standing Up a Cyber Risk Analysis Capability

Maybe you want to build an organization capable of independently performing quantitative cyber risk analysis. To do that, we lead and help you:

  • Develop a mission and vision for a quantitative cyber risk capability
  • Develop an organizational structure to support the process of analysis, the quality of the data used, and the quality of the results
  • Develop the analysis process and process steps
  • Develop the people through training and education, including Open FAIR certification as desired
  • Develop the process documentation that survives any individual engagement