This working group was created in 2015. Interest and activity in this field have grown substantially over the past few years. The following is a list of organizations and their recent progress in quantifying technology risk:
Center for Internet Security
In January 2022, CIS and HALOCK Security Labs jointly announced the CIS Risk Assessment Method (CIS RAM). CIS RAM was authored by HALOCK Security Labs in partnership with CIS to establish what constitutes a reasonable implementation of the CIS Controls. Using CIS RAM, enterprises can methodically determine which security safeguards are reasonable and appropriate ("reasonable" controls) for their specific environment. CIS RAM not only provides standardized methods for achieving compliance, but also helps ensure that enterprises devote the right amount of resources to maintaining security: enough to reduce risk to an acceptable level, without spending more on a safeguard than the harm it prevents.
FAIR & Controls Analytics Model
The FAIR-CAM™ model is a formal description of how risk management controls operate, both individually and within a system of other controls, to affect the frequency or magnitude of loss. FAIR is a model for measuring risk, whereas the FAIR-CAM™ model describes how controls affect risk; it does not change how risk is measured. It should be thought of as an extension of the FAIR model that provides the means to reliably map and account for risk management controls when performing a FAIR analysis. Combined with FAIR, it enables analysts to more easily and reliably measure the risk reduction value of controls.
DoCRA Council
The DoCRA Council maintains the Duty of Care Risk Analysis (DoCRA) Standard, on which CIS RAM is based, and educates risk practitioners on its use. While DoCRA is applicable to evaluating information security risk, it is designed to be generally applicable to other areas of business that must manage risk and regulatory compliance.