Quantifying cyber risk at Netflix, Highmark Health: Case studies
Show me the money: In these case studies, learn how the FAIR model helped a nonprofit healthcare company and a streaming giant quantify cyber risk in financial terms.
In 2019, CISO Omar Khawaja set out to transform the compliance-driven security culture at Highmark Health -- a nonprofit healthcare company based in Pittsburgh -- to one focused on business outcomes and risk.
Khawaja turned to the Factor Analysis of Information Risk (FAIR) methodology, a mathematics-based framework for cyber-risk quantification (CRQ) developed by the nonprofit FAIR Institute. Users run data through the model's mathematical algorithms to calculate the potential financial implications of specific risk scenarios. Executives can then use that information to make decisions, such as prioritizing threat remediations and determining whether security controls are justified.
FAIR struck Khawaja as the "Goldilocks of risk frameworks" -- substantive without being overengineered, overly complex or too academic. "It was practical, and it gave us [at Highmark] a common language on risk," he said.
From gut instinct to data-driven decisions at Highmark Health
After securing stakeholder support and identifying and gathering necessary data inputs, Khawaja's team used a spreadsheet to calculate and track financial loss exposures across specific risk scenarios. The model enabled him to make data-driven decisions rather than relying on instinct.
"In many organizations, security decisions are made from the CISO's gut, which is honed by years or decades of experience," said Khawaja, now field CISO at Databricks, a data intelligence services provider, and a FAIR Institute board member. "FAIR gives us a more sophisticated view: 'Here's what may likely happen, and we'll show you all the math and analysis behind it.'"
That was especially helpful when determining if a business initiative was worth pursuing, he added. "We'd calculate the cyber risk on a yearly basis. If the risk is less than the [anticipated return], then it's a good idea."
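The following Python Monte Carlo simulation is an added illustration of the kind of FAIR calculation described above; it is not the article's, Highmark's or Netflix's own spreadsheet. It uses FAIR's standard factor breakdown (loss event frequency = threat event frequency x vulnerability; loss magnitude = primary + secondary loss), which the article does not spell out, samples each factor from a calibrated min / most-likely / max range, and compares the resulting yearly loss exposure against an anticipated return the way Khawaja describes. All scenario numbers are constructed.

```python
import math
import random
import statistics
# Constructed scenario for illustration; not Highmark's or Netflix's data.
# Each FAIR input is a calibrated estimate: (min, most likely, max).
SCENARIO = {
    "tef": (0.5, 2.0, 6.0),                        # threat events per year
    "vuln": (0.10, 0.25, 0.50),                    # P(threat event becomes a loss event)
    "primary_loss": (50_000, 250_000, 1_000_000),  # per-event response/outage cost, USD
    "secondary_loss": (0, 100_000, 2_000_000),     # per-event fines, churn, legal, USD
}

def sample_tri(rng, estimate):
    """Draw from a triangular distribution given (min, most likely, max)."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)

def poisson(rng, lam):
    """Knuth's method: number of loss events in one year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(scenario, trials=10_000, seed=1):
    """Monte Carlo over the FAIR factors; returns annualized loss statistics."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    annual = []
    for _ in range(trials):
        # FAIR: loss event frequency = threat event frequency x vulnerability
        lef = sample_tri(rng, scenario["tef"]) * sample_tri(rng, scenario["vuln"])
        total = 0.0
        for _ in range(poisson(rng, lef)):
            # FAIR: loss magnitude = primary + secondary loss, drawn per event
            total += sample_tri(rng, scenario["primary_loss"])
            total += sample_tri(rng, scenario["secondary_loss"])
        annual.append(total)
    annual.sort()
    return {
        "mean": statistics.fmean(annual),
        "median": annual[len(annual) // 2],
        "p90": annual[int(0.9 * len(annual))],
        "prob_any_loss": sum(1 for x in annual if x > 0) / len(annual),
    }

def initiative_is_worthwhile(ale, anticipated_return):
    """Khawaja's rule: pursue the initiative if yearly cyber risk < expected return."""
    return ale["mean"] < anticipated_return
```

The returned distribution (mean, median, 90th percentile, probability of any loss in a year) is the probabilistic answer Freund refers to later in the article, as opposed to a single deterministic number.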
FAIR analyses also informed security tool buying decisions and helped Khawaja translate cyber risk issues into terms that top executives understood. "We could actually have a conversation, which the business really appreciates and respects," he said.
Finally, in eliminating the qualitative labels security teams have traditionally ascribed to risk -- e.g., red, yellow and green or high, medium and low -- FAIR also enabled Highmark's team to evaluate risk at scale. "It reduced the time and effort needed to make decisions," Khawaja said. "It made us more efficient and effective, and it reduced the pain."
Hurdles to FAIR adoption
Quantifying cyber risk is not without its challenges, however. Khawaja said it took him and his team time to learn FAIR and to persuade the organization that it was a valuable tool.
"You find a lot of friction happens when onboarding FAIR," said Jack Freund, head of technology risk at Acrisure, a member of the ISACA IT Risk Committee and co-author of the book Measuring and Managing Information Risk: A FAIR Approach. Adoption, he added, requires significant education, training and data gathering, plus some understanding of statistics and a willingness to consider probabilistic -- rather than deterministic -- answers.
"There is a skills and training hump that people have to get over," agreed Ryan Patrick, executive vice president at HITRUST, which provides information risk management and compliance assessments and certifications. "It also takes a cultural change, and like anything else in business, if senior leadership isn't making this a priority or driving the change, then it's doomed to failure."
Slowly and steadily scaling CRQ at Netflix
When Tony Martin-Vegue launched FAIR at Netflix, where he was an information security risk engineer from 2019 to 2025, he had the advantage of strong executive support. Senior managers were unhappy that the data-driven streaming giant still relied on qualitative measurements -- red, yellow or green -- when it came to cyber risk.
"When you have such a huge company and so many technical risks, bucketing into three categories doesn't really help you," said Martin-Vegue, now a security risk consultant and the author of Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification. "The C-suite wanted better decision-making capabilities."
Despite having buy-in from Netflix's senior leadership, Martin-Vegue started slowly, aiming to ease the organization into CRQ. His team began with a single risk assessment, using a spreadsheet and the FAIR model for measurements, analysis and quantification.
"You can't walk in and say 'We're using FAIR now.' It's too much of a leap to ask people to do that," Martin-Vegue said. But, he added, by the time they had completed 15 assessments, everyone on the information security team understood how to consume cyber risk data and interpret FAIR results.
The gradual rollout generated organic internal demand, as security and business leaders witnessed the benefits of having a rigorous, data-driven CRQ program to inform decision-making.
Netflix's FAIR program expanded accordingly, said Martin-Vegue, with additional investments in staff and technology. Risk analysis became continuous, reflecting ongoing changes in business conditions, the IT environment, the threat landscape and security controls. Ultimately, CRQ became embedded across Netflix's daily security operations, as well as board-level governance and budgeting decisions.
Mary K. Pratt is an award-winning freelance journalist with a focus on covering enterprise IT and cybersecurity management.