Quiz Entry - updated: 2026.05.31
What does a FAIR-style risk report for a real organisation look like, and what does it answer?
A one-page card per risk: scenario description, owner, value-at-risk in CHF (distribution, not point), affected business unit, mitigation status, and the strategy chosen.
The Swisscom case study (published in ISACA Journal 2020 about a "Customer Portal Data Breach" scenario) shows the format:
Top of report — quantitative results:
- Distribution of Losses histogram (e.g. min CHF 38k, most-likely CHF 195k, 90th percentile CHF 549k, max CHF 904k)
- Annualised Loss Exceedance curve
- Per-event Primary and Secondary loss breakdowns
- Vulnerability %
Bottom — narrative + treatment:
- Risk scenario description (e.g. "data breach due to weak authentication — potential DSG/FMG violation")
- Risk Owner (Product Owner) and Security Responsible (Security Officer)
- Status of mitigations (Monitoring, throttling, identity management)
- Risk mitigation strategy chosen (Avoid / Reduce / Transfer / Accept)
- Bar chart: Current Risk vs Residual Risk after IT investment (e.g. CHF 800k → CHF 320k via CHF 120k investment = CHF 480k average risk reduction)
Why this format: it answers the executive's only question — "how much CHF will this cost us, and how much does the proposed control buy us?" — in one page.