Complementary to Existing Risk Frameworks
FAIR's risk analysis capabilities complement existing risk management frameworks.
- Risk frameworks from organizations such as NIST, ISO, CERT, ISACA, etc. are useful for defining and assessing risk management programs.
- They all prescribe the need to quantify risk, but for the most part, they leave it up to the practitioners to figure it out.
- Some are silent on the subject of how to compute risk, while others openly allow third-party methods.
- Frameworks such as NIST 800-30 attempt to measure risk, but fall short because they rely on qualitative scales and flawed definitions.
- FAIR helps fill that gap by providing a proven and standard risk quantification methodology that can be leveraged on top of those frameworks.