Automating FAIR™

Promise and Problems of Automating FAIR

FAIR™ (Factor Analysis of Information Risk) has revolutionized the practice of cyber risk analysis. With the power of cyber risk quantification (CRQ), CISOs and other security and risk management leaders can communicate to the business in the financial terms the business best understands.

But many organizations have held back from implementing CRQ, uncertain how to clear these barriers:

  • Staffing a dedicated analytics team with special skills in FAIR techniques
  • Scaling – Keeping up with rapid changes in the threat landscape and attack surface – particularly making sense of the flood of data from telemetry
  • Timeliness – Analysts producing “point-in-time” assessments that don’t keep up with the rapid-reaction needs of decision-makers

Thanks to advancements in cybersecurity applications, the promise of easy-to-use, flexible, real-time CRQ can be fulfilled through automation – but only if we get it right.

“With automation, inaccuracy is often replicated at scale, exponentially increasing its negative effects.  So, when we automate, we need to do so carefully.”  --Jack Jones, Author of FAIR

What Is FAIR Automation?

The ideal FAIR automated system would ingest threat data up to the minute, actively monitor the status of controls and assets at risk and pull in the latest loss data from trusted vendors of industry statistics and from the organization’s own logs.

Based on those inputs, the system would deliver automated, on-demand FAIR analysis that quantifies the probable frequency of cyber events and probable magnitude of losses – in the dollar terms that drive business decisions.


Benefits of Automating FAIR

  • Rapid prioritization for cybersecurity spending projects based on return on investment for risk reduction.
  • Quick identification and reporting on material risks to the board and regulators – meet the SEC’s 4-day risk disclosure rule.
  • Streamline security operations – consolidate tools and staff to focus on the risks that matter most, when they most matter.


AI vs. Automation in Cyber Risk Analysis: What’s the Difference?

Both play a role in rapid delivery of quantitative risk analysis. Artificial intelligence (AI) can be a vital tool to aggregate signals and data from across the attack surface and generate reporting, complementing automated FAIR analysis. A technical difference: In AI, the analytics model is learned through training on data, as opposed to a designed model such as FAIR.


The 3 Must-Haves to Do FAIR Automation Right

A clear scope of what’s being measured — the assets at risk, the relevant threats, the type of event (outage, data compromise, fraud, etc.) that together inform the creation of a risk scenario that can be analyzed in FAIR terms. If the scope is off, the analysis fails; ideally, an automated system would pre-define scenarios to control for errors.

The FAIR™ model – FAIR sets the parameters needed to perform the analysis, and how data are used to generate a result. But as FAIR creator Jack Jones has written, the FAIR model by itself “does not fully support automation” because it doesn’t account for how controls affect risk; a complete automated solution also requires the FAIR Controls Analytics Model (FAIR-CAM™). Learn about FAIR-CAM.

Data. We have more data for cybersecurity than ever before from threat intel, vulnerability scans, SIEM reporting, endpoints and many more forms of telemetry. The data challenge for FAIR automation is aggregating data into a coherent view. 


FAIR Model Pic

Video: Jack Jones Keynote on “The Future of Risk Analysis in an AI and Automation World”