Why did FAIR™ (Factor Analysis of Information Risk) emerge as the de facto number-one standard model for cyber, technology and operational risk analysis? No other risk model supports defensible quantitative analysis in the financial terms that are increasingly in demand from boards, leaders in government and industry, regulators, auditors and insurance providers. No other counts as many practitioners.
Author Nick Sanna is President of the FAIR Institute.
Consider these ten proof points:
1. 13,000 members of the FAIR Institute
Members come from 134 countries worldwide and close to 50% of the Fortune 1000 are represented.
2. Over 10,000 people have completed the FAIR Fundamentals training course
Learn FAIR with beginner and advanced training through the FAIR Institute.
3. Over 1,200 have passed the OpenFAIR certification exam
They have demonstrated their mastery of the standard risk taxonomy and of the standard risk analysis model.
4. 25 universities are teaching FAIR in academic classes
These include Carnegie Mellon University, Harvard and Macquarie University.
5. FAIR is the only risk model that has been independently evaluated and adopted by a standards organization
FAIR has been vetted and selected as a standard by The Open Group, a global standards organization.
6. The only risk analysis standard extensively licensed for commercial use
More than two dozen vendors have acquired licenses to market FAIR-based products and services.
7. The only true open and defensible standard risk analysis model
FAIR offers protection against ‘black boxes’ and proprietary models that use fuzzy math on ordinal scales or CVSS scores that have proven to be inherently flawed.
8. A holistic analytics model for Cyber, Technology and Operational Risk
A major driver behind the success of FAIR is its neutrality across risk categories, unlike other models that can be applied to only specific categories of risk. FAIR works equally well to quantify loss from ransomware, earthquakes, power failures, human error, and other hazards.
9. Supports Value-at-Risk analyses
When used in conjunction with statistical simulation techniques, FAIR is a true VaR model. VaR models have traditionally been used to quantify the level of financial risk within a firm or investment portfolio over a specific time frame.
10. Complements current controls and risk management frameworks
FAIR is the perfect risk analysis complement to risk management and controls frameworks such as NIST CSF, ISO 31000/2700x, CIS, COSO and HITRUST, providing a consistent risk taxonomy and measurement model.
Learn more: How to Assess Risk Quantitatively for the Major Standards and Frameworks