Recognized by the National Institute of Standards and Technology (NIST) and the Payment Card Industry (PCI) Data Security Standard as a standard model for information security and operational risk analysis, and used by risk managers at Hewlett Packard Enterprise, Chevron, and other sophisticated cybersecurity teams, the FAIR model (Factor Analysis of Information Risk) is rapidly catching on among organizations urgently looking for a better way to measure risk and enable well-informed decision-making.
But what exactly can FAIR do for your organization? Here’s a high-level list of benefits:
1. A way to speak about risk in one common language that all can understand
A common issue within the risk profession is the absence of adopted standard definitions for risk terminology. This causes ineffective communication, poor understanding and confusion when discussing risk across an organization. FAIR standardizes risk terminology so any organization can speak in the same language from IT to the board—the language of financial analysis.
The terminology is laid out in a taxonomy that’s logical and easy to grasp; see for yourself with a free download of Chapter 3 of the book Measuring and Managing Information Risk: A FAIR Approach (register for free membership in the FAIR Institute, then go to the Member Resources page).
2. An enterprise scalable risk model
Beyond lacking common risk terminology, organizations also lack a shared analytical model, so risk analysis, and ultimately decision-making, cannot move ahead in a coherent and coordinated way. The FAIR model breaks risk down into discrete factors that can be quantified and then run through the model to produce estimates of risk; those estimates let management choose among competing options based on meaningful measurements of risk rather than intuition.
Run your first FAIR risk analysis with the free FAIR training app called FAIR-U.
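To make the "discrete factors run through the model" concrete, here is an added example (not code from the FAIR Institute or RiskLens) that Monte Carlo-simulates annualized loss from FAIR's top-level factors: Loss Event Frequency, derived as Threat Event Frequency times Vulnerability, and Loss Magnitude per event. The min / most-likely / max calibrations for the scenario are constructed for illustration only.

```python
import math
import random
import statistics

# Constructed, illustrative calibrations (min, most likely, max) for one
# hypothetical scenario; they are not figures from the FAIR Institute.
SCENARIO = {
    "tef": (10, 50, 100),                    # Threat Event Frequency, events/year
    "vuln": (0.05, 0.10, 0.30),              # Vulnerability: P(threat event -> loss event)
    "magnitude": (10_000, 50_000, 500_000),  # Loss Magnitude per loss event, USD
}


def poisson(rng, lam):
    """Knuth's method: number of loss events in one year at expected rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def draw(rng, triple):
    """Sample a calibrated factor from a triangular (min, mode, max) distribution."""
    low, mode, high = triple
    return rng.triangular(low, high, mode)


def simulate(scenario, runs=20_000, seed=7):
    """Return the sorted list of simulated annual losses, one per run."""
    rng = random.Random(seed)
    annual = []
    for _ in range(runs):
        # Loss Event Frequency = Threat Event Frequency x Vulnerability
        lef = draw(rng, scenario["tef"]) * draw(rng, scenario["vuln"])
        events = poisson(rng, lef)
        annual.append(sum(draw(rng, scenario["magnitude"]) for _ in range(events)))
    return sorted(annual)


def summarize(annual):
    """Mean and percentiles of the annual-loss distribution (the FAIR output)."""
    n = len(annual)
    pct = lambda q: annual[int(q * (n - 1))]
    return {"mean": statistics.fmean(annual), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90), "max": annual[-1]}


if __name__ == "__main__":
    for name, value in summarize(simulate(SCENARIO)).items():
        print(f"{name:>5}: ${value:,.0f}")
```

The p10/p50/p90 spread, rather than a single number, is what lets a decision-maker compare a control investment against the loss exposure it is expected to remove.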
3. A value-add to your existing risk management frameworks
The majority of cyber risk frameworks are less methods for risk analysis and more processes for assessing risk. Most frameworks leave out how to compute risk or they encourage use of any method you prefer to calculate risk. Other frameworks such as NIST 800-30 attempt to measure risk, but fall short as they rely on qualitative scales and flawed definitions. FAIR helps fill those gaps by providing a proven and standard risk quantification methodology that can be leveraged on top of those frameworks.
4. A way to manage risk proactively
Your organization already manages risk. The question is whether it is doing so proactively or reactively. In the reactive approach to cyber risk management, organizations make sure they are compliant with a framework like NIST CSF, put controls in place against what they feel are the top risks, and remain reactive in their risk posture because they have little visibility into, or control over, the loss exposure that actually results. To be proactive, companies need specific, quantifiable risk targets to manage against. Making explicit choices based on actionable, easy-to-understand financial risk data greatly increases an organization's chances of improving its risk posture.
Gathering and analyzing this financial data with FAIR solutions such as RiskLens will help you understand your trade-offs between the level of investments you are ready to make and the amount of risk you are willing to accept. Leverage FAIR to approach risk proactively and get ahead of the curve.
Want to learn more about FAIR?
- You can start by becoming a member of the FAIR Institute. Membership is free, courtesy of FAIR Institute sponsors.
- Get FAIR trained and certified through accredited training courses.