If you’re looking to try Factor Analysis of Information Risk (FAIR™) in a lightweight way, these tools and resources will get you started – all of them offered by the FAIR Institute or shared by Institute members, particularly in sessions at the annual FAIR Conference.
1. FAIR Model on a Page
This infographic of the FAIR model shows all the factors for frequency and magnitude of loss events. Your objective will be to fill in quantitative data for the ones relevant to your risk scenario. (This version of the model to the right shows the units of measurement.)
2. Risk scenario builder
Identifying a risk scenario for FAIR analysis (a threat actor impacting an asset, resulting in an effect) is a critical first step. In this video, Institute member Taylor Maze shows how to scope a FAIR scenario with a mind map application.
3. Data finder
To fill in the FAIR factors for frequency and magnitude of loss events, start with readily available industry data. These blog posts, Find Data for Every One of the FAIR Factors by Wade Baker and Shopping for Cyber Loss Data by Allison H. K. Seidel, point you to public sources.
4. SME Interview Record Keeper
To customize the frequency/magnitude data inputs for your organization, you’ll be talking to subject matter experts, and that will require some detailed record-keeping on both the numbers they give you and the rationale for the estimate ranges you set based on your conversations. In these videos, members Robert Immella and Seth Mowbray show and discuss their record-keeping spreadsheets. (Here’s a close-up of Rob’s interview records template.)
5. Risk Analysis Application
Solutions here run from do-it-yourself spreadsheet versions to the enterprise-grade RiskLens Cyber Risk Quantification Platform, but to get a taste of FAIR quantitative risk analysis, we recommend the FAIR Institute’s free FAIR-U web training application, built by RiskLens. It will guide you through the data entry and produce analysis results for one scenario at a time. Unlike do-it-yourself spreadsheets, FAIR-U is guaranteed by the Institute to produce FAIR-compliant results. Take a video tour of FAIR-U.
NOTE: The FAIR-U tool is a great training application in conjunction with FAIR fundamentals training officially approved by the Institute. Learn more about FAIR training and certification.
6. Monte Carlo Simulation Engine
An integral part of FAIR analysis is Monte Carlo simulation to calculate the range of loss exposure (in dollar terms) of the modeled risk scenarios and produce the final results of the analysis. It’s included in FAIR-U.
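To show what such a simulation does with frequency and magnitude ranges, here is a simplified sketch added as an example; it is not FAIR-U's engine or any FAIR Institute code. It assumes triangular distributions over (min, most likely, max) estimates and Poisson-distributed event counts per year, and all input figures are constructed.

```python
import math
import random

def poisson(rng, lam):
    """Draw one year's event count (Knuth's method; assumes a small rate)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def simulate_annual_loss(freq, magnitude, trials=10_000, seed=1):
    """Simulate annual loss in dollars; returns the sorted trial results.

    freq      -- (min, most_likely, max) loss events per year
    magnitude -- (min, most_likely, max) dollars lost per event
    """
    rng = random.Random(seed)  # fixed seed so a run can be reproduced
    f_lo, f_ml, f_hi = freq
    m_lo, m_ml, m_hi = magnitude
    losses = []
    for _ in range(trials):
        rate = rng.triangular(f_lo, f_hi, f_ml)  # this trial's frequency
        events = poisson(rng, rate)              # events in the simulated year
        losses.append(sum(rng.triangular(m_lo, m_hi, m_ml)
                          for _ in range(events)))
    return sorted(losses)

def summarize(losses):
    """Report the range of loss exposure rather than a single number."""
    def pct(p):
        return losses[min(len(losses) - 1, int(p / 100 * len(losses)))]
    return {"p10": pct(10), "p50": pct(50), "p90": pct(90),
            "mean": sum(losses) / len(losses)}

if __name__ == "__main__":
    # Constructed SME-style estimates, for illustration only.
    FREQ = (0.1, 0.5, 2.0)                    # loss events per year
    MAGNITUDE = (50_000, 200_000, 1_500_000)  # dollars per event
    for name, value in summarize(simulate_annual_loss(FREQ, MAGNITUDE)).items():
        print(f"{name}: ${value:,.0f}")
```

Years with zero events contribute a loss of $0, which is why the low percentiles can sit at zero while the 90th percentile is large.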
7. Risk Analysis QA Cheat Sheet
Time for a reality check. Take five to 10 minutes to follow the steps in this FAIR analysis QA sheet to make sure the reporting is consistent with what you heard from the SMEs and falls in ranges that sound reasonable based on your organization’s past experiences and data.