FAIR Standards Update: New Artifacts and Expanding the Standards Committee


Developing and promoting cyber risk quantification and management (CRQM) standards are tenets of the FAIR Institute’s mission. This investment is driving the development and refinement not only of our standards but of our broader body of knowledge. An example of the latter is our recent white paper, A FAIR Framework for Effective Cyber Risk Management, but this is just the start. Over time, the committee will direct and oversee the creation of additional CRQM standards from the FAIR Institute.

Author Todd Tucker is Managing Director of the FAIR Institute.

Image: FAIR creator Jack Jones introduced the FAIR-CAM standard at the 2022 FAIR Conference.

In this post, I’ll share how the Standards Committee has evolved, how we’ve refined the criteria we use to define a standard, and newly released standard artifacts for the FAIR Model and FAIR-CAM.

Establishing and Evolving the Standards Committee

Over the last year, the way we develop FAIR Institute standards has evolved and matured. First, we established a formal Standards Committee, chaired by FAIR author Jack Jones and supported by the Institute’s Director of Standards and Research, Pankaj Goyal, and myself (as committee secretary). The inaugural committee included voting members Denny Wan (Sydney Chapter Chair for the FAIR Institute), Mike Radigan (Cyber Risk Advisor for Cisco), Alex Holbrook (Principal at BCG), and Michael Coden (Cofounder of Cybersecurity at MIT Sloan).

Over the last few months, we developed and approved the Standards Committee Charter to clarify its role, operations, and members' duties and responsibilities. The committee is pivotal in establishing, maintaining, and evolving the FAIR standards as it oversees standards developed and proposed by working groups. In select instances, it may develop or refine standards artifacts directly.

Today, I’m happy to announce three additional members of the standards committee:

  • Rob Moore, VP of Technology Risk Management for Mastercard
  • Pierre Olodo, Senior Lead Cyber Risk for Richemont
  • Jan Reich, Director of Data Protection & Risk Management for Novartis

We are excited to have them on board and look forward to including their perspectives in our work. It must be noted that all Standards Committee members serve as individual volunteers and do not represent their employers on the Standards Committee; they represent themselves. They base their input and decisions on the experience and knowledge they have gained as risk management professionals and leaders.

Refining the Definition of FAIR Standards

We’re improving our process by formalizing the artifacts that we publish. In the past, the FAIR Institute published numerous documents, videos, and other content covering the topics of the FAIR Model (sometimes called the FAIR Ontology), FAIR-CAM, FAIR-MAM, FAIR-TAM and FAIR-AIR. This was confusing, because some of this content (namely the FAIR Model, FAIR-CAM, and FAIR-MAM) clearly represented a FAIR Institute standard, while other content (e.g., FAIR-TAM and FAIR-AIR) represented best-practice use cases of the FAIR standards.

To address the confusion, we felt it necessary to clarify the criteria by which a piece of knowledge can be proposed and approved as a standard by the FAIR Institute. We’ve settled on the following criteria:

  1. Formalization and Endorsement: Codified and approved by the FAIR Institute Standards Committee.

  2. Foundational Role: Core to the FAIR Cyber Risk Management Framework; enables interoperability or extends upon the FAIR Model.

  3. Repeatability and Consistency: Ensures uniform application across industries and scenarios. Also, changes infrequently, such as once a year or less often.

  4. Prescriptive Guidance: Defines non-negotiable principles and methodologies.

  5. Broad Applicability: Universally relevant to diverse organizations and geographies.

  6. Regulatory and Strategic Alignment: Supports compliance and aligns with the Institute’s vision.

We will apply these criteria going forward. As other content, such as the FAIR-AIR and FAIR-TAM best practices, evolves to meet these criteria, it will become a candidate for a FAIR Institute standard. We are also considering other topics to address, such as cyber risk management program standards, cyber risk scenario definitions, and cyber risk metrics.

Recently Published Standards Artifacts

The Committee now publishes standards as artifacts. These formal documents have been versioned, reviewed, and approved by the Standards Committee. Any substantial changes to standards artifacts will be documented and communicated to the community. (Minor changes, like correcting typos or updating contact information, will not necessarily be communicated.)

I’m pleased to announce two new artifacts have been published:

  • FAIR Model (v3.0): This artifact formally documents the FAIR Institute’s standard for the FAIR Model, sometimes referred to as the FAIR Ontology. This document will help eliminate the confusion caused by having various versions of the model with different terms. Specifically, this latest version uses “Susceptibility” (instead of “Vulnerability”) and “Resistance Strength” (instead of “Difficulty”). It also provides standard abbreviations for all FAIR risk factors.

  • FAIR-Controls Analytics Model (FAIR-CAM) (v1.0): This artifact documents FAIR-CAM, which was described previously in white papers, blog posts, and other media. It provides standard abbreviations for all FAIR-CAM components.

What about FAIR-MAM, you ask? The FAIR-MAM artifact is in process. We anticipate reviewing and approving FAIR-MAM at our next committee meeting in February.

As always, we welcome suggestions and feedback. To reach us about anything standards-related, please email us at Standards@FAIRInstitute.org.
