The FAIR Institute Blog

How the FAIR CRM Framework Builds On and Complements Open FAIR™

Written by Todd Tucker | May 29, 2025 11:59:57 AM

As cyber risk management matures, organizations face multiple standards and frameworks that build upon the foundational FAIR Model. Two of the most recognized approaches are the Open FAIR™ standards maintained by The Open Group and the FAIR Cyber Risk Management (CRM) Framework developed by the FAIR Institute.

Todd Tucker is Managing Director of the FAIR Institute

Both frameworks trace their lineage to the original FAIR Model created by Jack Jones in the early 2000s. While Open FAIR formalized the model through the O-RT (Risk Taxonomy) and O-RA (Risk Analysis) standards, the FAIR CRM Framework extends upon the FAIR Model to address broader programmatic, operational, and decision-making needs. This blog post compares their respective contributions, clarifies how they align and differ, and explains why they remain complementary rather than competitive.

Core Alignment: A Shared Foundation

The FAIR CRM Framework and Open FAIR are built on the same core ontology for risk analysis. They distinguish between loss event frequency and loss magnitude, define risk as a function of both, and include the six classical forms of loss.

The key semantic difference lies in terminology: the FAIR Model v3.0 (used in the CRM Framework) uses the term “Susceptibility,” while O-RT uses “Vulnerability.” We chose that term to avoid confusion with the narrower, technical meaning that “vulnerability” usually carries in cybersecurity circles. Otherwise, the models are materially identical.

Treatment of Controls: FAIR-CAM Adds Structure and Depth

Open FAIR recognizes four categories of control influence:

  1. Avoidance Controls – Reduce the frequency or probability of threat agents contacting assets.
  2. Deterrent Controls – Reduce the probability that contact becomes a threat event.
  3. Vulnerability Controls – Affect the likelihood that a threat event becomes a loss event, typically by increasing resistance strength.
  4. Responsive Controls – Limit loss magnitude by reducing primary and secondary losses.
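The shared frequency-and-magnitude ontology above, with each of the four Open FAIR control categories acting on the factor it targets, as an added Monte Carlo example (not code from the FAIR Institute or The Open Group): the scenario's contact frequency, threat-event probability, susceptibility and triangular loss magnitude are constructed values, and modelling each control as a plain fractional reduction of its factor is an assumption for illustration, not something the standards prescribe.

```python
import math, random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:  # FAIR factors for one loss scenario (all values constructed for illustration)
    contact_freq: float    # expected threat-agent contacts with the asset per year
    p_threat_event: float  # probability that a contact becomes a threat event
    susceptibility: float  # probability a threat event becomes a loss event ("Vulnerability" in O-RT)
    loss_magnitude: tuple  # (min, mode, max) of a triangular loss-per-event distribution

@dataclass(frozen=True)
class Controls:  # effectiveness of the four Open FAIR control categories, as fractional reductions (0..1)
    avoidance: float = 0.0      # lowers contact frequency
    deterrent: float = 0.0      # lowers p(contact -> threat event)
    vulnerability: float = 0.0  # lowers susceptibility (resistance strength goes up)
    responsive: float = 0.0     # lowers loss magnitude

def apply_controls(s: Scenario, c: Controls) -> Scenario:
    """Scale each FAIR factor by the control category that acts on it (assumed multiplicative model)."""
    return replace(s, contact_freq=s.contact_freq * (1 - c.avoidance),
                   p_threat_event=s.p_threat_event * (1 - c.deterrent),
                   susceptibility=s.susceptibility * (1 - c.vulnerability),
                   loss_magnitude=tuple(v * (1 - c.responsive) for v in s.loss_magnitude))

def poisson(rng: random.Random, lam: float) -> int:
    limit, k, p = math.exp(-lam), 0, 1.0  # Knuth's sampler; fine for small annual rates
    while True:
        p *= rng.random()
        if p < limit: return k
        k += 1

def simulate_annual_losses(s: Scenario, years: int = 10_000, seed: int = 1) -> list:
    """Monte Carlo: per simulated year, contacts -> threat events -> loss events -> summed loss."""
    rng, losses, (lo, mode, hi) = random.Random(seed), [], s.loss_magnitude
    for _ in range(years):
        contacts = poisson(rng, s.contact_freq)
        threat_events = sum(rng.random() < s.p_threat_event for _ in range(contacts))
        loss_events = sum(rng.random() < s.susceptibility for _ in range(threat_events))
        losses.append(sum(rng.triangular(lo, hi, mode) for _ in range(loss_events)))
    return losses

def summarize(losses: list, threshold: float) -> dict:
    """Annualized loss expectancy and the probability that a year's loss exceeds the threshold."""
    return {"ale": sum(losses) / len(losses), "p_exceed": sum(x > threshold for x in losses) / len(losses)}

if __name__ == "__main__":
    base = Scenario(4.0, 0.5, 0.3, (10_000, 50_000, 400_000))
    treated = apply_controls(base, Controls(avoidance=0.25, deterrent=0.2, vulnerability=0.5, responsive=0.3))
    for name, sc in (("no controls", base), ("with controls", treated)):
        print(name, summarize(simulate_annual_losses(sc), 250_000))
```

With the constructed inputs, the untreated loss event frequency is 0.6 per year against a mean loss of about 153,000 per event, so the simulated ALE should land near 92,000; the treated scenario drops to roughly 19,000.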

While conceptually useful, these categories do not systematically decompose how controls function (beyond their basic effects on the Open FAIR model) or interact with one another.

The FAIR Controls Analytics Model (FAIR-CAM), part of the FAIR CRM Framework, defines a more comprehensive and operationalized control model. It organizes controls into a hierarchy split across three functional domains:

  • Loss Event Controls (LEC) – Controls that directly influence the frequency and magnitude of loss events, grouped into prevention, detection, and response functions.
  • Variance Management Controls (VMC) – Controls that help ensure other controls operate consistently, addressing variance prevention, identification, and correction.
  • Decision Support Controls (DSC) – Controls that affect the quality and alignment of decisions about risk, including expectations, incentives, and feedback mechanisms.

FAIR-CAM defines, in total, nearly two dozen controls and control components (e.g., Data, Analysis Model). This model's detail and depth enable scenario-level quantification of control performance, supporting dependency analysis, deficiency root cause analysis, and investment prioritization.

Treatment of Loss Magnitude: FAIR-MAM Brings Materiality Context

Open FAIR and the FAIR Model v3.0 both recognize six canonical forms of loss. The FAIR CRM Framework expands this through the FAIR Materiality Assessment Model (FAIR-MAM). FAIR-MAM was introduced to meet the increasing need for quantifiable, standardized assessments of the financial impact of cybersecurity incidents, especially as regulatory expectations evolve following the SEC Cybersecurity Disclosure rule in 2023. 

FAIR-MAM introduces:

  • Ten categories and twenty-six subcategories of loss.
  • Integration with financial, legal, and regulatory domains.
  • A structure for estimating materiality under SEC and other disclosure rules.

This added granularity improves business impact assessments and supports alignment with regulatory expectations for cyber risk reporting. FAIR-MAM can be used both reactively when there has been a cybersecurity event and proactively when performing cyber risk assessments and quantification.

Scenario Definition: FAIR-CRS Standardizes Scenario Structure

While Open FAIR describes the need for well-scoped scenarios, it does not include a prescriptive taxonomy for scenario definition. O-RA comes close when describing the first stage of analysis (identify the loss scenario) by decomposing loss scenarios into Threat, Asset, Observable Loss Event, Direct Consequences, and Reaction from Others. 

The FAIR CRM Framework introduces FAIR-CRS, the Cyber Risk Scenario taxonomy, which structures scenarios using four defining elements:

  • Threat: anything or anyone capable of acting against an asset in a manner that can result in loss;
  • Asset: anything of meaningful business value that can be affected in a manner that results in loss;
  • Method: specific attack vector used to access or affect the asset; and
  • Effect: the type of loss (both primary and secondary) expected to materialize from a threat actor attacking a specific asset.

The FAIR-CRS taxonomy provides specific examples for each defining element, offering a level of detail not found in Open FAIR. The other significant difference is FAIR-CRS’s inclusion of Method as a defining element.

This structure enhances consistency and clarity in scenario construction, ensuring alignment with downstream quantification activities, including FAIR-MAM and FAIR-CAM.

Operationalization: CRMS and CRMP Support Program Integration

There are two additional components of the FAIR CRM Framework that are being further defined by the FAIR Institute, which are beyond the scope of Open FAIR: the cyber risk management system (CRMS) and the cyber risk management program (CRMP).

A CRMS operationalizes the FAIR CRM Framework by centralizing data, workflows, and analysis into a single, scalable platform. Depending on its design, it supports a data-driven approach by integrating live feeds from threat intelligence, vulnerability management, and other sources to update risk models on a continuous or near-continuous basis. The CRMS automates risk assessment activities, such as dynamically monitoring changes to FAIR factors and connecting components of the FAIR CRM Framework, such as FAIR-CAM and FAIR-MAM, to ensure effective control evaluation and materiality assessment. By streamlining risk management processes, a CRMS is designed to make FAIR-based cyber risk management more efficient, consistent, and actionable. In the coming months, we will publish more on this topic, including our view on the key capabilities needed for a modern CRMS.

Our forthcoming CRMP standard will provide a structured, comprehensive approach for building and managing cyber risk programs, moving beyond the ad hoc and reactive practices common today. It will harmonize existing authoritative guidance, regulations, and standards to help organizations meet the expectations of stakeholders and regulators. The CRMP standard will help boards and executives improve their oversight of cyber risks effectively, while allowing programs to be tailored to each organization’s unique needs. It will also serve as a practical guide for operationalizing cyber risk management, driving informed decision-making and resilience in a rapidly evolving threat landscape.

What Constitutes a FAIR Institute Standard?

As you can see, the FAIR CRM Framework includes the FAIR Institute’s standards, but is not necessarily limited to them. However, this raises the question: what qualifies as a FAIR Institute standard versus, say, a guide?

Our standards committee comprises ten professionals, including cyber risk management practitioners, advisors, and FAIR Institute staff (myself included). We have agreed to the following criteria for what the Institute may publish as a standard:

  • Formalization and Endorsement: The knowledge is codified and approved by the FAIR Institute Standards Committee.
  • Foundational Role: It is core to the FAIR Cyber Risk Management Framework, enables interoperability, or extends upon the framework.
  • Repeatability and Consistency: It ensures uniform application across industries and scenarios and changes infrequently, such as once a year or less often.
  • Prescriptive Guidance: It defines non-negotiable principles and methodologies, although it may include negotiable elements.
  • Broad Applicability: It is universally relevant to diverse organizations and geographies.
  • Regulatory and Strategic Alignment: It supports compliance and aligns with the Institute’s vision.

Current standards include FAIR Model v3.0, FAIR-CAM v1.0, and FAIR-MAM. The FAIR Cyber Risk Scenario taxonomy and the CRMP proposed standard are progressing through the development and review processes.

Complementary, Not Competitive

The FAIR CRM Framework is not a replacement for Open FAIR. The FAIR Institute continues to extend the FAIR Model with standards that improve analysis, materiality assessment, control evaluation, and enterprise program design. These extensions honor the same foundational logic of Open FAIR while enabling broader adoption and operational maturity. (We continue to offer on-demand Open FAIR training.)

Organizations benefit from understanding both approaches and using them together. The result is a comprehensive, complementary ecosystem of standards for modern cyber risk management, grounded in a shared model and adapted to the evolving needs of business and regulators alike.
