OCTAVE FORTE and FAIR Connect Cyber Risk Practitioners with the Boardroom

SEI-CERT Brett TuckerOrganizations with a mix of cutting-edge technologies and legacy systems need adaptable, agile frameworks that provide executives with a real-time view of cyber risks. They also need tools and processes to ensure that everyone from executives to practitioners practice sound, consistent risk management.

For more than 20 years, the Software Engineering Institute (SEI) has been using the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) process to assess organizations’ technical risks. The Factor Analysis of Information Risk (FAIR) framework can be used in conjunction with the latest version of OCTAVE to provide a complete qualitative and quantitative picture of organizational risk.

Cyber threats have increased in volume and sophistication; this increase demands that executives gain greater visibility into the nature of the threats, potential impacts, and the options they can use to respond to these threats. Organizations must also manage cybersecurity risk effectively across multiple domains, both technical and non-technical in nature.

The SEI connects technical expertise with executive decision makers using Enterprise Risk Management (ERM) principles, tools, and processes. This connection helps organizations understand and prioritize complex risks while balancing other competing enterprise risks. OCTAVE FORTE (aka FORTE), the latest version of the OCTAVE risk management process, uses ERM techniques to provide a compelling business case for cyber risks. The SEI has recently updated OCTAVE to better meet risk management challenges that organizations face.

Brett Tucker is Technical Manager, Cybersecurity Risk Management, for the Software Engineering Institute at Carnegie Mellon University

FORTE focuses on building an ERM program for organizations with nascent risk management programs or existing programs that need improvement. ERM can drive risk management with a process that spans the lifecycle from identification through closure.

Unlike OCTAVE Allegro, OCTAVE FORTE starts by developing a governance structure that provides advocacy and a boardroom focus for leadership. FORTE embraces steps found in OCTAVE Allegro that enable risk identification, such as developing a risk appetite and identifying high-value assets. More importantly, FORTE embodies practices suggested by standards such as NIST’s Risk Management Framework (RMF), SP 800-37. FORTE also enables leaders to tailor their processes to accommodate new frameworks, tools, and techniques that fit their industry and organization.




FAIR is a practical framework for understanding, measuring, and analyzing information risk, and ultimately, for enabling well-informed decision making. Originally developed by Jack Jones and now a standard of The Open Group, FAIR is a method that can be used with FORTE, especially in Step 5—Analyze the Risk. Although FORTE suggests basic tools for measuring risk, such as a simple appetite statement with a red-yellow-green grading scale, FAIR provides greater opportunity for organizations to improve their risk measurement capabilities, starting with FAIR’s recommended risk taxonomy and the related quantification model.

For example, during Step 5 of the FORTE process, risk managers can facilitate loss event frequency and loss magnitude. FORTE advances the goal of establishing a common lexicon that links the boardroom with the practitioner; FAIR bolsters these concepts, which are important when comparing cyber risks with other enterprise risks.




FAIR risk model

Massive phishing campaigns, for example, could have very high threat event frequency. To respond to this risk, organizational vulnerabilities can be mitigated significantly because executives can be educated to advocate for training and adherence to cyber hygiene policies. Continuing with that example, the FAIR analysis of loss magnitude can enhance the process by identifying secondary risks spawned by a primary risk, which can lead to a cascade of issues that could result in a major disruption of the business.

A primary risk might be an organization identifying the possibility of its employees leaving in great numbers. A secondary risk might be that their departure not only impacts the organization through lost productivity, but also a loss of critical skills and reputation in the job market.

FAIR encourages executives and subject matter experts to calibrate and understand their ability to estimate values. For example, some subject matter experts may be overconfident or biased to think that their organization can withstand the phishing scenario mentioned earlier. However, once presented with data, such as operator surveys and incident data, subject matter experts learn to think carefully about their ability to qualify and quantify risk analyses.

Ultimately, FAIR complements OCTAVE FORTE by enabling practitioners to meaningfully measure an organization’s risks in economic terms, especially in Step 5 of the FORTE process. FAIR’s scoping rigor encourages its users to consider the loss event, the location of the loss event, the nature of the threat, the type of event, and the manner in which the event occurred. Coupled with trained subject matter experts, executive confidence in risk assessments will grow and perpetuate as the organization progresses through FORTE’s remaining steps.

FORTE and FAIR provide a powerful combination that organizations can use to tackle the risks that affect their operations, customers, and future.

Learn from the experts on OCTAVE and FAIR: Attend FAIRCON18 in Pittsburgh, October 16 and 17, 2018, hosted by the FAIR Institute and Carnegie Mellon University’s Software Engineering Institute (SEI) and the Heinz College of Information Systems and Public Policy, 

Learn more:

Standards Groups and Regulators Recognize FAIR 

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37