Inherent risk, likelihood, vulnerability: concepts in everyday use in risk analysis that you think you have down pat. Read these three blog posts and, if you're new to FAIR, we guarantee they will topple your assumptions. If you're already a FAIR practitioner, you'll learn how to plug these foundational concepts into the FAIR model to solve whatever scenarios come your way.
Inherent risk, the level of risk absent any controls, is a widely used starting point for risk analysis, and a wrongly used one, says Jack Jones in this post. Jack explains (with Hannibal Lecter as an example) why the common understanding of inherent risk makes a shaky starting point for analysis. Yet Jack is a fan of the concept, and he shows how the FAIR model can bring it into sharper focus. For more details and examples, see this blog post by Evan Wheeler on applying FAIR to inherent risk.
What's the purpose of a risk assessment? To inform decision makers of "the likelihood that harm will occur," says the National Institute of Standards and Technology's NIST SP 800-30, along with a shelf of other risk standards and foundational texts on risk, which then proceed to wander off into the woods in search of a definition of "likelihood." In this post, Steve Poppe cuts through to the ground truth that "likelihood is a probability and a probability is a number," a definition directly applicable to FAIR analyses.
"Our profession has done a great job confusing ourselves" about vulnerability, Steve Poppe writes, and in information security the definition is especially fuzzy. Steve translates vulnerability, using the FAIR model, into a simple, elegant concept that is usable for calculating a probability.