Precise definitions of the factors that go into an accurate risk analysis – that may be the bottom-line advantage of the FAIR approach. For a great example, take Vulnerability: it is most often loosely defined as "weakness", but FAIR gives it a focussed and more useful meaning: “the probability that a threat event will become a loss event.”
For an explanation, watch this short video.
(And to dig more into Vulnerability in FAIR analysis, read this blog post: What Is Vulnerability?).
The word Vulnerability is used differently in the world of FAIR than it is in the world of security.
But before we can understand Vulnerability, we need to know what Factor Analysis of Information Risk, or FAIR, is.
FAIR decomposes risk into discrete factors to allow for the quantification of information and operational risk. Take a look at where Vulnerability is within the FAIR model.
So what is Vulnerability in FAIR? The FAIR definition of Vulnerability is the probability that a threat event will become a loss event.
What does this mean?
Let’s look at an example; let’s take your house. You notice you have one of the nicer houses on the street. You want to determine what is the risk associated with a burglar breaking into it and stealing your TV.
Well, there are a couple of different parts to this equation: Loss Event Frequency and Loss Magnitude.
The first question is: what is the Loss Event Frequency for our scenario? (We will actually be discussing this in another post.)
So we need to ask the question: what do we know? We know that a break-in has never occurred at your house before.
This means we need to go a little lower in the FAIR model. So, what is our Threat Event Frequency? (Just like Loss Event Frequency, we will discuss this in a future post.) You find out from the local police that there were two attempted break-ins in your neighborhood over the past year.
Great, but that still doesn’t answer the question of how much risk there is.
This is where we need to ask what our Vulnerability is, or in other words, what is the probability that a burglar breaks into your house and steals your TV?
There are a couple of things we need to consider for our scenario in order to answer this question. Your house, which is on a well-lit street, has window and door locks and a state-of-the-art alarm system.
All of these things considered could help reduce how susceptible your house is to a burglar. So, when thinking about Vulnerability in a FAIR analysis think Susceptibility.
Another thing to note for our scenario is that vulnerability is a factor of the burglar’s abilities and the strengths of the locks or alarm system.
So, for our scenario, we could estimate our Vulnerability to be pretty low, maybe around 1-10%.
The only other thing needed in this risk analysis would be the costs associated with the break-in.
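The house scenario up to this point, as an added example that is not from the original post: Vulnerability is estimated by simulating threat events and counting how often the burglar's capability exceeds the house's resistance, then multiplied by the Threat Event Frequency of two attempts per year. The capability and resistance ranges, the 0-100 scale and the triangular distribution are constructed assumptions; the example stops at Loss Event Frequency because the post gives no cost figures.

```python
import random

# Constructed inputs (assumptions, not from the post): (low, most likely, high)
# on a 0-100 scale, where a higher number means a stronger burglar or stronger controls.
BURGLAR_CAPABILITY = (10, 40, 85)
HOUSE_RESISTANCE = (50, 80, 98)   # locks, alarm, well-lit street
THREAT_EVENT_FREQUENCY = 2.0      # attempted break-ins per year, the post's figure


def sample(rng, estimate):
    """Draw one value from a triangular distribution over (low, likely, high)."""
    low, likely, high = estimate
    return rng.triangular(low, high, likely)


def estimate_vulnerability(capability, resistance, trials=100_000, seed=7):
    """Share of simulated threat events in which capability beats resistance."""
    rng = random.Random(seed)
    losses = sum(
        sample(rng, capability) > sample(rng, resistance) for _ in range(trials)
    )
    return losses / trials


def loss_event_frequency(tef, vulnerability):
    """Expected loss events per year: threat events times the chance each succeeds."""
    return tef * vulnerability


if __name__ == "__main__":
    vuln = estimate_vulnerability(BURGLAR_CAPABILITY, HOUSE_RESISTANCE)
    lef = loss_event_frequency(THREAT_EVENT_FREQUENCY, vuln)
    print(f"Vulnerability: {vuln:.1%}")
    print(f"Loss Event Frequency: {lef:.2f} per year (about one every {1 / lef:.0f} years)")
    # Weaker controls raise Vulnerability even though the burglars are unchanged.
    weak = estimate_vulnerability(BURGLAR_CAPABILITY, (20, 45, 70))
    print(f"Vulnerability with weaker controls: {weak:.1%}")
```

With these assumed ranges the simulated Vulnerability lands inside the post's 1-10% estimate; replacing the resistance range is how you would test the effect of adding or removing a control.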
In the real world we most often apply FAIR to cyber security, so instead of locks on your doors think firewalls.
Should you want more information, you can read more about FAIR and cyber risk on our blog.