Can you say which is the most valuable control in your cybersecurity program? The least valuable? Why are those questions for the cybersecurity and risk management professions to answer? We have frameworks that list recommended controls but provide no insight into the effectiveness of those controls for risk reduction, either on their own or as a system. It’s like practicing medicine based on anatomy – an inventory of body parts – without physiology, the knowledge of how they work together.
The FAIR Controls Analytics Model™ (FAIR-CAM™) control “physiology”:
*Must be an active FAIR Institute Contributing Member with to view and download.*
Become a FAIR Institute Member
The FAIR-CAM™ controls model was created by Jack Jones, the author of Factor Analysis of Information Risk (FAIR), the international standard for quantification of cyber and technology risk. The FAIR-CAM™ model is an extension of the FAIR standard that documents how controls physiology functions by describing how controls affect the frequency and magnitude of loss events. The FAIR-CAM™ model accounts for controls both with direct and indirect effects on risk, yielding a complete system view.
1. Unprecedented clarity and insights into the controls environment
2. Simplified and improved reliability of FAIR risk analysis
3. Reliable, defensible support for decisions to invest in, or eliminate, controls
With the FAIR-CAM™ model, the effect of each control on risk can be measured based on a specific unit (for instance frequency, probability, or time) as opposed to subjective ordinal values like "1-through-5" or "red/yellow/green." The result is an understanding of controls and control systems based on empirical measurements.
*Must be an active FAIR Institute Member to view.* Become a FAIR Institute Member
The FAIR Institute's FAIR-CAM™ User Workgroup is an incubator for practical use cases in applying FAIR-CAM™ as a Diagnostic Tool to expose the root cause of control variance and decision gaps. These insights are used to inform the uplift in the design of Loss Event Controls. The workgroup is a supportive environment for members to work on and publish their research while being reviewed by Institute leaders.
The FAIR-CAM™ model can readily be leveraged to make better use of existing control frameworks. Expert workgroups convened by the FAIR Institute have mapped, or are in the process of mapping the FAIR-CAM™ model to:
Work is being scheduled to map other common frameworks to the FAIR-CAM™ model.
When combined with a well-defined control “anatomy-like” framework and solid risk measurement using FAIR, the FAIR-CAM™ model will improve an organization’s ability to focus on the controls that matter most, significantly reducing the odds of cybersecurity loss events and wasted resources.
*Must be an active FAIR Institute Contributing Member to view and download.*
Q: How does FAIR-CAM™ differ from FAIR?
A: FAIR is a model for measuring risk, whereas FAIR-CAM™ is a model that describes how controls affect risk. It doesn’t change how you measure risk. You should think of this as an extension of the FAIR model, which provides the means to more easily and reliably account for risk management controls when performing a FAIR analysis.
Q: What’s the need for FAIR-CAM™?
A: We tend to treat controls as if they operate independently and in isolation. For example, when an audit or vulnerability scan finds that a patch is missing from a system, we tend to rate the severity of that condition as if it’s the only element that’s in play. In fact, there can be many other controls in place that minimize or maximize the relevance of that missing patch.
For that matter, even if a control is currently operating as intended, how reliable is it, and is it providing enough risk reduction value to warrant its cost?
None of the security assessment methods used in the industry today consider the many factors that affect a control deficiency’s significance, which makes their results inherently unreliable.
Q: Is it necessary for me to use an application like RiskLens to use the model?
A: RiskLens has begun integrating the FAIR-CAM™ model analytics into its platform. That said, although leveraging a technology like RiskLens will make it easier to apply FAIR-CAM™ in an enterprise-scalable way, there isn’t anything about FAIR-CAM™ that prevents its use for analyses in spreadsheets or even on a whiteboard.
Q: Do I need the permission of the FAIR Institute to use FAIR-CAM™?
A: The FAIR-CAM™ model is intended to serve as an international standard for controls physiology. In order to support this objective this work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/ licenses/by- nc-nd/4.0/legalcode). To further clarify the Creative Commons license related to FAIR-CAM content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization, for non-commercial purposes only, provided that (i) appropriate credit is given to the FAIR Institute, and (ii) a link to the license is provided. Additionally, if you remix, transform, or build upon the FAIR Controls Analytics Model, you may not distribute the modified materials. Users of FAIR-CAM are also required to refer to (http://www.fairinstitute.org/FAIR- CAM/) when referring to the model in order to ensure that users are employing the most up-to-date guidance. Commercial use of FAIR-CAM is subject to the prior approval of the FAIR Institute.