The FAIR Controls
Analytics ModelTM

Measure The Value of Controls

Can you say which is the most valuable control in your cybersecurity program? The least valuable? Why are those questions for the cybersecurity and risk management professions difficult to answer? We have frameworks that list recommended controls but provide no insight into the effectiveness of those controls for risk reduction, either on their own or as a system. It’s like practicing medicine based on anatomy – an inventory of body parts – without physiology, the knowledge of how they work together.

The FAIR Controls Analytics Model™ (FAIR-CAM™), i.e. control “physiology”:

  • Enables empirical measurement of control efficacy and value
  • Accounts for individual control functionality as well as systemic effects
  • More effectively leverages cybersecurity telemetry


FAIR-CAM™ was created by Jack Jones, the author of FAIR™, the international standard for quantification of cyber and technology risk. FAIR-CAM™ is an extension of the FAIR standard that documents how controls physiology functions by describing how controls affect the frequency and magnitude of loss events. The FAIR-CAM™ model accounts for controls both with direct and indirect effects on risk, yielding a complete system view.

With FAIR-CAM™, the effect of each control on risk can be measured based on a specific unit (for instance frequency, probability, or time) as opposed to subjective ordinal values like "1-through-5" or "red/yellow/green." The result is an understanding of controls and control systems based on empirical measurements.

image 67

FAIR-CAM™ Complements Popular Control Frameworks from NIST, ISO, CIS and More

The FAIR-CAM™ model can readily be leveraged to make better use of existing control frameworks. Expert workgroups convened by the FAIR Institute have mapped, or are in the process of mapping the FAIR-CAM™ model to:

  • NIST 800-53
  • CIS Controls
  • ISO 2700

Work is being scheduled to map other common frameworks to the FAIR-CAM™ model.When combined with a well-defined control “anatomy-like” framework and solid risk measurement using FAIR, the FAIR-CAM™ model will improve an organization’s ability to focus on the controls that matter most, significantly reducing the odds of cybersecurity loss events and wasted resources.

Learn More


Must be a Contributing Member to view and download the white paper