WHAT IS FAIR?

From a Compliance-based to a Risk-based Approach to Cyber Risk Quantification
and Operational Risk

Organizations are increasingly transitioning to risk-based approaches to information security and operational risk, as compliance to regulations alone provide only a minimum layer of security and fail to adequately protect them.

Information risk has become a business issue, not just a technology issue, as most business processes have digitalized.
Boards of directors and business executives want to understand an organization's loss exposure in financial terms to enable effective decision-making.
Risk and security professionals must become facilitators of the balance between protecting the organization and running the business.

FAIR: A Methodology for Quantifying and Managing Risk in Any Organization

417NjDVYgtL._SX404_BO1204203200_.jpg Factor Analysis of Information Risk (FAIR^TM) is the only international standard quantitative model for information security and operational risk.

FAIR provides a model for understanding, analyzing and quantifying cyber risk and operational risk in financial terms.
It is unlike risk assessment frameworks that focus their output on qualitative color charts or numerical weighted scales.
It builds a foundation for developing a robust approach to information risk management.

An Enterprise Scalable Risk Model

FAIR's risk model components are specifically designed to support risk quantification:

Basic FAIR Model_WEB.png

A standard taxonomy and ontology for information and operational risk.
A framework for establishing data collection criteria.
Measurement scales for risk factors.
A modeling construct for analyzing complex risk scenarios.
Integration into computational engines such as RiskLens for calculating risk.

Also free - a full-size version of the FAIR^TM risk model, available here for download.

The FAIR methodology was conceived as a way to provide meaningful measurements so that it could satisfy management's desire to make effective comparisons and well-informed decisions. FAIR has become the only international standard Value at Risk (VaR) model for cybersecurity and operational risk.

An International Standard by The Open Group

The Open Group has chosen FAIR as the international standard information risk management model. The Open Group has published two standards, O-RT, Risk Taxonomy Standard, and O-RA, Risk Analysis Standard, comprising Open FAIR.

The Open Group is a global consortium that enables the achievement of business objectives through IT standards.
It has more than 500 member organizations including companies such as HP, IBM, Oracle, Accenture, Cap Gemini and MITRE.
Standardization of Open FAIR was achieved following a most rigorous review and comparison with other risk methodologies, and development using an open, consensus standards process.
The Open Group has numerous publications available on Open FAIR, which are available here.
The Open Group accredits Open FAIR training courses and certifies individuals. Details regarding Open FAIR accreditation and certification are available here.

Complementary to Existing Risk Frameworks

FAIR's^TM risk analysis capabilities complement the existing risk management frameworks.

Risk frameworks from organizations such as NIST, ISO, OCTAVE, ISACA, etc. are useful for defining and assessing risk management programs.
They all prescribe the need to quantify risk, but for the most part, they leave it up to the practitioners to figure it out.
Some are silent on the subject of how to compute risk, while others are open in the allowance of 3rd party methods.
Frameworks such as NIST 800-30 attempt to measure risk, but fall short as they rely on qualitative scales and flawed definitions.
FAIR^TMhelps fill that gap by providing a proven and standard risk quantification methodology that can be leveraged on top of those frameworks.