Factor Analysis of Information Risk (FAIR) - Revision history

User at 13:50, 22 December 2022

2022-12-22T13:50:13Z

User at 12:53, 11 November 2022

2022-11-11T12:53:28Z

User: The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

2021-02-06T15:51:00Z

The LinkTitles extension automatically added links to existing pages (https://github.com/bovender/LinkTitles).

User at 18:38, 18 December 2019

2019-12-18T18:38:53Z

User at 18:34, 18 December 2019

2019-12-18T18:34:42Z

User at 16:51, 18 December 2019

2019-12-18T16:51:22Z

User at 16:21, 18 December 2019

2019-12-18T16:21:22Z

User at 21:16, 17 December 2019

2019-12-17T21:16:20Z

User at 20:43, 17 December 2019

2019-12-17T20:43:47Z

User at 19:56, 17 December 2019

2019-12-17T19:56:17Z

@@ Line 16: / Line 16: @@
 FAIR's main document is "An Introduction to Factor Analysis of Information Risk (FAIR)", [[Risk Management]] Insight LLC, November 2006;
-The contents of this white paper and the FAIR [[framework]] itself are released under the Creative Commons [[Attribution]]-Noncommercial-Share Alike 2.5 license. The document first defines what risk is. The Risk and [[Risk Analysis]] section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting [[taxonomy]] describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.
+The contents of this white paper and the FAIR [[framework]] itself are released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 license. The document first defines what risk is. The Risk and [[Risk Analysis]] section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.
-The Controls section briefly introduces the three dimensions of a controls landscape. Measuring Risk briefly discusses [[measurement]] concepts and challenges, and then provides a high-level discussion of risk factor measurements.
+The Controls section briefly introduces the three dimensions of a controls landscape. Measuring Risk briefly discusses measurement concepts and challenges, and then provides a high-level discussion of risk factor measurements.
 '''Components of the FAIR Framework<ref>Components of the FAIR Framework [ftp://mail.im.tku.edu.tw/Prof_Liang/IRM/10%20An%20Introduction%20to%20Factor%20Analysis%20of%20Information%20Risk.pdf Jack A. Jones]</ref>'''<br />
 The FAIR framework contains four primary components – threats, assets, the organization itself, and the external environment. Everything within a scenario falls into one of these categories, and each has attributes, or factors, that contribute positively or negatively to risk.
-*Threats:  threats are anything (e.g., object, substance, human, etc.) that are capable of acting against an [[asset]] in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur. Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, [[computer]] operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a [[data]] cable.
+*Threats:  threats are anything (e.g., object, substance, human, etc.) that are capable of acting against an [[asset]] in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur. Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable.
-*Assets: Assets Within the [[Information Risk Management (IRM)|information risk]] landscape, we can define Asset as any [[Data|data]], [[device]], or other component of the environment that supports information-related activities, and which can be affected in a manner that results in loss. Assets have characteristics related to [[value]], [[liability]], and controls strength that represent [[Risk Analysis|risk factors]].
+*Assets: Assets Within the [[Information Risk Management (IRM)|information risk]] landscape, we can define Asset as any data, device, or other component of the environment that supports information-related activities, and which can be affected in a manner that results in loss. Assets have characteristics related to value, [[liability]], and controls strength that represent [[Risk Analysis|risk factors]].
 *The Organization: Risk exists within the context of an organization or entity. In other words, harm to assets affects one or more of the [[Organization|organization’s]] [[Value Proposition|value propositions]]. It is the organization that loses resources or the ability to operate. Characteristics of the organization also can serve to attract the attention of certain threat communities, which may increase the frequency of events.
-*The [[External Environment]]: The environment in which an organization operates plays a significant role in risk. Various external characteristics, such as the regulatory landscape, competition within the [[industry]], etc., all help to drive the probability of loss.
+*The [[External Environment]]: The environment in which an organization operates plays a significant role in risk. Various external characteristics, such as the regulatory landscape, competition within the industry, etc., all help to drive the probability of loss.

@@ Line 47: / Line 47: @@
 ===See Also===
-[[IT_Governance|IT Governance]]<br />
+*[[IT Governance]]
-[[ITIL_(Information_Technology_Infrastructure_Library)|ITIL]]<br />
+*[[ITIL_(Information_Technology_Infrastructure_Library)|ITIL]]
-[[Val_IT_Framework|Val IT]]<br />
+*[[Val_IT_Framework|Val IT]]
-[[Risk_IT_Framework|Risk IT]]<br />
+*[[Risk_IT_Framework|Risk IT]]
-[[OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)]]<br />
+*[[OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)]]
-[[COBIT (Control Objectives for Information and Related Technology)]]<br />
+*[[COBIT (Control Objectives for Information and Related Technology)]]
-[[Business_Model_for_Information_Security_(BMIS)|Business Model for Information Security (BMIS)]]<br />
+*[[Business_Model_for_Information_Security_(BMIS)|Business Model for Information Security (BMIS)]]
-[[Committee_of_Sponsoring_Organizations_of_the_Treadway_Commission_(COSO)|COSO]]<br />
+*[[Committee_of_Sponsoring_Organizations_of_the_Treadway_Commission_(COSO)|COSO]]
-[[Capability_Maturity_Model_Integration_(CMMI)|CMMI]]<br />
+*[[Capability_Maturity_Model_Integration_(CMMI)|CMMI]]
-[[IT_Assurance_Framework_(ITAF)|IT Assurance Framework (ITAF)]]<br />
+*[[IT Assurance Framework (ITAF)]]
-[[IT_Governance_Framework|IT Governance Framework]]<br />
+*[[IT Governance Framework]]
-[[ICT_Investment_Framework|ICT Investment Framework]]<br />
+*[[ICT_Investment_Framework|ICT Investment Framework]]
-[[IT_Investment_Management_Framework_(ITIM)|Information Technology Investment Management (ITIM)]]<br />
+*[[The Open Group Architecture Framework (TOGAF)|The Open Group Architecture Framework (TOGAF®)]]
 ===References===
 <references/>

@@ Line 1: / Line 1: @@
-'''Factor Analysis of Information Risk (FAIR)'''is a model that is based on the factors that contribute to [[Risk|risk]] and how each of them affects each other. It is a [[Risk Management Framework (RMF)|risk management framework]] that complies with the international standards, that aims to help organizations [[Information Risk Management (IRM)|understand, analyze and measure the information risk]].  FAIR is a standard [[Value at Risk|Value at Risk (VaR) framework]] that targets [[Cyber Security|cybersecurity]] and operational risk. It provides the standards and best practices that enable organizations to measure, manage and report on information risk from the business perspective to the [[Stakeholder|stakeholders]] such as information risk, cybersecurity, and business executives.<ref>Definition - What does Factor Analysis of Information Risk (FAIR) Mean? [https://www.cuelogic.com/blog/cybersecurity-frameworks Curlogic]</ref>
+'''Factor Analysis of Information [[Risk]] (FAIR)'''is a [[model]] that is based on the factors that contribute to [[Risk|risk]] and how each of them affects each other. It is a [[Risk Management Framework (RMF)|risk management framework]] that complies with the international standards, that aims to help organizations [[Information Risk Management (IRM)|understand, analyze and measure the information risk]].  FAIR is a [[standard]] [[Value at Risk|Value at Risk (VaR) framework]] that targets [[Cyber Security|cybersecurity]] and operational risk. It provides the standards and best practices that enable organizations to measure, manage and report on information risk from the [[business]] perspective to the [[Stakeholder|stakeholders]] such as information risk, cybersecurity, and business executives.<ref>Definition - What does Factor Analysis of Information Risk (FAIR) Mean? [https://www.cuelogic.com/blog/cybersecurity-frameworks Curlogic]</ref>
-FAIR is a methodology for Quantifying and Managing Risk in Any [[Organization]]. It is the only international standard quantitative model for cyber security risk.
+FAIR is a [[methodology]] for Quantifying and Managing Risk in Any [[Organization]]. It is the only international standard quantitative model for cyber security risk.
 *Provides a model for understanding, analyzing and quantifying cyber risk in financial terms
-*Unlike [[Risk Assessment Framework (RAF)|risk assessment frameworks]] that focus their output on qualitative color charts or numerical weighted scales
+*Unlike [[Risk Assessment Framework (RAF)|risk assessment frameworks]] that focus their [[output]] on qualitative color charts or numerical weighted scales
 *Builds a foundation for developing a scientific approach to [[Information Risk Management (IRM)|information risk management]]
 *The OpenFAIR standard is maintained by The Open Group, a global consortium that enables the achievement of [[Business Objective|business objectives]] through [[IT Standard (Information Technology Standard)|IT standards]]<ref>What is Factor Analysis of Information Risk (FAIR)? [https://www.risklens.com/why-risklens/built-on-the-fair-standard/ Risklens]</ref>
@@ Line 11: / Line 11: @@
 '''FAIR Adoption and Documentation<ref>FAIR Adoption and Documentation [https://en.wikipedia.org/wiki/Factor_analysis_of_information_risk Wikipedia]</ref>'''<br />
-As a standards body, The Open Group aims to evangelize the use of FAIR within the context of these risk assessment or management frameworks.
+As a standards body, The Open Group aims to evangelize the use of FAIR within the context of these risk assessment or [[management]] frameworks.
 ISACA cites FAIR and its concepts in its [[Risk IT Framework]] that extends COBIT.
 The Build Security In initiative of the United States Department of Homeland Security cites FAIR.
-FAIR's main document is "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006;
+FAIR's main document is "An Introduction to Factor Analysis of Information Risk (FAIR)", [[Risk Management]] Insight LLC, November 2006;
-The contents of this white paper and the FAIR framework itself are released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 license. The document first defines what risk is. The Risk and [[Risk Analysis]] section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.
+The contents of this white paper and the FAIR [[framework]] itself are released under the Creative Commons [[Attribution]]-Noncommercial-Share Alike 2.5 license. The document first defines what risk is. The Risk and [[Risk Analysis]] section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting [[taxonomy]] describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.
-The Controls section briefly introduces the three dimensions of a controls landscape. Measuring Risk briefly discusses measurement concepts and challenges, and then provides a high-level discussion of risk factor measurements.
+The Controls section briefly introduces the three dimensions of a controls landscape. Measuring Risk briefly discusses [[measurement]] concepts and challenges, and then provides a high-level discussion of risk factor measurements.
 '''Components of the FAIR Framework<ref>Components of the FAIR Framework [ftp://mail.im.tku.edu.tw/Prof_Liang/IRM/10%20An%20Introduction%20to%20Factor%20Analysis%20of%20Information%20Risk.pdf Jack A. Jones]</ref>'''<br />
 The FAIR framework contains four primary components – threats, assets, the organization itself, and the external environment. Everything within a scenario falls into one of these categories, and each has attributes, or factors, that contribute positively or negatively to risk.
-*Threats:  threats are anything (e.g., object, substance, human, etc.) that are capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur. Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable.
+*Threats:  threats are anything (e.g., object, substance, human, etc.) that are capable of acting against an [[asset]] in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur. Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, [[computer]] operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a [[data]] cable.
-*Assets: Assets Within the [[Information Risk Management (IRM)|information risk]] landscape, we can define Asset as any [[Data|data]], device, or other component of the environment that supports information-related activities, and which can be affected in a manner that results in loss. Assets have characteristics related to value, liability, and controls strength that represent [[Risk Analysis|risk factors]].
+*Assets: Assets Within the [[Information Risk Management (IRM)|information risk]] landscape, we can define Asset as any [[Data|data]], [[device]], or other component of the environment that supports information-related activities, and which can be affected in a manner that results in loss. Assets have characteristics related to [[value]], [[liability]], and controls strength that represent [[Risk Analysis|risk factors]].
 *The Organization: Risk exists within the context of an organization or entity. In other words, harm to assets affects one or more of the [[Organization|organization’s]] [[Value Proposition|value propositions]]. It is the organization that loses resources or the ability to operate. Characteristics of the organization also can serve to attract the attention of certain threat communities, which may increase the frequency of events.
-*The External Environment: The environment in which an organization operates plays a significant role in risk. Various external characteristics, such as the regulatory landscape, competition within the industry, etc., all help to drive the probability of loss.
+*The [[External Environment]]: The environment in which an organization operates plays a significant role in risk. Various external characteristics, such as the regulatory landscape, competition within the [[industry]], etc., all help to drive the probability of loss.
@@ Line 36: / Line 36: @@
 **3. Estimate the probable Threat Event Frequency (TEF)
 **4. Estimate the Threat Capability (TCap)
-**5. Estimate Control strength (CS)
+**5. Estimate [[Control]] strength (CS)
-**6. Derive Vulnerability (Vuln)
+**6. Derive [[Vulnerability]] (Vuln)
 **7. Derive Loss Event Frequency (LEF)
 *Stage 3 – Evaluate Probable Loss Magnitude (PLM)

← Older revision		Revision as of 18:38, 18 December 2019
Line 44:		Line 44:
	*Stage 4 – Derive and articulate Risk		*Stage 4 – Derive and articulate Risk
	**10. Derive and articulate Risk		**10. Derive and articulate Risk
		+
		+
		+	===See Also===
		+	[[IT_Governance\|IT Governance]]<br />
		+	[[ITIL_(Information_Technology_Infrastructure_Library)\|ITIL]]<br />
		+	[[Val_IT_Framework\|Val IT]]<br />
		+	[[Risk_IT_Framework\|Risk IT]]<br />
		+	[[OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)]]<br />
		+	[[COBIT (Control Objectives for Information and Related Technology)]]<br />
		+	[[Business_Model_for_Information_Security_(BMIS)\|Business Model for Information Security (BMIS)]]<br />
		+	[[Committee_of_Sponsoring_Organizations_of_the_Treadway_Commission_(COSO)\|COSO]]<br />
		+	[[Capability_Maturity_Model_Integration_(CMMI)\|CMMI]]<br />
		+	[[IT_Assurance_Framework_(ITAF)\|IT Assurance Framework (ITAF)]]<br />
		+	[[IT_Governance_Framework\|IT Governance Framework]]<br />
		+	[[ICT_Investment_Framework\|ICT Investment Framework]]<br />
		+	[[IT_Investment_Management_Framework_(ITIM)\|Information Technology Investment Management (ITIM)]]<br />
		+	[[The Open Group Architecture Framework (TOGAF)\|The Open Group Architecture Framework (TOGAF®)]]
		+
		+
		+	===References===
		+	<references/>

@@ Line 1: / Line 1: @@
-'''Factor Analysis of Information Risk (FAIR)'''is a model that is based on the factors that contribute to [[Risk|risk]] and how each of them affects each other. It is a [[Risk Management Framework (RMF)|risk management framework]] that complies with the international standards, that aims to help organizations [[Information Risk Management (IRM)|understand, analyze and measure the information risk]].  FAIR is a standard [[Value at Risk|Value at Risk (VaR) framework]] that targets [[Cyber Security|cybersecurity]] and operational risk. It provides the standards and best practices that enable organizations to measure, manage and report on information risk from the business perspective to the stakeholders such as information risk, cybersecurity, and business executives.<ref>Definition - What does Factor Analysis of Information Risk (FAIR) Mean? [https://www.cuelogic.com/blog/cybersecurity-frameworks Curlogic]</ref>
+'''Factor Analysis of Information Risk (FAIR)'''is a model that is based on the factors that contribute to [[Risk|risk]] and how each of them affects each other. It is a [[Risk Management Framework (RMF)|risk management framework]] that complies with the international standards, that aims to help organizations [[Information Risk Management (IRM)|understand, analyze and measure the information risk]].  FAIR is a standard [[Value at Risk|Value at Risk (VaR) framework]] that targets [[Cyber Security|cybersecurity]] and operational risk. It provides the standards and best practices that enable organizations to measure, manage and report on information risk from the business perspective to the [[Stakeholder|stakeholders]] such as information risk, cybersecurity, and business executives.<ref>Definition - What does Factor Analysis of Information Risk (FAIR) Mean? [https://www.cuelogic.com/blog/cybersecurity-frameworks Curlogic]</ref>
-FAIR is a methodology for Quantifying and Managing Risk in Any Organization. It is the only international standard quantitative model for cyber security risk.
+FAIR is a methodology for Quantifying and Managing Risk in Any [[Organization]]. It is the only international standard quantitative model for cyber security risk.
 *Provides a model for understanding, analyzing and quantifying cyber risk in financial terms
-*Unlike risk assessment frameworks that focus their output on qualitative color charts or numerical weighted scales
+*Unlike [[Risk Assessment Framework (RAF)|risk assessment frameworks]] that focus their output on qualitative color charts or numerical weighted scales
-*Builds a foundation for developing a scientific approach to information risk management
+*Builds a foundation for developing a scientific approach to [[Information Risk Management (IRM)|information risk management]]
-*The OpenFAIR standard is maintained by The Open Group, a global consortium that enables the achievement of business objectives through IT standards<ref>What is Factor Analysis of Information Risk (FAIR)? [https://www.risklens.com/why-risklens/built-on-the-fair-standard/ Risklens]</ref>
+*The OpenFAIR standard is maintained by The Open Group, a global consortium that enables the achievement of [[Business Objective|business objectives]] through [[IT Standard (Information Technology Standard)|IT standards]]<ref>What is Factor Analysis of Information Risk (FAIR)? [https://www.risklens.com/why-risklens/built-on-the-fair-standard/ Risklens]</ref>
-FAIR is complementary to other methodologies like COSO, ITIL, ISO/IEC 27002:2005, COBIT, OCTAVE, etc. – it provides the engine that can be used in other risk models.
+FAIR is complementary to other methodologies like [[COSO Internal Control Integrated Framework|COSO]], [[ITIL (Information Technology Infrastructure Library)|ITIL]], [[ISO/IEC 27002:2005]], [[COBIT (Control Objectives for Information and Related Technology)|COBIT]], [[OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)|OCTAVE]], etc. – it provides the engine that can be used in other risk models.
 '''FAIR Adoption and Documentation<ref>FAIR Adoption and Documentation [https://en.wikipedia.org/wiki/Factor_analysis_of_information_risk Wikipedia]</ref>'''<br />
 As a standards body, The Open Group aims to evangelize the use of FAIR within the context of these risk assessment or management frameworks.
-ISACA cites FAIR and its concepts in its Risk IT Framework that extends COBIT.
+ISACA cites FAIR and its concepts in its [[Risk IT Framework]] that extends COBIT.
 The Build Security In initiative of the United States Department of Homeland Security cites FAIR.
 FAIR's main document is "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006;
-The contents of this white paper and the FAIR framework itself are released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 license. The document first defines what risk is. The Risk and Risk Analysis section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.
+The contents of this white paper and the FAIR framework itself are released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 license. The document first defines what risk is. The Risk and [[Risk Analysis]] section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.
 The Controls section briefly introduces the three dimensions of a controls landscape. Measuring Risk briefly discusses measurement concepts and challenges, and then provides a high-level discussion of risk factor measurements.