Difference between revisions of "Factor Analysis of Information Risk (FAIR)"
| Line 7: | Line 7: | ||
| − | '''Components of the FAIR Framework''' | + | '''Components of the FAIR Framework'''<br /> |
The FAIR framework contains four primary components – threats, assets, the organization itself, and the external environment. Everything within a scenario falls into one of these categories, and each has attributes, or factors, that contribute positively or negatively to risk. | The FAIR framework contains four primary components – threats, assets, the organization itself, and the external environment. Everything within a scenario falls into one of these categories, and each has attributes, or factors, that contribute positively or negatively to risk. | ||
| − | *Threats: threats are anything (e.g., object, substance, human, etc.) that are capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur. Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or | + | *Threats: threats are anything (e.g., object, substance, human, etc.) that are capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur. Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable. |
| − | the squirrel that chews through a data cable. | ||
*Assets: Assets Within the [[Information Risk Management (IRM)|information risk]] landscape, we can define Asset as any [[Data|data]], device, or other component of the environment that supports information-related activities, and which can be affected in a manner that results in loss. Assets have characteristics related to value, liability, and controls strength that represent [[Risk Analysis|risk factors]]. | *Assets: Assets Within the [[Information Risk Management (IRM)|information risk]] landscape, we can define Asset as any [[Data|data]], device, or other component of the environment that supports information-related activities, and which can be affected in a manner that results in loss. Assets have characteristics related to value, liability, and controls strength that represent [[Risk Analysis|risk factors]]. | ||
| − | *The Organization: Risk exists within the context of an organization or entity. In other words, harm to assets affects one or more of the [[Organization|organization’s]] [[Value Proposition|value propositions]]. It is the organization that loses resources or the ability to operate. | + | *The Organization: Risk exists within the context of an organization or entity. In other words, harm to assets affects one or more of the [[Organization|organization’s]] [[Value Proposition|value propositions]]. It is the organization that loses resources or the ability to operate. Characteristics of the organization also can serve to attract the attention of certain threat communities, which may increase the frequency of events. |
| − | Characteristics of the organization also can serve to attract the attention of certain threat communities, which may increase the frequency of events. | ||
*The External Environment: The environment in which an organization operates plays a significant role in risk. Various external characteristics, such as the regulatory landscape, competition within the industry, etc., all help to drive the probability of loss. | *The External Environment: The environment in which an organization operates plays a significant role in risk. Various external characteristics, such as the regulatory landscape, competition within the industry, etc., all help to drive the probability of loss. | ||
| + | |||
| + | |||
| + | '''Stages in FAIR Analysis'''<br /> | ||
| + | Basic FAIR Analysis is comprised of ten steps in four stages: | ||
| + | *Stage 1 – Identify scenario components | ||
| + | **1. Identify the asset at risk | ||
| + | **2. Identify the threat community under consideration | ||
| + | *Stage 2 – Evaluate Loss Event Frequency (LEF) | ||
| + | **3. Estimate the probable Threat Event Frequency (TEF) | ||
| + | **4. Estimate the Threat Capability (TCap) | ||
| + | **5. Estimate Control strength (CS) | ||
| + | **6. Derive Vulnerability (Vuln) | ||
| + | **7. Derive Loss Event Frequency (LEF) | ||
| + | *Stage 3 – Evaluate Probable Loss Magnitude (PLM) | ||
| + | **8. Estimate worst-case loss | ||
| + | **9. Estimate probable loss | ||
| + | *Stage 4 – Derive and articulate Risk | ||
| + | **10. Derive and articulate Risk | ||
Revision as of 21:16, 17 December 2019
Factor Analysis of Information Risk (FAIR) is a methodology for Quantifying and Managing Risk in Any Organization FAIR is the only international standard quantitative model for cyber security risk.
- Provides a model for understanding, analyzing and quantifying cyber risk in financial terms
- Unlike risk assessment frameworks that focus their output on qualitative color charts or numerical weighted scales
- Builds a foundation for developing a scientific approach to information risk management
- The OpenFAIR standard is maintained by The Open Group, a global consortium that enables the achievement of business objectives through IT standards[1]
Components of the FAIR Framework
The FAIR framework contains four primary components – threats, assets, the organization itself, and the external environment. Everything within a scenario falls into one of these categories, and each has attributes, or factors, that contribute positively or negatively to risk.
- Threats: threats are anything (e.g., object, substance, human, etc.) that are capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur. Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable.
- Assets: Assets Within the information risk landscape, we can define Asset as any data, device, or other component of the environment that supports information-related activities, and which can be affected in a manner that results in loss. Assets have characteristics related to value, liability, and controls strength that represent risk factors.
- The Organization: Risk exists within the context of an organization or entity. In other words, harm to assets affects one or more of the organization’s value propositions. It is the organization that loses resources or the ability to operate. Characteristics of the organization also can serve to attract the attention of certain threat communities, which may increase the frequency of events.
- The External Environment: The environment in which an organization operates plays a significant role in risk. Various external characteristics, such as the regulatory landscape, competition within the industry, etc., all help to drive the probability of loss.
Stages in FAIR Analysis
Basic FAIR Analysis is comprised of ten steps in four stages:
- Stage 1 – Identify scenario components
- 1. Identify the asset at risk
- 2. Identify the threat community under consideration
- Stage 2 – Evaluate Loss Event Frequency (LEF)
- 3. Estimate the probable Threat Event Frequency (TEF)
- 4. Estimate the Threat Capability (TCap)
- 5. Estimate Control strength (CS)
- 6. Derive Vulnerability (Vuln)
- 7. Derive Loss Event Frequency (LEF)
- Stage 3 – Evaluate Probable Loss Magnitude (PLM)
- 8. Estimate worst-case loss
- 9. Estimate probable loss
- Stage 4 – Derive and articulate Risk
- 10. Derive and articulate Risk