Factor Analysis of Information Risk (FAIR)

Factor Analysis of Information Risk (FAIR)is a model that is based on the factors that contribute to risk and how each of them affects each other. It is a risk management framework that complies with the international standards, that aims to help organizations understand, analyze and measure the information risk. FAIR is a standard Value at Risk (VaR) framework that targets cybersecurity and operational risk. It provides the standards and best practices that enable organizations to measure, manage and report on information risk from the business perspective to the stakeholders such as information risk, cybersecurity, and business executives.^[1]

FAIR is a methodology for Quantifying and Managing Risk in Any Organization. It is the only international standard quantitative model for cyber security risk.

• Provides a model for understanding, analyzing and quantifying cyber risk in financial terms
• Unlike risk assessment frameworks that focus their output on qualitative color charts or numerical weighted scales
• Builds a foundation for developing a scientific approach to information risk management
• The OpenFAIR standard is maintained by The Open Group, a global consortium that enables the achievement of business objectives through IT standards^[2]

FAIR is complementary to other methodologies like COSO, ITIL, ISO/IEC 27002:2005, COBIT, OCTAVE, etc. – it provides the engine that can be used in other risk models.

FAIR Adoption and Documentation^[3]
As a standards body, The Open Group aims to evangelize the use of FAIR within the context of these risk assessment or management frameworks. ISACA cites FAIR and its concepts in its Risk IT Framework that extends COBIT. The Build Security In initiative of the United States Department of Homeland Security cites FAIR.

FAIR's main document is "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006; The contents of this white paper and the FAIR framework itself are released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 license. The document first defines what risk is. The Risk and Risk Analysis section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework. The Controls section briefly introduces the three dimensions of a controls landscape. Measuring Risk briefly discusses measurement concepts and challenges, and then provides a high-level discussion of risk factor measurements.

Components of the FAIR Framework^[4]
The FAIR framework contains four primary components – threats, assets, the organization itself, and the external environment. Everything within a scenario falls into one of these categories, and each has attributes, or factors, that contribute positively or negatively to risk.

• Threats: threats are anything (e.g., object, substance, human, etc.) that are capable of acting against an asset in a manner that can result in harm. A tornado is a threat, as is a flood, as is a hacker. The key consideration is that threats apply the force (water, wind, exploit code, etc.) against an asset that can cause a loss event to occur. Practically anyone and anything can, under the right circumstances, be a threat agent – the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable.
• Assets: Assets Within the information risk landscape, we can define Asset as any data, device, or other component of the environment that supports information-related activities, and which can be affected in a manner that results in loss. Assets have characteristics related to value, liability, and controls strength that represent risk factors.
• The Organization: Risk exists within the context of an organization or entity. In other words, harm to assets affects one or more of the organization’s value propositions. It is the organization that loses resources or the ability to operate. Characteristics of the organization also can serve to attract the attention of certain threat communities, which may increase the frequency of events.
• The External Environment: The environment in which an organization operates plays a significant role in risk. Various external characteristics, such as the regulatory landscape, competition within the industry, etc., all help to drive the probability of loss.

Stages in FAIR Analysis
Basic FAIR Analysis is comprised of ten steps in four stages:

• Stage 1 – Identify scenario components
  • 1. Identify the asset at risk
  • 2. Identify the threat community under consideration
• Stage 2 – Evaluate Loss Event Frequency (LEF)
  • 3. Estimate the probable Threat Event Frequency (TEF)
  • 4. Estimate the Threat Capability (TCap)
  • 5. Estimate Control strength (CS)
  • 6. Derive Vulnerability (Vuln)
  • 7. Derive Loss Event Frequency (LEF)
• Stage 3 – Evaluate Probable Loss Magnitude (PLM)
  • 8. Estimate worst-case loss
  • 9. Estimate probable loss
• Stage 4 – Derive and articulate Risk
  • 10. Derive and articulate Risk

See Also

• IT Governance
• ITIL
• Val IT
• Risk IT
• OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
• COBIT (Control Objectives for Information and Related Technology)
• Business Model for Information Security (BMIS)
• COSO
• CMMI
• IT Assurance Framework (ITAF)
• IT Governance Framework
• ICT Investment Framework
• The Open Group Architecture Framework (TOGAF®)

References