FAIR stands for Factor Analysis of Information Risk. It is a framework for cyber risk quantification that helps organizations understand and measure information risk, and it is published by The Open Group as the Open FAIR standard, the only international standard quantitative model for information security and operational risk.
FAIR decomposes risk into its contributing factors and expresses those factors in monetary terms. Breaking out the factors and the relationships between them gives security teams a clearer view of how each risk is being addressed and where the gaps are. Because FAIR assigns a monetary value to risk, it defines risk in a business context, which matters because it lets businesses translate cyber risk into business terms and build the narrative needed to win executive buy-in for security initiatives. It also enables CISOs to calculate return on security investment (RoSI), improving transparency and risk visibility. In short, the FAIR methodology lets businesses measure, analyze, and understand risk concretely.
The nice thing about the FAIR model is that it can augment current security programs and, by doing so, strengthen the organization's security posture. Only once the risk is understood can CISOs make informed decisions about risk scenarios and taxonomy.
The FAIR model provides several benefits:
To better understand how FAIR works, you can develop your own FAIR model examples using the annualized loss expectancy calculation:
ALE = ARO × ML
where ALE is the annualized loss expectancy, ARO is the annual rate of occurrence (how many loss events are expected per year), and ML is the loss magnitude (the monetary loss per event). In FAIR's own taxonomy these are the loss event frequency and loss magnitude factors, and risk is their product.
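The formula above is the single-value form; FAIR analysts rarely have one exact number for ARO or ML and instead calibrate each as a low / most-likely / high range and simulate. The following is an added example written for this page, not code from the page or from any Open FAIR tool: it estimates ALE by Monte Carlo using the page's symbols (ALE, ARO, ML), then applies the RoSI idea from above to compare a baseline scenario against the same scenario with a control in place. The scenario, the figures, the control name (MFA) and its cost are constructed for illustration, and the triangular distribution is a standard-library stand-in for the PERT distribution FAIR tools typically use.

```python
"""FAIR-style Monte Carlo estimate of annualized loss expectancy (ALE).

Added example, not code from the page or from any FAIR tool. It uses the
page's formula ALE = ARO x ML, with ARO (annual rate of occurrence) and
ML (loss magnitude per event, in currency units) each given as a
low / most-likely / high estimate rather than a single number. The
scenario, control and figures below are constructed for illustration.
"""
from __future__ import annotations

import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point (min / most likely / max) estimate for one FAIR factor."""
    low: float
    likely: float
    high: float

    def __post_init__(self) -> None:
        if not (self.low <= self.likely <= self.high):
            raise ValueError("expected low <= likely <= high")


def point_ale(aro: float, ml: float) -> float:
    """The single-value form of the page's formula: ALE = ARO x ML."""
    return aro * ml


def simulate_ale(aro: Estimate, ml: Estimate, iterations: int = 20_000,
                 seed: int = 7) -> list[float]:
    """Draw ARO and ML independently from triangular distributions and
    multiply them per iteration, giving a distribution of annual loss
    instead of one number. Triangular is an assumption of this example;
    FAIR tools usually sample a PERT distribution."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    return [rng.triangular(aro.low, aro.high, aro.likely)
            * rng.triangular(ml.low, ml.high, ml.likely)
            for _ in range(iterations)]


def summarize(samples: list[float]) -> dict[str, float]:
    """Mean and percentiles of a simulated ALE distribution."""
    ordered = sorted(samples)

    def pct(p: float) -> float:
        return ordered[round(p * (len(ordered) - 1))]

    return {"mean": statistics.fmean(ordered), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90), "max": ordered[-1]}


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: (risk reduced - control cost) / cost."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after - control_cost) / control_cost


# Constructed scenario: credential stuffing against a customer portal.
BASELINE_ARO = Estimate(0.1, 0.5, 2.0)           # loss events per year
BASELINE_ML = Estimate(20_000, 75_000, 400_000)  # currency units per event
# Same scenario after deploying MFA; assumed to cut frequency, not magnitude.
MFA_ARO = Estimate(0.02, 0.1, 0.4)
MFA_ANNUAL_COST = 30_000                          # assumed yearly control cost


def compare_controls() -> dict[str, float]:
    """Mean ALE with and without the control, and the resulting RoSI."""
    before = summarize(simulate_ale(BASELINE_ARO, BASELINE_ML))
    after = summarize(simulate_ale(MFA_ARO, BASELINE_ML))
    return {"ale_before": before["mean"], "ale_after": after["mean"],
            "rosi": rosi(before["mean"], after["mean"], MFA_ANNUAL_COST)}


if __name__ == "__main__":
    s = summarize(simulate_ale(BASELINE_ARO, BASELINE_ML))
    print(f"baseline ALE mean {s['mean']:,.0f}, p10 {s['p10']:,.0f}, "
          f"p50 {s['p50']:,.0f}, p90 {s['p90']:,.0f}")
    c = compare_controls()
    print(f"MFA: ALE {c['ale_before']:,.0f} -> {c['ale_after']:,.0f}, "
          f"RoSI {c['rosi']:.2f}")
```

The point of reporting p10/p50/p90 rather than only the mean is that a FAIR result is a range: a control that lowers the p90 tail may be worth more to the business than one that only moves the median, and the RoSI figure should be read against the spread of the inputs, not as a precise return.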
See the core competencies of an Open FAIR Risk Analysis tool.