Frequently Asked Questions
- What is FAIR?
- How is FAIR different from other risk methodologies?
- Is FAIR complicated and/or hard to use?
- Is FAIR an open standard or proprietary?
- Who uses FAIR?
- Is FAIR credible?
- Is FAIR going to work well for my organization?
- My executives like Red/Yellow/Green risk indicators, so why should I be interested in FAIR?
- Does FAIR use a 1-to-5 or other quantitative scale?
- How do you measure intangibles like reputation damage?
- When would I use FAIR?
- Is there software for FAIR?
- I’ve heard that measuring risk isn’t possible. Is this true?
- I’ve heard that there’s more to FAIR than is documented in the introduction white paper. What else is there?
- How do I become trained in FAIR?
- Does FAIR training count as CPE credits?
- Where can I learn more?
What is FAIR?
FAIR stands for Factor Analysis of Information Risk. Simply stated, it is a framework of models that describe what risk is and how it works. The framework also includes methods and processes for using the models.
How is FAIR different from other risk methodologies?
FAIR is a framework of analytic models, whereas most information security risk methodologies in use today are Capability Maturity Models (CMM) or checklists. Analytic models attempt to describe how a problem space works by identifying the key elements that make up the environment and the relationships between those elements; Newton’s laws, for example, describe how things like gravity work in the physical world. If the models are relatively accurate (no models are perfect), then analyses performed using the models should consistently align with our experience and observations. With those elements identified, measurements can be made that enable risk quantification and what-if analyses, neither of which can be performed with checklist or CMM analyses.
The other methodologies answer different questions:
- Checklist methodologies (e.g., PCI, ISO, BITS, etc.) provide inventories of practices that an organization can use to evaluate and benchmark itself against. This can be useful for identifying gaps in controls and/or for comparison against other organizations. Checklists are not useful, though, for determining how much risk exists or for understanding the effects of changes in the risk landscape (e.g., how much more or less risk will exist if…).
- CMM methodologies (e.g., SSE-CMM) provide an ordinal scale for rating the maturity of processes. This can be useful for evaluating the quality of processes, for setting goals, and for evaluating progress against those goals. CMM is not useful for quantifying risk or for measuring the practical effect of changes in maturity.
FAIR provides the means to answer questions like:
- How much risk does X represent?
- How much risk do we have?
- How much more/less risk will we have if …?
- What are my most cost-effective options for managing risk?
Note that all three methodology types can be useful for most organizations, and they should be complementary.
Is FAIR complicated and/or hard to use?
FAIR is conceptually very straightforward, even simple. That said, many of the risk scenarios we face in our profession are not. As a result, analyzing a complex scenario with even a simple modeling structure like FAIR can feel difficult, especially at first.
The good news is that besides being conceptually simple, FAIR is highly flexible. This allows the user to operate in “quick-and-dirty” mode or “down in the weeds”, whichever is appropriate given time, resources, and the significance of the problem being analyzed. In fact, the vast majority of FAIR analyses fall into the quick-and-dirty category because that’s all that is required in most instances.
As with any new skill though, there is a learning curve. Most of that curve is spent learning how to decompose scenarios so that they can be analyzed. Once a scenario is well-defined, the analysis itself is generally quite simple.
Is FAIR an open standard or proprietary?
FAIR is proprietary; however, the basic taxonomy and methods have been made available for non-commercial use under a Creative Commons license. In other words, you are free to use FAIR to analyze your own risk. Using FAIR to analyze someone else’s risk for commercial gain, either through consulting or as part of a software application, requires a license from RMI.
RMI welcomes partnerships with consulting and software firms that want to raise their game.
Who uses FAIR?
RMI clients have included companies from the following industries:
- High Tech
- Health Care
- Consultancies, and
Client size has ranged from small to Fortune 10.
Bottom line: understanding and measuring risk can be useful for organizations of any size in any industry.
Is FAIR credible?
Yes. In fact, The Open Group has adopted FAIR as a key component in its approach to risk management, and ISACA references FAIR in its Risk IT framework. Furthermore, FAIR has been vetted at various points in its development with people who are experts in risk and quantitative analysis.
Is FAIR going to work well for my organization?
In order for any framework to be useful, management has to support its use. If management where you work is only interested in compliance with regulations and/or “best practice” and is not interested in understanding how much risk exists, how much risk is associated with non-compliance issues, or which risk management measures are likely to be most cost-effective, then an analytic framework like FAIR may not be a good fit.
My executives like Red/Yellow/Green risk indicators, so why should I be interested in FAIR?
FAIR can be extremely useful for performing qualitative analyses that generate simple outputs. In fact, the introductory white paper describes one way it can be used in that fashion. Also, it is simple to convert a quantitative value into a qualitative rating: an organization can define parameters that match specific quantitative ranges to qualitative values, e.g., “Annualized exposure of between $100,000 and $1,000,000 will be considered ‘High Risk’ (or Red on a color scale).” The advantage is that the analysis and numbers underlying the qualitative values can be referenced to explain how the rating was arrived at.
Does FAIR use a 1-to-5 or other quantitative scale?
There are many analysis methods that use ordinal scales (e.g., 1 – 5, 1 – 10) to rate risk conditions. These frameworks are commonly mistaken for quantitative methods because numbers are involved; however, in each case the numeric scale could be replaced with colors or words (e.g., “High”, “Medium”, etc.) and be identical. In addition, common mathematical functions like addition, subtraction, multiplication, etc. cannot legitimately be performed on ordinal scales (e.g., you can’t multiply red times yellow).
FAIR analyses use quantitative values like frequencies, ratios, and monetary loss, which enables true quantitative analysis.
How do you measure intangibles like reputation damage?
Logically, the effects of damaged reputation have to materialize in some form, or else we wouldn’t care. These effects are tangible. For a commercial enterprise they materialize as reduced market share, decreased stock price (if publicly traded), and potentially a higher cost of capital.
In my experience, organization executives have always been able to confidently estimate the effects of reputation damage. They understand their customers, competition, and other key business factors that would come into play from a reputation perspective. The key is to get these loss estimates from business executives, as it is extremely uncommon for information security or risk analysts to estimate these effects accurately.
When would I use FAIR?
Anywhere you have a need to know how much risk exists (or could exist if…). Examples include:
- Policy exception requests
- Audit findings
- Penetration test results
- Any time you need to compare risk issues. For example, “Does data leakage or web application security represent more risk to our organization?”
- Any time you need to compare risk mitigation options when the budget doesn’t allow for everything. For example, “Which is likely to be more cost-effective, training my web developers or implementing an application firewall?”
- Any time you need to build a business case for new security measures or to defend existing security expenditures.
Is there software for FAIR?
Yes, CXOWARE’s FAIRiq software is the “quantitative risk engine” that provides the foundation for deriving risk. It accomplishes this by taking risk factor measurements and applying sound and sophisticated mathematical principles to derive risk. FAIRiq offers:
- Centralized analysis repository – quick glance overview of risk landscape
- Gain a view of aggregate risk
- Easy view to prioritize risk issues
- Common Asset Library Database
- Common repository for threat agents
- Common repository for scenario-based loss tables
- Enabling more consistent and accurate results across the team of analysts
- Iterative analysis capability – show risk trending over a period of time
- Dynamic reporting and archived point-in-time reporting
- Centralized identity and access management
- Logical, easy to use, graphic scenario interfaces
I’ve heard that measuring risk isn’t possible. Is this true?
The short answer is “No”, it’s not true. Unfortunately, there are a lot of commonly held misconceptions about risk, particularly in the information security profession. More information about some of the most commonly expressed concerns can be found here.
I’ve heard that there’s more to FAIR than is documented in the introduction white paper. What else is there?
The white paper was intended to provide an introduction to the concepts and methods within FAIR, but does not fully cover the framework. The full framework includes:
- Deeper taxonomy levels
- Models for controls analysis
- Models for analyzing an organization’s ability to manage risk over time
- The use of distributions rather than scales and matrices for describing variables
- The use of Monte Carlo functions to analyze highly uncertain data
- The use of sensitivity analysis to identify especially important risk factors in scenarios
- Calibration to improve the quality and utility of estimates where data are sparse
- Means of performing risk aggregation
Despite how complex some of that sounds, our tools simplify the process for the analyst and help to enable practical everyday use.
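As an added example that is not part of the FAIR documentation or of RMI’s or CXOWARE’s tools, the Python below shows in miniature several of the items above, plus the quantitative-to-qualitative mapping from the Red/Yellow/Green answer: calibrated (min, most likely, max) estimates sampled as distributions, a Monte Carlo simulation of annualized loss, aggregation across scenarios, and a mapping of the result to a qualitative band. The scenario names, estimates and band thresholds (other than the $100,000 to $1,000,000 “High” band quoted in the FAQ) are constructed assumptions.

```python
import math
import random
# FAIR's top-level decomposition is Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM).
# Each factor is a calibrated (min, most likely, max) estimate, not an ordinal score, so
# arithmetic on it is legitimate. Scenario names and figures are constructed for illustration.
SCENARIOS = {
    "phishing_credential_theft": {"lef": (0.5, 2.0, 6.0), "lm": (20_000, 80_000, 400_000)},
    "web_app_sql_injection":     {"lef": (0.1, 0.5, 2.0), "lm": (50_000, 200_000, 1_000_000)},
}
# $100k-$1M maps to "High" as in the FAQ; the Low and Critical bands are constructed, not RMI's.
RATING_BANDS = [(100_000, "Low"), (1_000_000, "High"), (math.inf, "Critical")]
def tri(rng, estimate):
    lo, mode, hi = estimate                # treat the (min, most likely, max) estimate as
    return rng.triangular(lo, hi, mode)    # a triangular distribution (arg order: low, high, mode)

def poisson(rng, annual_rate):
    """Knuth's algorithm: how many loss events occur in one year at the given annual rate."""
    limit, k, p = math.exp(-annual_rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(scenario, iterations=10_000, seed=1):
    """Monte Carlo: one simulated annual loss per iteration for a single scenario."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        events = poisson(rng, tri(rng, scenario["lef"]))          # loss events this year
        losses.append(sum(tri(rng, scenario["lm"]) for _ in range(events)))
    return losses

def aggregate(scenarios, iterations=10_000):
    """Risk aggregation: add each iteration's losses across independent scenarios."""
    totals = [0.0] * iterations
    for i, name in enumerate(sorted(scenarios)):
        for j, loss in enumerate(simulate_annual_loss(scenarios[name], iterations, seed=i + 1)):
            totals[j] += loss
    return totals
def qualitative_rating(annual_exposure):
    """Map a quantitative annualized exposure to the qualitative band it falls in."""
    return next(label for upper, label in RATING_BANDS if annual_exposure < upper)

def summarize(losses):
    """Mean, 90th percentile and qualitative band of a simulated annual-loss sample."""
    ordered = sorted(losses)
    mean = sum(ordered) / len(ordered)
    return {"mean": mean, "p90": ordered[int(len(ordered) * 0.9)], "rating": qualitative_rating(mean)}
```

Call summarize(simulate_annual_loss(SCENARIOS["phishing_credential_theft"])) for one scenario or summarize(aggregate(SCENARIOS)) for the portfolio view; the gap between the mean and the 90th percentile is information a 1-to-5 score cannot carry.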
How do I become trained in FAIR?
Please see our training page here.
Does FAIR training count as CPE credits?
Yes. You can apply the training hours against CPE requirements for various certifications.
Where can I learn more?
Brief literature formatted for printing and viewing outside of a web browser:
- FAIR Summary (PDF): a quick three-page summary of FAIR.