The FAIR Model
We start with the FAIR model structured into a Bayesian belief network. The top level fields of the application respond data input and sophisticated calculations from lower levels of abstraction. From the most simplistic perspective, at the highest levels of abstraction we acknowledge that risk is “how often do bad things happen” (Loss Event Frequency, expressed as events per year) and “how bad can it be” (Loss Magnitude expressed with monetary values). Working at the lowest levels of abstraction on the taxonomy, we provide the analyst with detailed data collection tools necessary to establish the credibility of the final results. The illustration below represents the taxonomy for assessing Information Security and Operational risk.
- Bayesian belief network
- PERT distributions
- Monte Carlo Simulations
- Stochastic analysis