What is FAIR?
FAIR (Factor Analysis of Information Risk) is an industry standard risk model for information security and operational risk. Where other risk assessment standards produce qualitative color charts or numerically weighted scales, the FAIR model specializes in financially derived results tailored for enterprise risk management. FAIR has been widely accepted and used within the finance, government, healthcare, and retail industries.
Information security practices, to date, have generally been inadequate in helping organizational leadership effectively manage information risk. The shortcomings are primarily the result of information security being practiced as an art rather than a science – i.e., a heavy reliance on practitioner intuition, experience, industry lore, and best practices. Although intuition, experience, and best practices all provide value, they do not consistently enable management to make effective, well-informed decisions. The absence of a working, logical foundation for determining risk means that risk management efforts are highly subject to individual bias, myth, dogma, and misinterpretation of the relatively sparse empirical data that exists.
The result? Organizations spend too little or too much time and money, or spend resources in the wrong places as they attempt to reduce their risk.
CXOWARE’s Quantitative Risk Model
FAIR provides a model for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.
FAIR allows organizations to:
- Speak in one language concerning their risk
- Consistently study and apply risk to any object or asset
- View organizational risk in total
- Challenge and defend risk decisions using an advanced risk model
- Understand how time and money will impact their security profile
Specific components of the model include:
- A taxonomy for information and operational risk
- Standard nomenclature for risk terms
- A framework for establishing data collection criteria
- Measurement scales for risk factors
- Integration into a computational engine for calculating risk
- A modeling construct for analyzing complex risk scenarios
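To make "financially derived results" and the "computational engine" concrete, here is a small added illustration (not CXOWARE's code, and not the engine the page refers to). It assumes the top-level factors of the published FAIR taxonomy, which this page does not spell out: Threat Event Frequency (TEF) times Vulnerability gives Loss Event Frequency (LEF), and LEF times Loss Magnitude (LM) gives annualized loss exposure. Each factor is entered as a calibrated minimum / most-likely / maximum estimate and sampled from a PERT distribution, a common convention in FAIR tooling; the `pert_sample`, `simulate_ale` and `compare_scenarios` names and the scenario figures are constructed for this example.

```python
import random
import statistics


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified-PERT distribution.

    PERT is a Beta distribution rescaled onto [low, high] with its peak at
    `mode`; `lam` controls how strongly samples cluster around the mode.
    A degenerate estimate (low == high) is returned as-is.
    """
    if high == low:
        return low
    a = 1.0 + lam * (mode - low) / (high - low)
    b = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def percentile(sorted_values, p):
    """Nearest-rank percentile of an already sorted list (p in [0, 1])."""
    idx = int(round(p * (len(sorted_values) - 1)))
    return sorted_values[idx]


def simulate_ale(scenario, trials=10_000, seed=1):
    """Monte Carlo estimate of annualized loss exposure for one FAIR scenario.

    `scenario` maps each factor to a (min, most_likely, max) estimate:
      tef  - threat events per year
      vuln - probability that a threat event becomes a loss event (0..1)
      lm   - loss magnitude per loss event, in currency units
    Returns summary statistics of the simulated annual loss distribution.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(trials):
        tef = pert_sample(rng, *scenario["tef"])
        vuln = pert_sample(rng, *scenario["vuln"])
        lef = tef * vuln                      # loss events per year
        lm = pert_sample(rng, *scenario["lm"])
        losses.append(lef * lm)               # annualized loss for this trial
    losses.sort()
    return {
        "mean": statistics.fmean(losses),
        "p10": percentile(losses, 0.10),
        "p50": percentile(losses, 0.50),
        "p90": percentile(losses, 0.90),
        "max": losses[-1],
    }


def compare_scenarios(baseline, alternative, **kwargs):
    """Difference in mean annualized loss between two scenarios.

    A positive result means the alternative (e.g. after a proposed control)
    carries less expected loss, which is the figure a control's cost can be
    weighed against.
    """
    base = simulate_ale(baseline, **kwargs)
    alt = simulate_ale(alternative, **kwargs)
    return base["mean"] - alt["mean"]


# Constructed scenario: phishing-led credential compromise of a single
# application. All figures are illustrative, not data from any assessment.
BASELINE = {
    "tef": (20, 40, 80),          # threat events per year
    "vuln": (0.05, 0.15, 0.30),   # fraction that succeed
    "lm": (5_000, 25_000, 150_000),
}

# Same scenario after assuming a control that lowers the success rate.
WITH_CONTROL = dict(BASELINE, vuln=(0.01, 0.03, 0.08))


if __name__ == "__main__":
    for name, sc in (("baseline", BASELINE), ("with control", WITH_CONTROL)):
        s = simulate_ale(sc)
        print(f"{name:13s} mean={s['mean']:>12,.0f} "
              f"p10={s['p10']:>10,.0f} p50={s['p50']:>10,.0f} "
              f"p90={s['p90']:>10,.0f} max={s['max']:>12,.0f}")
    print(f"expected annual loss avoided: {compare_scenarios(BASELINE, WITH_CONTROL):,.0f}")
```

The output is a distribution of annual loss in currency, not a color or a score, which is what lets a decision maker compare the expected loss avoided by a control against what that control costs. The summary statistics are what an analyst would report; the percentiles matter as much as the mean because a heavy tail (a large p90 relative to p50) is exactly the information a single weighted score hides.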
Is FAIR credible?
Yes. In fact, The Open Group has adopted FAIR as a key component of its approach to risk management, and ISACA references FAIR in its Risk IT framework. Furthermore, FAIR has been vetted at various points in its development with professionals who are experts in risk and quantitative analysis. See our Testimonials page and Resources page for more information.