FAIR (Factor Analysis of Information Risk)
FAIR (Factor Analysis of Information Risk) is a framework for understanding, analyzing and measuring information risk. Information security practices to date have generally been inadequate in helping organizations effectively manage information risk since there is a heavy reliance on practitioner intuition and experience. While these are valuable, they don't consistently allow management to make effective, well-informed decisions.
FAIR is designed to address security practice weaknesses. The framework aims to allow organizations to speak the same language about risk; apply risk assessment to any object or asset; view organizational risk in total; defend or challenge risk determination using advanced analysis; and understand how time and money will affect the organization's security profile.
The FAIR vernacular allows IT people and the business lines to talk about risk in a consistent manner. One of the advantages of the framework is that it doesn't use ordinal scales, such as one-to-10 rankings, and therefore isn't subject to the limitations that go with them. 'High, medium and low' is an example of an ordinal scale, as are 'red, yellow and green' and 'one, two and three'. Imagine what the result would be if you added or multiplied two medium values, or added yellow to green: it would have no meaning at all, yet many risk calculations in our industry do exactly that when they add and/or multiply numeric ordinal scales.
FAIR uses dollar estimates for losses and probability values for threats and vulnerabilities. Combined with a range of values and levels of confidence, it allows for true mathematical modeling of loss exposures. Another plus is that FAIR has more detailed definitions of threats, vulnerabilities and risks. FAIR has a taxonomy that breaks down the terms on a more granular level. The taxonomy enables describing more easily and credibly how conclusions are made and that they are not based on assumptions but on actual measurable results.
The most important downside of FAIR is that it can be difficult to use and is not as well documented as some other methodologies.
A basic FAIR analysis consists of ten steps in four stages:
Stage 1 – Identify scenario components
1. Identify the asset at risk
2. Identify the threat community under consideration
Stage 2 – Evaluate Loss Event Frequency (LEF)
3. Estimate the probable Threat Event Frequency (TEF)
4. Estimate the Threat Capability (TCap)
5. Estimate Control strength (CS)
6. Derive Vulnerability (Vuln)
7. Derive Loss Event Frequency (LEF)
Stage 3 – Evaluate Probable Loss Magnitude (PLM)
8. Estimate worst-case loss
9. Estimate probable loss
Stage 4 – Derive and articulate Risk
10. Derive and articulate Risk
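A worked pass through the ten steps above, as an added example that is not part of the original post: the scenario, the percentile scales for TCap and CS, and the Monte Carlo sampling of each (min, most likely, max) estimate are assumptions made here, while the relationships are FAIR's own (Vuln is the probability that threat capability exceeds control strength, LEF = TEF x Vuln, risk = LEF x PLM).

```python
import random
from statistics import mean, quantiles

# Constructed FAIR scenario (example inputs, not from the original post).
# Each estimate is a (min, most_likely, max) range, sampled from a triangular
# distribution so the analyst's uncertainty is carried through the calculation.
SCENARIO = {
    "asset": "customer database",                   # step 1
    "threat_community": "external cybercriminals",  # step 2
    "tef": (0.5, 2.0, 6.0),              # step 3: threat events per year
    "tcap": (40, 60, 85),                # step 4: threat capability, percentile 0-100 (assumed scale)
    "cs": (50, 70, 90),                  # step 5: control strength, percentile 0-100 (assumed scale)
    "plm": (20_000, 150_000, 900_000),   # step 9: probable loss per event, USD
}

def sample(rng, estimate):
    """Draw one value from a (min, most_likely, max) estimate."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)  # random.triangular(low, high, mode)

def run_fair(scenario, trials=20_000, seed=1):
    """Monte Carlo pass over steps 6-10; returns the derived risk figures."""
    rng = random.Random(seed)
    vuln_hits = 0
    annual_losses = []
    for _ in range(trials):
        tef = sample(rng, scenario["tef"])
        tcap = sample(rng, scenario["tcap"])
        cs = sample(rng, scenario["cs"])
        plm = sample(rng, scenario["plm"])
        # step 6: this trial is vulnerable only if threat capability exceeds control strength
        vulnerable = tcap > cs
        vuln_hits += vulnerable
        # step 7: loss event frequency = TEF x Vuln (Vuln is 0 or 1 within one trial)
        lef = tef if vulnerable else 0.0
        # step 10: annualized loss exposure = LEF x PLM
        annual_losses.append(lef * plm)
    return {
        "vulnerability": vuln_hits / trials,          # fraction of trials where TCap > CS
        "worst_case_loss": scenario["plm"][2],        # step 8: top of the loss range
        "mean_annual_loss": mean(annual_losses),
        "p90_annual_loss": quantiles(annual_losses, n=10)[-1],
    }

if __name__ == "__main__":
    for key, value in run_fair(SCENARIO).items():
        print(f"{key}: {value:,.2f}")
```

Because the inputs are ranges rather than ordinal labels, the outputs are dollar and probability figures that can be compared across scenarios or against the cost of a control.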
To sum up, FAIR allows organizations to:
· Speak in one language concerning their risk
· Be able to consistently study and apply risk to any object or asset
· View organizational risk in total
· Defend or challenge risk determination using an advanced analysis framework
· Understand how time and money will impact the security profile