Information risk is not just a technical problem but affects the bottom line and daily activities of most businesses. FAIR – Factor Analysis of Information Risk is a model that allows organizations to analyze, measure and understand cybersecurity and operational risk, in terms that can be easily understood and applied practically to a business environment. It takes an organization beyond just compliance with regulations and ‘best practices’ and shows a broader overall picture of risk from different angles.
The FAIR risk model evaluates the factors that make up IT risk and assesses how they interact and impact each other. It breaks each risk down into basic building blocks, then takes these elements and mathematically assigns them a dollar value in order to measure risk in financial terms. FAIR methodology enables executives and cyber leaders to easily make business decisions by quantifying cyber risk and eliminating the doubt surrounding the practical understanding and impact of those risks.
Risk is defined by the FAIR assessment as “The probable frequency and probable magnitude of future loss”.
How does it work?
The FAIR Model Diagram:
FAIR splits up risk into Loss Event Frequency (measuring the time lost from a potential threat) and Loss Magnitude (the likely outcome of a successful threat).
- Loss Event Frequency is further broken down into a threats’ Contact with an asset (Random/Regular/Intentional), Action (probability of acting against the asset), and Vulnerability (will the asset be able to resist the threat).
- Loss Magnitude is broken down into Primary Loss Factors (what can be lost from an asset, its value and liability, the productivity impact, potential harm and the volume of the asset) and Secondary Loss Factors (what other factors can influence the loss of an asset, both organizational and external).
What are the advantages of FAIR?
The gap that previously existed between the Cybersecurity Department and the Executive Level is slowly closing as models like FAIR enable the two to communicate in a common language. Together, the risk and security professionals can work together with their colleagues to ensure the business is making informed and measured decisions that impact all aspects of the business and maximise it’s safety. This increased effective management will contribute to a more successful business.
The model is scalable and can be used as the risk landscape grows and changes. It is also useful that it can be used alongside other risk management frameworks enhancing overall analysis. FAIR has a solid system of classification and technology standard that is well defined and clear.
The FAIR framework produces a clear understanding of how outcomes involving time and money will impact the Cybersecurity posture.
Are there any drawbacks?
FAIR is not an exact science and a fair amount of estimation is involved. The lack of metrics isn’t appreciated by some, whilst others find the broader approach fits their purpose well. Additionally, FAIR has a comprehensive, common and stable set of risk categories that may be considered too tightly defined for some organizations.
As with all risk management systems, it is worth weighing up the pros and cons to see if it will benefit your organization. If communication with the Executive Level is a priority, if you struggle to provide risk mitigation strategies to upper-level management, FAIR is a great methodology to use.
FAIR & Cyber Insurance
The FAIR risk assessment tool is particularly useful to both insurance companies and their clients to quantify expected losses. A company must first calculate its potential losses in the event of a successful cyber threat actualizing in order to effectively transfer cyber risks to insurers. This is usually done with a variety of risk scenarios in mind. Failure to accurately quantify predicted losses in the event of a claim could lead to the company being under-insured, keeping a portion of the risk they anticipated transferring to their insurers, or being over-insured, resulting in needlessly expensive premiums. Understanding the process, which is made possible by cyber risk quantification tools, is crucial for translating enterprise risk appetite declarations into cyber insurance coverage. For both policyholders and insurers, this will assure sufficiency and long-term viability.
As with all risk management systems, it is worth weighing up the pros and cons to see if FAIR risk model will benefit your organization. If communication with the Executive Level is a priority, if you struggle to provide risk mitigation strategies to upper-level management, FAIR is a great methodology to use. Using the FAIR approach to understanding the financial impact of your cyber risk will drive cost-effective decisions, allocate resource effectively, and achieve more.