TL;DR

Fair is a methodology for quantifying and managing risk in organisations of any size. It helps organisations specify, describe and analyse their risks; enabling them to be effectively managed. FAIR aids analysts and organisations to express probable likelihoods and impacts in monetary values, which allows business leaders to make informed prioritisation and treatment decisions. 

What is FAIR™?

FAIR stands for Factor Analysis of Information Risk. It is a risk methodology used to quantify cyber and operational risks in financial terms. This enables comparison and prioritisation with other business risks and supports the business case for managing risks appropriately. 

The FAIR methodology was created by Jack Jones and more information about the framework and resources can be found on the FAIR Institute’s website

FAIR™ Taxonomy

The FAIR methodology breaks risks down into levels of abstraction, however, you only need to go as far down this model as is appropriate depending on the data you have available. 

The model helps you analyse and quantify risks, and aids in the development in a robust and defensible case for the appropriate management of risk.  

It also provides organisations with a common language for discussing risks, reduces the chance of misinterpretation, ensures that all assumptions have been documented, and provides reasoning for why risks have been included or discounted. This ensures the organisation can repeat the risk analysis, enabling trend comparisons over time.

5 incredibly useful tips

Focus on probability in risk assessments rather than possibility. 

All things are possible, given enough time. Instead, focus on what is probable in a given timeframe to enable better, risk-informed  decisions to be made.  

When using FAIR we are forecasting the elements of risk (i.e., how often) rather than making predictions. 

We cannot state that a a risk will happen on a specific date and will cost a defined amount (prediction) but we can forecast how often it is likely to occur and how much it is likely to cost.

When using the FAIR taxonomy only go as far down the model as you need to i.e., if the data you need to analyse your risk is available at level two, you do not need to waste time and effort going all the way down to level four. 

Keep it simple for yourself as the analyst. 

Ensure you document your assumptions so that people can see what you have included and excluded and that the assumptions you have made are valid. 

This also supports repeat assessments as people can re-validate the assumptions and conduct a comparable risk analysis and track risk over time. 

Remember we need a useful degree of precision, not 100% precision. 

If you’re asked the length of a cruise ship, for example, you wouldn’t need to know to the exact centimetre (unless you were an engineer on the boat). Instead you’d want to know to the nearest metre or ten meters. That’s a useful degree of precision.

How we can help

We use the FAIR methodology in our security and privacy consulting services to benefit our clients take a proportionate and risk-based view of their security and privacy activities. 

Principle Defence is also an Approved Training Centre with The Open Group for our accredited Open FAIR™ Foundation Course. We can train risk professionals and those in organisations who want to use the FAIR™ methodology.

 

Leave a Reply