FAIR

Factor Analysis of Information Risk

Factor Analysis of Information Risk (FAIR) is a methodology for quantitative risk analysis. It is the only international standard that provides a model for understanding, analyzing and quantifying cyber risk in monetary terms.

FAIR consists of:

  • a taxonomy and ontology (formalized description) of information and operational risk
  • a process for measuring, collecting and evaluating the data needed for risk calculation
  • a risk calculation methodology
  • an ontology (formalized description) of risk mitigation measures
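To show what the risk calculation methodology listed above looks like in practice, here is an added example (not code from the page or from the FAIR standard's own tooling). It follows the FAIR decomposition Risk = Loss Event Frequency x Loss Magnitude, with Loss Event Frequency = Threat Event Frequency x Vulnerability and Vulnerability = P(Threat Capability > Resistance Strength), and runs a Monte Carlo simulation over calibrated min / most-likely / max estimates. The scenario numbers are constructed, and triangular distributions stand in for the PERT curves FAIR tools typically use.

```python
"""Added example: a minimal FAIR-style Monte Carlo risk quantification."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated expert estimate as a minimum / most-likely / maximum range."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution: a simple stand-in for a PERT curve.
        return rng.triangular(self.low, self.high, self.mode)


def point_estimate(tef: float, vulnerability: float, loss_magnitude: float) -> float:
    """Single-value FAIR calculation: Risk = (TEF x Vulnerability) x Loss Magnitude."""
    return tef * vulnerability * loss_magnitude


def simulate_year(tef, tcap, rs, lm, rng):
    """One simulated year: a threat event becomes a loss event only when the
    sampled threat capability exceeds the sampled resistance strength."""
    total_loss = 0.0
    for _ in range(round(tef.sample(rng))):          # threat events this year
        if tcap.sample(rng) > rs.sample(rng):        # vulnerability check
            total_loss += lm.sample(rng)             # monetary loss for this event
    return total_loss


def percentile(sorted_values, p):
    return sorted_values[min(len(sorted_values) - 1, int(p * len(sorted_values)))]


def quantify_risk(tef, tcap, rs, lm, years=10000, seed=42):
    """Annualized loss statistics: mean and 10th/50th/90th percentiles."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(tef, tcap, rs, lm, rng) for _ in range(years))
    return {"mean": sum(losses) / years, "p10": percentile(losses, 0.10),
            "p50": percentile(losses, 0.50), "p90": percentile(losses, 0.90)}


# Constructed scenario (hypothetical values): phishing-driven credential theft.
SCENARIO = dict(
    tef=Estimate(2, 6, 15),                # threat events per year
    tcap=Estimate(20, 50, 80),             # threat capability, 0-100 scale
    rs=Estimate(40, 60, 85),               # control resistance strength, 0-100 scale
    lm=Estimate(5_000, 40_000, 250_000),   # loss magnitude per event, currency units
)

if __name__ == "__main__":
    for name, value in quantify_risk(**SCENARIO).items():
        print(f"{name}: {value:,.0f}")
```

The percentile spread, not the single point estimate, is what supports the (not) adopt decisions FAIR is meant to inform: a control that raises resistance strength can be re-run through the same scenario to see how much of the p90 loss it removes.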

FAIR makes it possible to:

  • unify the terminology used in risk management
  • justify decisions to adopt (or not adopt) measures using an advanced risk model
  • understand the impact of invested resources on the company's security profile
  • manage risk explicitly (work to reduce specific risks) rather than implicitly ("blindly" implementing a standard, best practice or regulation and hoping for a risk reduction)

FAIR provides the foundation for developing a robust approach to managing cyber risk. It also complements standards and frameworks from organizations such as NIST, ISO, OCTAVE and ISACA, which prescribe the need to quantify risk but do not outline how this should be done.