Factor Analysis of Information Risk (FAIR)
FAIR (Factor Analysis of Information Risk) is a risk management framework specifically designed for understanding, analyzing, and quantifying information risk in financial terms. It is unlike traditional qualitative risk assessment methods and focuses on risk quantification in terms of probable frequency and probable magnitude of future loss.
Definition and purpose
FAIR provides a model for understanding, analyzing, and quantifying cyber risk and operational risk in a language that business leaders understand—money. The purpose of the FAIR framework is to help organizations make better decisions about security and operational risk, grounded in a solid understanding of the frequency and impact of risk events.
The FAIR framework was initially developed by Jack Jones and is now maintained and promoted by the FAIR Institute, an expert nonprofit organization that aims to propagate knowledge and best practices of the FAIR model.
The FAIR framework was developed in 2005. The FAIR Institute continues to develop and refine supporting guidance and training materials.
FAIR is industry-agnostic and can be applied across various sectors. It is beneficial for any organization that needs to understand, analyze, and quantify information risk. This includes but is not limited to financial services, healthcare, manufacturing, retail, and government entities.
Controls and requirements
FAIR does not have a traditional controls list but rather focuses on the factors that contribute to risk. When conducting a FAIR analysis, you would typically define, measure, and analyze the following factors:
- Threat Event Frequency: How often threat events are likely to occur.
- Contact Frequency: The interaction between threats and assets.
- Probability of Action: Likelihood that a threat action will result in loss.
- Vulnerability: The probability that an asset will be unable to resist the actions of a threat event.
- Loss Magnitude: The potential impact or loss from a threat event, which can include both primary and secondary losses.
Please refer to the official FAIR Institute's documentation for details on controls and requirements.
Audit type, frequency, and duration
Audits in the context of FAIR would involve an evaluation of the organization's risk management processes, specifically how risks are identified, analyzed, and quantified. The frequency of FAIR assessments is typically based on the organization's risk management policy, changes in the business environment, or in response to incidents.
The duration of a FAIR assessment can vary greatly depending on the scope of the risk scenarios being analyzed and the complexity of the organization's operations.