CyberSecurity SEE

Using the FAIR model for quantifying cyber-risk

Cyber-risk is an ever-present threat in today’s business landscape, but accurately identifying and communicating it can be a challenge. However, one model that is gaining traction in the cybersecurity field is the Factor Analysis of Information Risk (FAIR). Developed by former CISO Jack Jones in 2005, the FAIR model is a mathematics-based framework that aims to quantify and measure cyber-risk in financial terms.

The FAIR model works by identifying key data points, or risk factors, associated with specific cyber-risk scenarios. These figures are then entered into FAIR’s calculations, which quantify the risk in terms of probable financial loss. At its core, the FAIR model calculates risk by multiplying the frequency of a loss event by the magnitude of that event, as it relates to a specific asset.

The frequency of a loss event is determined by factors such as the likelihood of a specific threat occurring and the vulnerability of the asset. On the other hand, the magnitude of a loss event is based on the severity of the event, including both primary costs directly caused by the threat and secondary costs arising from third-party stakeholders’ experiences and reactions to the event.

It’s important to note that while some risk factors can be objectively measured, others require estimations based on available data, statistical concepts, and professional judgment. Risk analysis, whether qualitative or quantitative, deals in probabilities rather than certainties. Therefore, a FAIR analysis strives to identify accurate risk ranges rather than precise values.

There are several ways to utilize the FAIR model for cyber-risk quantification. Firstly, practitioners can opt for a do-it-yourself approach using spreadsheets. This may range from basic to more advanced depending on the individual’s skills and experience. Alternatively, the FAIR Institute offers a free web training application called FAIR-U that guides users through data entry and analysis for a single risk scenario at a time. The Institute also provides additional educational materials, training classes, and professional accreditation.

Another option is Open FAIR, an initiative by the vendor-neutral security and risk consortium The Open Group, which has adopted FAIR as a global standard for quantitative risk management. It includes a Risk Analysis Standard and a Risk Taxonomy Standard, and provides extensive documentation, training, a risk analysis tool, and a professional certification program.

For organizations looking for a more comprehensive and enterprise-grade solution, RiskLens offers a paid cyber-risk quantification platform along with a free FAIR-U app. This platform provides guided workflows, automatic risk modeling and analysis, and generates reports in various formats.

Regardless of the chosen approach, a FAIR analysis typically follows four stages: identifying risk scenarios, evaluating loss event frequency, evaluating loss event magnitude, and deriving and articulating the final risk value. The FAIR Institute considers the Monte Carlo method integral to the final stage: it uses computational algorithms to simulate thousands of possible financial loss outcomes for a given risk scenario. This allows senior management to make informed decisions based on the range of probable losses and their relative likelihood.
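The four stages above can be carried through end to end in a few dozen lines. The following is an added illustration, not code from the FAIR Institute, The Open Group or RiskLens: each risk factor is given as a calibrated low / most-likely / high range (sampled here from a triangular distribution, an assumption made for simplicity), loss event frequency is derived as threat event frequency times vulnerability, loss magnitude as primary plus secondary loss per event, and a Monte Carlo run of 10,000 simulated years yields the range of annual loss rather than a single point value. The scenario figures are constructed for the example and do not come from any real analysis.

```python
import math
import random
import statistics
from dataclasses import dataclass

# All figures in this file are constructed illustrations, not data from a real analysis.


@dataclass
class Estimate:
    """A calibrated range (minimum, most likely, maximum) for one FAIR factor."""
    low: float
    likely: float
    high: float

    def mean(self):
        # Mean of a triangular distribution (assumed shape for this example).
        return (self.low + self.likely + self.high) / 3

    def sample(self, rng):
        # Draw one value; random.triangular takes (low, high, mode).
        return rng.triangular(self.low, self.high, self.likely)


@dataclass
class Scenario:
    name: str
    threat_event_frequency: Estimate  # threat events per year against the asset
    vulnerability: Estimate           # probability that a threat event becomes a loss event
    primary_loss: Estimate            # direct cost per loss event, in dollars
    secondary_loss: Estimate          # stakeholder-reaction cost per loss event, in dollars


def poisson(lam, rng):
    """Number of loss events in a year given mean rate lam (Knuth's method)."""
    threshold = math.exp(-lam)
    k = 0
    p = rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k


def simulate_year(scenario, rng):
    """One trial: loss event frequency x loss magnitude for a single year."""
    lef = scenario.threat_event_frequency.sample(rng) * scenario.vulnerability.sample(rng)
    events = poisson(lef, rng)
    return sum(scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
               for _ in range(events))


def expected_annual_loss(scenario):
    """Closed-form mean (factors are independent), used to sanity-check the simulation."""
    return (scenario.threat_event_frequency.mean() * scenario.vulnerability.mean()
            * (scenario.primary_loss.mean() + scenario.secondary_loss.mean()))


def run_simulation(scenario, trials=10_000, seed=1):
    """Monte Carlo: simulate many years and summarise the annual loss distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(scenario, rng) for _ in range(trials))

    def pct(p):
        return losses[min(len(losses) - 1, int(p / 100 * len(losses)))]

    return {
        "mean": statistics.fmean(losses),
        "p10": pct(10),
        "p50": pct(50),
        "p90": pct(90),
        "max": losses[-1],
    }


# Constructed example scenario: credential phishing against a payroll portal.
PHISHING = Scenario(
    name="Credential phishing against payroll portal (constructed example)",
    threat_event_frequency=Estimate(2, 5, 12),
    vulnerability=Estimate(0.1, 0.3, 0.6),
    primary_loss=Estimate(20_000, 50_000, 150_000),
    secondary_loss=Estimate(0, 10_000, 80_000),
)

if __name__ == "__main__":
    result = run_simulation(PHISHING)
    print(PHISHING.name)
    for key, value in result.items():
        print(f"  {key:>4}: ${value:,.0f}")
    print(f"  analytic mean: ${expected_annual_loss(PHISHING):,.0f}")
```

The p10/p50/p90 spread is the output worth presenting to management: a scenario with a modest median but a heavy p90 tail is a different decision from one with the same mean and a narrow range, which a single expected-loss figure would hide. The analytic mean is included only as a check that the simulation is wired correctly; with independent factors the two should agree closely for a large number of trials.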

The FAIR model offers several benefits for organizations seeking to understand their cyber-risk posture in financial terms. By quantifying risk in dollars and cents, management can examine and compare various risk scenarios, prioritize response actions, and make informed decisions about addressing and mitigating specific cyber threats.

However, implementing the FAIR model does come with its challenges. It can be time-consuming and expensive, and the accuracy of the model’s output relies heavily on the quality of the data entered. Organizations must have the necessary expertise to understand and utilize the FAIR model effectively. Additionally, the use of proprietary software from third-party vendors can simplify implementation but may come at an additional cost.

Nevertheless, for organizations looking to gain a better understanding of their cyber-risk exposure in financial terms, the FAIR model offers a powerful quantitative approach. By framing cyber-risk as a business issue that resonates with senior executives, the FAIR model can help organizations prioritize and allocate resources to effectively address cyber threats.
