March 14, 2024
Cyber Risk

The FAIR Model Explained in 90 Seconds

Essential stuff you need to know about the standard for cyber risk quantification.

By Jeff B. Copeland

How do you eat an elephant? One bite at a time. You’ve probably heard this joke before about solving complex problems. It relates to risk, too.

The big elephant in today’s boardroom is information and cyber risk. It’s a complex topic that increasingly threatens the bottom line of the business.

Fear not. FAIR—the recognized standard model for cyber risk quantification—breaks down cyber risk into bite-size pieces to facilitate the analysis that Board- and C-suite level executives need to make better, more cost-effective decisions on cybersecurity.

What is FAIR?

FAIR (Factor Analysis of Information Risk) is a model that codifies risk terminology and quantifies risk as loss events. It breaks down risk by identifying and defining the factors that describe the frequency of occurrence or magnitude of impact of loss events. These factors and the relationships among them can be measured mathematically and assigned dollar values, so that ultimately risk can be calculated as financial loss exposure. See a visual representation of the model.

What does FAIR enable your organization to do?

Translating the impact of cyber risk into financial terms enables the type of normal business planning that your organization practices in the non-cyber world: prioritizing effectively, making trade-offs, calculating ROI of security investments, and choosing cost-effective solutions. Say hello to economically driven cyber risk management.

Why is FAIR better than what you’re doing now?

Chances are that your cybersecurity practice is falling victim to a common approach focused on complying with industry or government standards or checking off lists of controls or best practices. While these approaches are needed and helpful, they can’t answer questions like:

  1. What are the organization’s top cyber risks and how much exposure do they represent?
  2. Which cyber risk management investments matter most?
  3. Are we investing enough (or too much) in cyber risk management?

FAIR normalizes loss exposure in financial terms across risks, enabling comparison of alternatives to clarify business decisions.

Got another 90 seconds? We have more for you…

What does a FAIR risk analysis look like?

FAIR analysis quantifies the frequency (or likelihood) of a cyber loss event (say, a data breach), expressed as a percentage, and the magnitude (or impact) of the event in dollars. In considering security investments, decision-makers always need to weigh frequency vs. magnitude: a high impact event could be low frequency and vice versa.

Output from a SAFE One analysis showing probable frequency and loss magnitude of a risk scenario.

What is a FAIR risk scenario?

Risk scenarios are the building blocks of FAIR. The better defined the scenario, the more accurate the analysis result. A scenario is a statement of the risk with

  1. A threat actor (e.g. cyber criminals)
  2. A method of attack (ransomware and data exfiltration)
  3. A targeted business resource (IP and trade secrets data)
  4. The protective controls around the resource (data encryption)
  5. Resulting in a loss

Each element can be quantified for probable frequency of occurrence or magnitude of impact or efficacy of a control and mathematically modeled to analyze the scenario.

Where does the data for FAIR analysis come from?

The SAFE One platform stores industry standard data (for instance, on reported data breaches) and company-specific data (for instance, response team costs), and pulls in real-time attack surface data via APIs. The platform is the first to implement two derivative standards of FAIR: the FAIR Controls Analytics Model (FAIR-CAM), for measuring control effectiveness, and the FAIR Materiality Assessment Model (FAIR-MAM), for a more granular breakdown of loss magnitude.

Why should I trust a FAIR cyber risk analysis to give a true picture of my risk?

The Open Group, the international standards-setting body for IT, has validated FAIR as a standard. The National Institute of Standards and Technology recommended FAIR as an informational resource for risk analysis and management in the Cybersecurity Framework (NIST CSF). But here is a critical insight to know: FAIR analysts always quantify risk not as a single value but as a range of probable outcomes, to account for the uncertainty of any business decision.
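As an added illustration (not from the article and not SAFE One's code), here is the Monte Carlo approach behind a FAIR range estimate for the ransomware scenario described above: minimum / most likely / maximum estimates for loss event frequency and loss magnitude are sampled as triangular distributions, and each simulated year multiplies how many events occur by what each one costs, producing a distribution of annualized loss rather than a single number. The scenario ranges are constructed placeholder values, not industry data, and the `poisson` and `simulate_ale` helpers are hypothetical names chosen here.

```python
import math
import random
from statistics import mean


def poisson(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) using Knuth's method (fine for small rates)."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(lef, lm, trials=10_000, seed=1):
    """Monte Carlo estimate of annualized loss exposure (ALE) for one FAIR scenario.

    lef: (min, most_likely, max) loss event frequency in events per year.
    lm:  (min, most_likely, max) loss magnitude per event in dollars.
    Each trial is one simulated year: draw a frequency from the LEF range,
    draw how many events actually occur at that rate, then draw each event's loss.
    """
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        rate = rng.triangular(lef[0], lef[2], lef[1])  # args: low, high, mode
        losses = [rng.triangular(lm[0], lm[2], lm[1]) for _ in range(poisson(rng, rate))]
        years.append(sum(losses))
    years.sort()
    pct = lambda q: years[min(int(q * trials), trials - 1)]
    return {"min": years[0], "p10": pct(0.10), "p50": pct(0.50),
            "p90": pct(0.90), "max": years[-1], "mean": mean(years)}


# Constructed (hypothetical) inputs for the article's example scenario: cyber criminals
# using ransomware and exfiltration against trade-secret data protected by encryption.
RANSOMWARE_LEF = (0.1, 0.5, 2.0)                 # one event per 10 years .. two per year
RANSOMWARE_LM = (250_000, 1_500_000, 8_000_000)  # dollars per event

if __name__ == "__main__":
    result = simulate_ale(RANSOMWARE_LEF, RANSOMWARE_LM)
    for key in ("min", "p10", "p50", "p90", "max", "mean"):
        print(f"{key:>4}: ${result[key]:>14,.0f}")
```

The p10/p50/p90 spread is the "range of probable outcomes" a FAIR report presents; a control that narrows the frequency range (for example, by lowering the maximum) shifts the whole distribution and can be compared in dollars against its cost.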

How does Safe Security implement FAIR?

Safe Security is the creator of the FAIR standard and the technical adviser to the FAIR Institute. The SAFE One Platform stands alone in the marketplace as the only cyber risk management solution that embeds FAIR – every SAFE One output is powered by FAIR. SAFE One automates the entire FAIR process from alignment with risk frameworks to real-time data gathering to risk scenario creation to on-demand analysis reporting to prioritizing among risks for loss exposure to quantifying controls effectiveness for risk reduction.

Contact Safe Security to learn how we can bring the benefits of FAIR cyber risk quantification to your risk management.