CyberSaint Blog | Expert Thought

A Pocket Guide to Factor Analysis of Information Risk (FAIR)

Written by Maahnoor Siddiqui | September 9, 2022

FAIR, short for Factor Analysis of Information Risk, is a cyber risk quantification model developed to help businesses evaluate information risks. FAIR is the only international standard quantitative model that covers both operational risk and information security. The methodology is of greatest benefit to mature organizations that already use cyber risk management solutions.

The primary objective of FAIR is to support the organization's existing frameworks and risk management strategies.

FAIR vs. Legacy Risk Quantification Methods

To see how FAIR distinguishes itself from other frameworks, we must first understand that FAIR is not a cybersecurity framework like the NIST CSF. It cannot be used as a control framework on its own; it is a complementary methodology that works alongside frameworks such as NIST, ISO 2700x, and other industry standards.

Over time, organizations develop gaps in compliance, and standard frameworks cannot predict the risk associated with those gaps. The FAIR methodology identifies an organization's risks, helps businesses direct their resources at the gaps that matter for decisions, and scales threat levels, a feature most frameworks lack.

As companies shift from a compliance-based approach to a risk-based approach, they need a risk quantification methodology to support it. Not only does FAIR support this shift in practice, but it also helps foster interest in cyber risk among board members and non-technical leaders. The FAIR methodology is unique in that it translates an organization's loss exposure into financial terms, enabling better communication between technical teams, non-technical members, and leadership.

Unlike the FAIR model, legacy risk quantification models rely on penetration testing performed without internal knowledge of the target system. The testers are unaware of the code and designs that are not publicly available.

Testers can determine some of the system's risks and vulnerabilities this way, but black-box testing cannot put a financial figure on the risk. Moreover, with limited knowledge, the test cannot identify all of an organization's threats and vulnerabilities.

Compared to legacy methods or black-box testing, FAIR is a "glass-box," transparent quantification method that shows leaders how the metrics were reached. This allows CISOs to drill down further when presenting to board leaders and executive stakeholders.

The FAIR framework is not perfect, despite its broad benefits, extensive security coverage, and strong threat level identification. Some common drawbacks are:

  • FAIR is comparatively difficult to use, as it has no specific or defined documentation of its methods.
  • FAIR cannot assess risks independently. It is a complementary methodology that improves risk assessment by coordinating with other frameworks.
  • FAIR relies mainly on probability; although these probabilities are not baseless, they are not entirely accurate because cyber-attacks and the damage they cause vary so widely.

Preparing for a FAIR Risk Assessment

To prepare for a FAIR risk assessment, organizations must start by identifying their network security framework and understanding its complexity and metrics. It is also crucial to identify all third-party access to any asset or data.

Before a FAIR risk assessment, you must know the different types of risk. Different risks have different outcomes and consequences. Be aware of the following risk types when using this framework:

  • Compliance risks
  • Operational risks
  • Reputational risks
  • Strategic risks
  • Transactional risks

Once you understand the potential risks that can make your organization vulnerable, you can start the FAIR risk assessment to develop strategies to reduce and resolve the challenges.


Steps to Take for FAIR Assessment

Use the approach listed below to incorporate the FAIR assessment successfully and reduce the chances of breaches and penalties.

  1. Organize your system (system identification, data, vendors, suppliers, accesses, data flow, any third-party access, or other factors depending on the company).
  2. Identify potential threats (data backup failures, exposed or breached data, unauthorized access, and others).
  3. Organize risks and consequences (High, Medium, and Low).
  4. Evaluate your controls (authentication, security, operations, administrative, and others).
  5. Calculate the impact of risks, threats, and possibilities.

Mature, risk-oriented organizations are the usual adopters of the FAIR framework. A risk-first approach lets them address broader risk categories and conduct in-depth analyses of internal and external risks.

FAIR Risk Assessment Checklist

For a company to run a FAIR risk assessment, it has to go through four stages of risk quantification:

  • Scenario Component Identification: Two elements are at risk: an asset and the threat community acting against it. It is essential to identify both and the associated risk.
  • Loss Event Frequency (LEF) Evaluation: LEF has sub-elements that must be estimated first: TCap (Threat Capability), CS (Control Strength), and TEF (Threat Event Frequency). From TCap and CS, derive Vulnerability; from TEF and Vulnerability, derive LEF.
  • Probable Loss Magnitude (PLM): PLM needs two estimates, one for the worst-case loss and one for the probable loss.
  • Articulate and Derive the Risk: Once all the estimates are in place, you can articulate and derive the risk.
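The four stages above, and the split of loss magnitude into primary and secondary losses described later on this page, can be walked through numerically. The following is an added example, not CyberSaint's or the FAIR Institute's code; it assumes the standard FAIR factor relationships (Vulnerability as the probability that threat capability exceeds control strength, LEF = TEF × Vulnerability, loss magnitude = primary + secondary loss, annualized exposure = LEF × loss magnitude) and uses constructed min / most-likely / max ranges with a triangular distribution as a stand-in for the PERT curves that FAIR tooling typically uses.

```python
"""Worked FAIR calculation: added example, not CyberSaint's or FAIR Institute code.

Assumed relationships (standard FAIR factor tree, not spelled out in full on the page):
  Vulnerability = P(Threat Capability > Control Strength)
  Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
  Loss Magnitude (LM)        = primary loss + secondary loss   (per loss event)
  Annualized loss exposure   = LEF x LM
All input numbers below are constructed sample values, not real assessment data.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max range for one FAIR factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution as a simple stand-in for PERT (assumption).
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat_community: str
    tef: Estimate             # threat events per year
    tcap: Estimate            # threat capability, percentile 0-100
    cs: Estimate              # control strength, percentile 0-100
    primary_loss: Estimate    # USD per loss event: response, replacement, lost productivity
    secondary_loss: Estimate  # USD per loss event: fines, customer churn, brand damage


def point_estimate(tef: float, vulnerability: float, primary: float, secondary: float) -> dict:
    """Deterministic single-point pass through the factor tree."""
    lef = tef * vulnerability
    lm = primary + secondary
    return {"lef": lef, "lm": lm, "ale": lef * lm}


def estimate_vulnerability(tcap: Estimate, cs: Estimate, rng: random.Random, n: int = 20_000) -> float:
    """Vulnerability as the share of trials in which the threat's capability beats the control."""
    wins = sum(1 for _ in range(n) if tcap.sample(rng) > cs.sample(rng))
    return wins / n


def simulate(s: Scenario, iterations: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo over the ranges; returns probable (median) and worst-case (p95) exposure."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    vuln = estimate_vulnerability(s.tcap, s.cs, rng)
    ale = []
    for _ in range(iterations):
        lef = s.tef.sample(rng) * vuln
        lm = s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
        ale.append(lef * lm)
    ale.sort()
    return {
        "vulnerability": vuln,
        "probable_loss": ale[len(ale) // 2],           # median annual exposure
        "worst_case_loss": ale[int(len(ale) * 0.95)],  # 95th percentile
        "max_sampled": ale[-1],
    }


# Constructed scenario: a customer database targeted by external criminal actors.
SAMPLE = Scenario(
    asset="customer PII database",
    threat_community="external cybercriminals",
    tef=Estimate(2, 6, 12),
    tcap=Estimate(40, 65, 90),
    cs=Estimate(50, 70, 85),
    primary_loss=Estimate(50_000, 150_000, 400_000),
    secondary_loss=Estimate(20_000, 250_000, 1_500_000),
)

if __name__ == "__main__":
    print(point_estimate(tef=4, vulnerability=0.25, primary=100_000, secondary=50_000))
    for name, value in simulate(SAMPLE).items():
        print(f"{name:>16}: {value:,.2f}")
```

The point estimate shows the arithmetic of the factor tree on its own; the simulation is what produces the probable and worst-case figures that the PLM stage asks for, and it is also the "glass box" the article refers to, since every intermediate factor can be inspected and challenged.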


How to Utilize Data from the FAIR Risk Assessment?

When the assessment is complete and you have calculated LEF, loss magnitude, and the other parameters, you obtain the FAIR loss magnitude. It is the sum of primary and secondary losses: primary losses include recovery costs, asset losses, and other direct losses, while secondary losses consist of penalties, lost customers, and damage to the brand.

The FAIR risk assessment method uses a confidence score for the security framework. Organizations can use the data obtained to improve their operating security framework by identifying gaps and reducing risks. The company's CISO can improve decision-making processes based on these KPIs, metrics, and results from the FAIR assessment.

Leverage a cybersecurity reporting tool like CyberStrong, which streamlines the reporting requirements of the CISO and other security leaders to secure executive interest and investment.


CyberStrong is Shaping the Cyber Risk Management Future

A FAIR risk assessment will deliver insights for risk scenario reporting and for risk portfolio analysis and reporting. The assessment report summarizes the possible risks, the assets that face threats, and the potential financial loss from those risks. These insights are crucial for C-level executives, board members, and non-technical business leaders.

Not all organizational leaders are familiar with cybersecurity and risk terminology. Frameworks other than FAIR provide complex insights that are hard for non-technical members to understand, which complicates decision-making and communication across the organization.

The data from FAIR, by contrast, presents results in simple financial terms that decision-makers and team members can easily understand. A dollar loss figure makes the severity of the risks, and the priority of defensive cyber-security measures, clear to anyone.

Furthermore, the organization can allocate its cybersecurity budget accordingly and estimate the return on that investment.

The CyberStrong platform automates the mapping of your data to cyber risk management and security frameworks, reducing the complexity of framework testing with the FAIR risk methodology.

Wrapping Up

Your organizational data is at stake, as it is of high value to cybercriminals. Utilize the FAIR model risk assessment to conduct systematic cyber risk quantification analyses to understand risk in financial terms, gain clear insights into your security posture, and effectively decide on measures to improve your cyber strategy. 

Contact us to learn more about how you can quantify cyber risk with FAIR through CyberStrong.