Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

Cyber Risk Quantification, FAIR

The FAIR Risk Model: A Practical Guide for Organizations

down-arrow

With the increased interest by Boards and executive leaders in cybersecurity, CISOs and security teams need a cyber risk assessment template that can easily translate cyber risk data into financial insights. Cybersecurity data can be pretty technical and is not easily understood by business-side professionals. Yet, these insights can no longer be glossed over because they seem daunting. Security professionals can leverage the Factor Analysis of Information Risk (FAIR) model to assess cyber risks in financial terms.

FAIR is the only international standard quantitative model for information security and operational risk. This model translates the impact of these risks by analyzing risk scenarios and aggregating the scenarios to quantify potential loss exposure in financial terms. 

The FAIR approach is unique compared to other cyber risk quantification approaches as it delivers actionable and transparent insights, unlike black-box risk scores that provide a risk score based on unknown calculations. Security teams might be given a score of 3 out of 5. What does this mean for the team? What actions can the team take to improve? What areas exactly need improvement? And, most importantly, what can the Board understand from a score of 3? 

The FAIR Risk Model Explained 

The FAIR model uses three concepts to calculate risk metrics. 

  • Annualized loss expectancy (ALE): ALE is the average expected annual loss from a loss event.
  • Annualized rate of occurrence (ARO): ARO is the frequency with which a loss event is expected to occur over a given period. The ARO is calculated by estimating the likelihood of a threat exploiting a vulnerability and causing a loss event. This can be done using historical data, industry benchmarks, and expert judgment.
  • Loss magnitude (ML): ML is the average financial impact of a loss event. The ML is calculated by estimating the financial impact of a loss event, considering factors such as the cost of repairing damage, the cost of downtime, and the cost of reputational damage.

By multiplying the ARO by the ML, risk teams get an ALE that can be used to decide how to mitigate the risk. 

Let’s look at an example of a FAIR calculation. Suppose an organization has a customer information database worth $50 million. The security team has identified a vulnerability that may lead to data exploitation. The group estimates that the ARO is 20% and the ML is $15 million. 

ALE =

ARO x ML

ALE =

20% x 15,000,000

ALE =

$3,000,000

This calculation means that the company expects to lose an average of $3 million per year due to the database vulnerability. Security teams can report on this metric to executives to underscore the importance of mitigating this risk and provide mitigation tactics to deploy. They should also use these calculations as a starting point to track risk remediation over time and changes in ALE.  

The FAIR model also considers the effectiveness of controls in reducing the risk of a loss event—the more effective the controls, the lower the ARO and ML.

FAIR Model Ontologies 

The FAIR risk model is one of the most comprehensive risk quantification approaches. Take a look at the several ontologies that represent the various concepts involved in CRQ. 

Ontology

Description

Asset Ontology

This ontology considers the different types of assets that can be affected by cyber risks.

Vulnerability Ontology

This ontology refers to the different types of vulnerabilities that threat actors exploit.

Control Ontology

This ontology represents the different types of controls organizations can implement to mitigate cyber risks.

Threat Ontology

This ontology represents the different types of actors and events that pose a cyber risk.

Loss Event Ontology

This ontology refers to the adverse outcomes that can occur when threats exploit vulnerabilities and controls fail.

 

Depending on the CRQ tool your organization is leveraging, this set of ontologies will be used to complete FAIR cyber risk quantification. The FAIR ontologies are designed to be interoperable so that organizations can combine different ontologies to meet their needs. Overall, the FAIR model aims to compile as much contextual information as possible to enhance the calculation of ALE. 

Learn more about cyber risk quantification frameworks here

CyberSaint’s Approach to FAIR 

The CyberStrong platform offers FAIR-based assessments, NIST 800-30, and accommodates custom risk models. Honing in on contextualizing cyber risk data to deliver more accurate data as FAIR does, with the availability of multiple risk models - CyberStrong users can leverage multiple models to quantify risk at all maturity levels. 

The FAIR risk model connects two essential components in cyber risk management: cyber risk assessment data and executive reporting. This quantitative model translates critical information to encourage executive buy-in and interest.

Discover more about FAIR in our webinars.

Schedule a conversation with the CyberSaint team to learn more about our approach to CRQ.

You may also like

Putting the “R” back in GRC - ...
on October 22, 2024

Cyber GRC (Governance, Risk, and Compliance) tools are software solutions that help organizations manage and streamline their cybersecurity, risk management, and compliance ...

October Product Update
on October 17, 2024

The team at CyberSaint is thrilled to announce the latest additions and updates to the CyberStrong solution. To start off, we’ve made it easier to create an assessment and risk ...

Transforming Cyber Risk ...
on October 12, 2024

In today’s complex cyber landscape, managing risks effectively isn’t just about identifying threats—it’s about understanding their impact and knowing how to prioritize ...

Step-by-Step Guide: How to Create ...
on September 23, 2024

Cyber risk management has become more critical in today's challenging digital landscape. Organizations face increased pressure to identify, assess, and mitigate risks that could ...

From Fragmentation to Integration: ...
on September 17, 2024

Organizations are often inundated with many security threats and vulnerabilities in today's fast-paced cybersecurity landscape. As a result, many have turned to point ...

How to Create a Comprehensive ...
on September 9, 2024

Cyber threats are becoming more frequent, sophisticated, and damaging in today's rapidly evolving digital landscape. Traditional approaches to cyber risk management, which often ...