With the increased interest by Boards and executive leaders in cybersecurity, CISOs and security teams need a cyber risk assessment template that can easily translate cyber risk data into financial insights. Cybersecurity data can be pretty technical and is not easily understood by business-side professionals. Yet, these insights can no longer be glossed over because they seem daunting. Security professionals can leverage the Factor Analysis of Information Risk (FAIR) model to assess cyber risks in financial terms.
FAIR is the only international standard quantitative model for information security and operational risk. This model translates the impact of these risks by analyzing risk scenarios and aggregating the scenarios to quantify potential loss exposure in financial terms.
The FAIR approach is unique compared to other cyber risk quantification approaches as it delivers actionable and transparent insights, unlike black-box risk scores that provide a risk score based on unknown calculations. Security teams might be given a score of 3 out of 5. What does this mean for the team? What actions can the team take to improve? What areas exactly need improvement? And, most importantly, what can the Board understand from a score of 3?
The FAIR Risk Model Explained
At its simplest, the FAIR calculation comes down to three quantities. FAIR's own terms are loss event frequency (LEF) and loss magnitude (LM); the annualized shorthand below is the equivalent single-point form.
- Annualized loss expectancy (ALE): the average loss expected per year from a given loss event scenario.
- Annualized rate of occurrence (ARO): how many times per year the loss event is expected to occur, expressed as a rate (0.2 means one event every five years on average, not a 20% probability). It is estimated from the likelihood that a threat acts against the asset and overcomes its controls, using historical data, industry benchmarks, and expert judgment.
- Loss magnitude (LM): the average financial impact of a single loss event, including the cost of repairing damage, the cost of downtime, and the cost of reputational damage.
Multiplying ARO by LM gives the ALE, the figure risk teams use to decide whether and how to mitigate the risk. In practice FAIR estimates each input as a range (minimum, most likely, maximum) and simulates many years to produce a distribution of annual loss, so the single-point product is the simplest case.
Let's look at an example of a FAIR calculation. Suppose an organization's customer information database is valued at $50 million. The security team has identified a vulnerability that could be exploited to steal the data. The team estimates an ARO of 0.2 (one such event every five years on average) and an LM of $15 million.

ALE = ARO x LM = 0.2 x $15,000,000 = $3,000,000

This means the company expects to lose an average of $3 million per year to this scenario. Security teams can report this metric to executives to underscore the importance of mitigating the risk and to propose specific mitigations. They should also use the calculation as a baseline and track how the ALE changes as remediation progresses.
The FAIR model also accounts for the effectiveness of controls: the more effective the controls, the lower the ARO (fewer loss events) and the lower the LM (less loss per event).
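The following is an added example, not code from the original article or from CyberSaint's CyberStrong platform. It reproduces the single-point ALE above and then does what FAIR tooling actually does with the same inputs: treats ARO (loss event frequency) and LM as three-point ranges, simulates thousands of years with a seeded random generator, and reports the mean (the Monte Carlo ALE) alongside percentiles, before and after a control change. The range bounds and the control-reduction percentages are constructed for illustration; the triangular distribution and Poisson event count are simplifications of the PERT distributions FAIR tools commonly use.

```python
"""FAIR-style loss exposure in two forms: the single-point ALE = ARO x LM
product and a range-based Monte Carlo estimate, plus the effect of controls.
All figures are hypothetical, constructed for this example."""
import math
import random
import statistics
from dataclasses import dataclass


def single_point_ale(aro: float, loss_magnitude: float) -> float:
    """ALE = ARO x LM. ARO is a rate in events per year: 0.2 means one loss
    event every five years on average, not a 20% probability."""
    return aro * loss_magnitude


@dataclass(frozen=True)
class Range:
    """A FAIR-style calibrated estimate: minimum, most likely, maximum."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution; FAIR tools commonly use PERT, a smoother
        # relative of the same three-point estimate.
        return rng.triangular(self.low, self.high, self.most_likely)

    def scaled(self, factor: float) -> "Range":
        return Range(self.low * factor, self.most_likely * factor, self.high * factor)


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: Range  # events per year (LEF in FAIR terms)
    loss_magnitude: Range        # dollars lost per event (LM in FAIR terms)


# Constructed inputs: the 0.2-per-year and $15M figures from the text as the
# most-likely values, with plausible (invented) bounds around them.
DATABASE_BREACH = Scenario(
    name="customer database compromise",
    loss_event_frequency=Range(0.05, 0.2, 0.5),
    loss_magnitude=Range(2_000_000, 15_000_000, 40_000_000),
)


def poisson(rng: random.Random, rate: float) -> int:
    """Number of events in one year for an expected rate (Knuth's method)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate(scenario: Scenario, years: int = 20_000, seed: int = 1) -> dict:
    """Simulate independent years: each year draws a frequency, the number of
    events at that frequency, and a magnitude per event. Returns summary
    statistics of annual loss in dollars."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(years):
        rate = scenario.loss_event_frequency.sample(rng)
        events = poisson(rng, rate)
        annual_losses.append(
            sum(scenario.loss_magnitude.sample(rng) for _ in range(events))
        )
    deciles = statistics.quantiles(annual_losses, n=10)
    return {
        "mean": statistics.fmean(annual_losses),  # the Monte Carlo ALE
        "p10": deciles[0],
        "p50": deciles[4],
        "p90": deciles[8],
        "max": max(annual_losses),
        "years_with_loss": sum(1 for loss in annual_losses if loss > 0) / years,
    }


def apply_controls(scenario: Scenario, frequency_reduction: float,
                   magnitude_reduction: float) -> Scenario:
    """Model controls as fractional reductions in LEF (e.g. stronger access
    control) and in LM (e.g. encryption, a tested incident response plan)."""
    return Scenario(
        name=f"{scenario.name} (with controls)",
        loss_event_frequency=scenario.loss_event_frequency.scaled(1 - frequency_reduction),
        loss_magnitude=scenario.loss_magnitude.scaled(1 - magnitude_reduction),
    )


if __name__ == "__main__":
    print(f"single-point ALE: ${single_point_ale(0.2, 15_000_000):,.0f}")
    before = simulate(DATABASE_BREACH)
    after = simulate(apply_controls(DATABASE_BREACH, 0.5, 0.25))
    for label, stats in (("before controls", before), ("after controls", after)):
        print(f"{label}: mean ${stats['mean']:,.0f}, p50 ${stats['p50']:,.0f}, "
              f"p90 ${stats['p90']:,.0f}, max ${stats['max']:,.0f}")
```

Two things the single-point number hides are visible in the simulation output: with a loss event every few years, the median annual loss is typically $0 while the mean is in the millions, so the ALE is driven by the tail and is best reported with a p90 or worst-case figure next to it; and halving the event frequency reduces the mean loss in proportion, which is how a control's value can be argued in the same dollar terms as the risk.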
FAIR Model Ontologies
The FAIR risk model is one of the most comprehensive risk quantification approaches. The table below lists the ontologies that represent the concepts involved in CRQ.

| Ontology | Description |
| --- | --- |
| Asset Ontology | The types of assets that cyber risks can affect. |
| Vulnerability Ontology | The types of vulnerabilities that threat actors exploit. |
| Control Ontology | The types of controls organizations can implement to mitigate cyber risks. |
| Threat Ontology | The types of actors and events that pose a cyber risk. |
| Loss Event Ontology | The adverse outcomes that occur when threats exploit vulnerabilities and controls fail. |

Depending on the CRQ tool your organization uses, some or all of these ontologies feed the FAIR quantification. They are designed to be interoperable, so organizations can combine them to fit their needs. Overall, the FAIR model aims to gather as much contextual information as possible to improve the ALE estimate.
CyberSaint’s Approach to FAIR
The CyberStrong platform offers FAIR-based assessments, NIST SP 800-30 assessments, and custom risk models. Because FAIR draws its accuracy from contextualizing cyber risk data, and because several risk models are available, CyberStrong users can quantify risk at any maturity level.
The FAIR risk model connects two essential components in cyber risk management: cyber risk assessment data and executive reporting. This quantitative model translates critical information to encourage executive buy-in and interest.
Schedule a conversation with the CyberSaint team to learn more about our approach to CRQ.