The FAIR Model: An Objective Approach to Risk Measurement
Cynthia Tran, Senior Consultant - Security & Privacy, Protiviti and Tyler Ross, Manager - Cybersecurity and Privacy, Protiviti | October 26, 2021
With the right tools, companies can move from a subjective approach to cyber risk management to one that is more objective using historical data and subject matter expertise. Cyber risk quantification using the Open FAIR™ model is one of the tools that support informed decision-making for risk assessment and treatment. Earlier this year, we had the pleasure of presenting during LogicGate’s Agility 2021 conference. Below, we share some of the key highlights from our session, “FAIR Executive Overview.”
What is the FAIR model?
The FAIR (Factor Analysis of Information Risk) model enables organizations to quantify the impact of cyber risks so they can be managed consistently. By translating the impact of cyber threats into dollars and cents, stakeholders can better understand their risk posture and make risk-informed decisions.
Complementary to existing frameworks such as ISO, COSO, NIST, and others, cyber risk quantification provides the information and clarity needed to make better-informed decisions. When you use FAIR for risk analysis, you can consistently identify, measure, analyze and report risks and help your company shift from random estimation to a more calculated approach.
How does cyber risk quantification using the FAIR model work?
Discover Assets: Identify the assets of business value within your organization, such as Personally Identifiable Information (PII) or platform availability
Identify Threats: Determine threat actors and threat vectors that could pose harm to the assets
Gather Data: Collect internal or external data inputs regarding the estimated frequency and magnitude of loss events
Perform Analysis: Leverage a risk quantification method that makes use of statistical methods
Report Results: Develop reporting for key stakeholders to communicate the financial impact of threats
Supported by a growing community of risk professionals, FAIR is the leading quantification model for cyber risk and has already been adopted by 30% of Fortune 100 companies.
Benefits of FAIR
FAIR’s top-down risk approach helps companies assess risks specific to their environment. It substitutes random estimation with a more rigorous model of expected financial impact. By understanding how loss in asset confidentiality, availability, or integrity affects your firm, you can make informed risk treatment decisions to protect your most critical assets.
FAIR provides a tactical approach to risk analysis by focusing on discrete details for a specific risk scenario. Companies can build a more realistic and consistent understanding of their risk profile by analyzing scoped risk scenarios and aggregating these scenarios to understand potential loss exposure. Measuring risk helps to enable prioritization. With FAIR, you can take a more strategic view of your risk profile. From looking at narrowly scoped risks, to the risks facing a specific asset, to your company’s risks in the aggregate, you can build a comprehensive view of where your company is most likely to be impacted. FAIR’s more rigorous approach to risk analysis helps you make calculated and defensible decisions on which risks to treat.
Another critical benefit of risk quantification and the FAIR model is its ability to help risk professionals report financial impact in monetary terms. Quantified risks distilled in dollars and cents are more easily understood and communicated, resonating with key business leaders and allies. Generating consensus around risk decisions is easier when everyone clearly understands the stakes.
Getting Started with FAIR
The FAIR model provides a framework to reduce uncertainty and improve consistency in risk analysis. FAIR helps risk professionals take a rigorous and quantitative approach to generate meaningful metrics that can be easily understood and communicated to stakeholders and can inform better decision-making.
Companies at any level of risk management maturity can benefit from cyber risk quantification using the FAIR model. The intent is not to change your existing risk organization and processes but to improve your risk management toolset. The key is starting where you are with whatever resources, assets, and data you have available.
Protiviti provides clients with consulting and managed solutions in finance, technology, operations, data, analytics, governance, risk and internal audit through its network of more than 85 offices in over 25 countries. To learn how Protiviti can help your organization evaluate cyber risk, visit Protiviti.com/fair. If you’d like to learn how LogicGate can help you on your risk quantification journey, check out Risk Cloud Quantify® or download our new eBook, The Definitive Guide to Risk Quantification.
FAIR Executive Overview with Protiviti was a client session during Agility 2021, Risk Reimagined. Protiviti’s Tyler Ross, Manager of Cybersecurity and Privacy, and Cynthia Tran, Senior Consultant covering Security & Privacy, took a deep dive into the FAIR model and how it can benefit all organizations, no matter where they are in their risk management maturity.