Factor analysis of information risk

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Factor Analysis of Information Risk (FAIR) is the only international standard Value-at-Risk (VaR) model for information security and operational risks.[citation needed] It is both a taxonomy and an ontology of the factors that contribute to risk. It is primarily concerned with quantifying information and operational risk in financial terms and facilitate effective decision-making.

FAIR is complementary to existing information risk frameworks such as NIST CSF, ISO and Octave. These frameworks provide guidance on building risk management programs, but do not include methodologies for the actual quantification of information risk. FAIR can be used to strengthen,[citation needed] rather than replace these frameworks.

FAIR was developed by Jack Jones, a 3x CISO and Risk Officer and the foremost authority in information risk management, following requests by business management and boards to understand their risk exposure in financial versus technical terms and help drive decisions concerning prioritization of risk mitigation efforts, security budgeting and cyber insurance coverage.

An International Standard[edit]

FAIR is recognized and promoted as an international standard by The Open Group, an international consortium and standards body, that has published the Open FAIR Body of Knowledge and the related certification process.[1]

The FAIR book[edit]

The most comprehensive guide[citation needed] to FAIR is a book, authored by Jack Jones and Jack Freund, and that published in late 2014 under the name of ″Measuring and Managing Information Risk: A FAIR Approach" [2]

Although the basic taxonomy and methods have been made available for non-commercial use under a creative commons license, FAIR itself is proprietary. Using FAIR to analyze someone else’s risk for commercial gain (e.g. through consulting or as part of a software application) requires a license from RiskLens, Inc. .[3]

FAIR Software[edit]

RiskLens, Inc. is the software company that owns the right to the FAIR methodology and that provides a software that helps organizations quantify information risk based on FAIR.[4]

Main concepts[edit]

FAIR [5] underlines that risk is an uncertain event and one should not focus on what is possible, but on how probable is a given event. This probabilistic approach is applied to every factor that is analysed. The risk is the probability of a loss tied to an asset.


An asset’s loss potential stems from the value it represents and/or the liability it introduces to an organization.[5] For example, customer information provides value through its role in generating revenue for a commercial organization. That same information also can introduce liability to the organization if a legal duty exists to protect it, or if customers have an expectation that the information about them will be appropriately protected.

FAIR defines six kind of loss:[5]

  1. Productivity – a reduction of the organization to effectively produce goods or services in order to generate value
  2. Response – the resources spent while acting following an adverse event
  3. Replacement – the expense to substitute/repair an affected asset
  4. Fines and judgements (F/J) – the cost of the overall legal procedure deriving from the adverse event
  5. Competitive advantage (CA)- missed opportunities due to the security incident
  6. Reputation – missed opportunities or sales due to the diminishing corporate image following the event

FAIR defines value/liability as:[5]

  1. Criticality – the impact on the organization productivity
  2. Cost – the bare cost of the asset, the cost of replacing a compromised asset
  3. Sensitivity – the cost associated to the disclosure of the information, further divided into:
    1. Embarrassment – the disclosure states the inappropriate behaviour of the management of the company
    2. Competitive advantage – the loss of competitive advantage tied to the disclosure
    3. Legal/regulatory – the cost associated with the possible law violations
    4. General – other losses tied to the sensitivity of data


Threat agents can be grouped by Threat Communities, subsets of the overall threat agent population that share key characteristics. It’s important to precisely define threat communities in order to effectively evaluate impact (loss magnitude).

Threat agents can act differently on an asset:[5]

  • Access – read the data without proper authorization
  • Misuse – use the asset without authorization and or differently form the intended usage
  • Disclose – the agent let other people to access the data
  • Modify – change the asset (data or configuration modification)
  • Deny access – the threat agent do not let the legitimate intended users to access the asset

These actions can affect different assets in different ways: the impact varies in relationship with the characteristics of the asset and its usage. Some assets have high criticality but low sensitivity: denial of access has a much higher impact than disclosure on such assets. On the other hand an asset with highly sensitive data can have a low productivity impact if not available, but huge embarrassment and legal impact if that data is disclosed: for example the availability of former patient health data does not affect a healthcare organization's productivity but can cost millions of dollars if disclosed. [6] A single event can involve different assets: a [laptop theft] has an impact on the availability of the laptop itself but can lead to the potential disclosure of the information stored on it.

The key point is that it is the combination of an asset's characteristics and the type of action against that asset that determines the fundamental nature and degree of loss.

Important aspects to be considered are the agent motive and the affected asset characteristics.

See also[edit]