The FAIR Risk Model (Factor Analysis of Information Risk) is a quantitative risk analysis model that helps organizations assess cyber risks specific to their environment. The model translates the impact of these risks into a mathematical risk estimate by analyzing scoped risk scenarios and aggregating these scenarios to quantify potential loss exposure in monetary terms. The goal is to help organizations make sense of complex risk scenarios in order to determine where they are most likely to be impacted by a cyber-attack and what their potential financial loss is likely to be. FAIR is designed, maintained, and promoted by the FAIR Institute and is recognized by the Open Group as an international standard for quantifying cyber risk.
FAIR Framework
The FAIR model provides a framework for breaking down risk into measurable factors and using statistics and probabilities to estimate risk in quantitative terms. The objective is to analyze carefully scoped risk scenarios, identify data for quantification, and understand the relationship between these risk factors.
The FAIR standard is probabilistic rather than predictive. Risk is, therefore, defined as “the probable frequency and probable magnitude of future loss.” In other words, FAIR assesses risk based on a combination of Loss Event Frequency (LEF) and Loss Magnitude (PLM), where:
The frequency and magnitude of a loss are tied to an asset. According to FAIR, identifying an asset and its value is key to defining and measuring risk. An asset is any device, data, or another component of the organization with intrinsic value, which can be affected in a manner that results in a loss. When determining the value of an asset, FAIR considers the following losses:
- Productivity – Reductions incurred by an organization due to an inability to deliver key products and services.
- Response – Resources spent responding to a risk or threat immediately after it happens.
- Replacement – Costs of replacing any compromised assets.
- Reputation – Missed opportunities or sales due to diminishing shareholder or brand perception.
- Competitive advantage – Missed opportunities or costs of losing a competitive edge, like intellectual property or a market share.
- Judgments and fines – Costs of the legal procedures or fines deriving from the threat event.
An event or situation capable of acting against an asset in a manner that can result in any of the losses listed above is referred to by the FAIR framework as a “threat agent” or “threat community.” An example of such an event or situation is a natural disaster or a malware attack against a network.
FAIR Methodology
The FAIR methodology provides a way to assess the impacts and probabilities of risk in order to quantify risk. As indicated before, the methodology is a probabilistic approach rather than a deterministic approach and therefore assumes randomness in the data used for analysis. It focuses on the assets most critical to the organization’s operations and accounts for the most probable risk scenarios.
To apply the FAIR methodology, risk is quantified by considering the probable frequency (Loss Event Frequency) and probable magnitude of loss (Loss Magnitude). These two characteristics of risk are broken down into multiple factors, as shown in the risk model diagram below, and then assigned a monetary value to measure risk in quantitative terms. The values from the frequency side of the flowchart are multiplied by the corresponding magnitude figures to produce risk estimates.
The FAIR Model Diagram
The FAIR Model (source: The FAIR Institute) To understand the risk quantification FAIR methodology (Loss Event Frequency x Loss Magnitude), it’s important to look at each side of the model in greater detail.
- Loss Event Frequency (LEF) – Calculates the number of times or at the rate at which a given loss event is likely to occur within a timeframe. Loss event frequency can be broken down into two factors:
- Threat Event Frequency (TEF)- The number of times a threat or risk might occur.
- Vulnerabilities (Vul)- The probability that a threat will result in a loss event.
These branches work to quantify events that could become a risk, as well as how likely it is to happen. This calculation is informed by additional detail:
- Contact Frequency (CF)- The number of times or the rate at which an asset will come in contact with a threat.
- Probability of Action (PoA)- The probability that a threat will act against an asset upon contact.
- Threat Capability (TCap)- The level of force a threat, given its skills and resources, can apply against an asset.
- Resistance Strength (RS)- The ability of an asset to resist a threat’s attempts to compromise it.
The other side of the model, Loss Magnitude (LM), captures the factors that drive loss magnitude when threat events occur – Primary and Secondary – that are defined as follows:
- Primary Loss (PL)- The direct loss incurred by the primary stakeholder due to a threat event.
- Secondary Loss (SL)- The loss incurred to the primary stakeholder due to secondary stakeholders reacting negatively to the loss event.
Ultimately, the FAIR model helps minimize possible chances of risks by identifying the factors contributing to them. Organizations are left with two ways of decreasing loss exposure across the organization: reducing the number of times that a loss event occurs or mitigating the financial losses that would arise from these events.
Four stages of the FAIR methodology risk assessment
An organization looking to apply the FAIR methodology to perform a risk assessment can do so in four stages:
Stage 1. Identify Risk Scenarios
This stage involves identifying the assets at risk and sources of threat agents or threat communities being considered.
Stage 2. Evaluate Loss Event Frequency
This stage is used to collect information and make estimations on Threat Event Frequencies (TEF), Threat Capability (TCap), Resistance Strength (RS), Vulnerability (Vul), and Loss Event Frequency (LEF).
Stage 3. Evaluate Loss Magnitude
This stage is used to discover how much loss an organization can expect from a primary or secondary loss event and the magnitude of impact that a threat event will cause within and outside the organization.
Stage 4. Derive and Articulate Risk
This stage focuses on classifying factors that comprise risk, measuring these factors and their corresponding level of loss, and presenting a computational model that reflects the relationship between these identified factors. It also involves using a simulation model, like the Monte Carlo simulation, to analyze risk scenarios and determine their probable financial impact.
What questions does FAIR attempt to address?
FAIR attempts to provide organizations with a means to evaluate the financial loss impact from individual threat events, or in aggregate, across multiple events. Organizations are looking to assess various cyber threats and gain deeper insight into how these threats affect key business units or stakeholders. They are looking to answer questions like:
- What are the main cyber risks?
- Which assets are most at risk?
- What is the potential financial impact of this threat event?
- How many times can this threat event occur in a given time interval?
- How, and how much, to invest in reducing these risks?
- Between two control solutions, which one would reduce the risk most effectively?
By extension, the FAIR analysis method also gives organizations an opportunity to make business decisions about their cyber security budget, determine which insurance policy best suits their risks and choose the risk reduction solution that will yield the best return on investment. FAIR analysis can also facilitate regulatory compliance.
Drawbacks to using the FAIR risk model
Quantifying cyber risk based on the FAIR four-step method has several drawbacks.
Stage 1 of FAIR typically involves a group of people assessing a set of considered threats and their estimated loss and filling up a questionnaire in a FAIR tool based on their qualitative knowledge. This stage is:
- Time-consuming and costly
- Requires a deep understanding of the FAIR risk ontology
- Entails manual data collection
- Requires input from scenario-related experts or consultants
- Uses subjective information that can lead to inaccuracies
Stage 2 and Stage 3 of FAIR involve collecting information based on identified risk scenarios and then estimating Loss Event Frequency and Loss Magnitude. This stage:
- Often yields unusable information and creates a false sense of certainty due to an overreliance on probability estimation.
Stage 4 of FAIR focuses on analyzing, articulating, and deriving the probable financial impact of risk using a simulation model. This stage:
- Does not prioritize vulnerabilities or provide actionable steps an organization can take to improve cybersecurity posture and reduce breach risk.
- Does not provide remediation guidance that can be used by security teams to quickly and effectively manage threats within their entire network because security controls are pinpointed for specific threats.
- Makes the remediation and mitigation of cyber threats in a continuous and repeatable manner challenging to operationalize.
FAIR’s many drawbacks stem from the fact that this methodology was created when detailed cybersecurity data was not readily available. This is no longer true.
Paul Kelly, former head of Cyber Risk Management at HSBC explains this very well: “The issue here is that in the digital age, IT environments are dynamic. New threats and vulnerabilities are identified on a frequent basis. Config updates, patches, upgrades, new code releases, etc, are a continuous feature of the modern technology landscape. If you want to understand your current risk exposure, you need a calculation engine that can keep up with the myriad of changes that happen daily. You need to be able to take swift, targeted, and efficient action to keep your risk exposure at an acceptable level.”
Alternatives to FAIR for Cyber Risk Quantification
FAIR is not the only quantitative methodology for calculating cyber risk in dollars. Organizations evaluating cyber risk quantification need to consider two important factors:
- How to operationalize whichever methodology they choose to align with their business
- How to automate Cyber Risk Quantification (CRQ) across their organization, so it leads to real risk reduction.
Lack of business context and automation are fundamental limitations of FAIR.
Balbix Cyber Risk Quantification
While FAIR requires a great deal of human intervention to collect and analyze data to calculate risk, solutions like Balbix Cyber Risk Quantification (CRQ) incorporate business context into the risk model and automate risk discovery and quantification.
Balbix automatically ingests data from an organization’s existing IT and security applications into a unified model of cyber risk in dollars. This solution calculates breach likelihood and impact on an asset-based level and provides risk-mitigation options so organizations can improve their security posture. As remediation actions are taken, Balbix automatically updates the risk calculations. The result is a more continuous, real-time, and accurate calculation of cyber risk. Balbix also automates board and executive-level risk reporting with comprehensive business-aligned dashboards.
