FrankenFAIR: The Result of Performing Surgery on an International Standard
There are two kinds of changes we have seen over the years:
- Changes to the language of the ontology
This change is common because of internal struggles - sometimes political in nature - to adopt the language set forth in FAIR. This is why we see it as critical to establish a consistent risk language your organization can use. Getting this wrong means that stakeholders continue to talk past each other when discussing risk. We believe the established international standard language is ideal for most organizations.
- Changes to the underlying structure of the ontology
Reworking the ontology structure may be benign or catastrophic, depending on the change. Implemented poorly, the underlying formulas and logic are forced to do acrobatics for which they aren’t limber. These inaccurate results are arguably more dangerous to an organization than continuing to stick a wet finger in the air and make a pure guess at risk. Even if the underlying logic isn’t violated, you are almost guaranteed to tell a less powerful story about your risk. In either case, these changes can be the death knell of a quantitative, risk-based security program.
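To make the structural point concrete, here is an added example (not code from the original post, and not an official FAIR or Open Group implementation) that computes annualized loss exposure using the standard FAIR decomposition: Risk = Loss Event Frequency × Loss Magnitude, with LEF = Threat Event Frequency × Vulnerability and Vulnerability defined as the probability that Threat Capability exceeds Resistance Strength. The scenario values, the `FairScenario` class and the helper names are constructed for illustration, and secondary loss is simplified to an expected value. The validation step shows why structural edits matter: a "FrankenFAIR" that treats Vulnerability as a count rather than a probability, or lets LEF exceed TEF, produces numbers the formulas were never built to carry.

```python
"""Standard FAIR decomposition with structural sanity checks (illustrative example)."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class FairScenario:
    """Point estimates for one risk scenario (constructed values, not real data)."""
    tef: float                 # Threat Event Frequency: threat events per year
    vulnerability: float       # P(threat event becomes a loss event), must be in [0, 1]
    primary_loss: float        # expected Primary Loss Magnitude per loss event
    secondary_prob: float      # P(a loss event triggers secondary loss), in [0, 1]
    secondary_loss: float      # expected Secondary Loss Magnitude per secondary event


def estimate_vulnerability(tcap: Sequence[float], rs: Sequence[float]) -> float:
    """FAIR defines Vulnerability as P(Threat Capability > Resistance Strength).

    Given paired samples (e.g. percentile-scale estimates), the estimate is the
    fraction of pairs where the attacker capability exceeds control strength.
    """
    if len(tcap) != len(rs) or not tcap:
        raise ValueError("need equally sized, non-empty capability/strength samples")
    exceed = sum(1 for t, r in zip(tcap, rs) if t > r)
    return exceed / len(tcap)


def validate(s: FairScenario) -> None:
    """Enforce the constraints the ontology's structure relies on.

    A structural change that violates these (e.g. Vulnerability as a count of
    weaknesses, negative frequencies) yields results the formulas cannot
    support, which is the failure mode described in the post.
    """
    if s.tef < 0:
        raise ValueError("TEF is a frequency and cannot be negative")
    if not 0.0 <= s.vulnerability <= 1.0:
        raise ValueError("Vulnerability is a probability in [0, 1], not a count")
    if not 0.0 <= s.secondary_prob <= 1.0:
        raise ValueError("secondary loss probability must be in [0, 1]")
    if s.primary_loss < 0 or s.secondary_loss < 0:
        raise ValueError("loss magnitudes cannot be negative")


def loss_event_frequency(s: FairScenario) -> float:
    """LEF = TEF x Vulnerability; by construction LEF can never exceed TEF."""
    validate(s)
    return s.tef * s.vulnerability


def loss_magnitude(s: FairScenario) -> float:
    """LM = primary loss + expected secondary loss (simplified expected-value form)."""
    validate(s)
    return s.primary_loss + s.secondary_prob * s.secondary_loss


def annualized_loss_exposure(s: FairScenario) -> float:
    """Risk (annualized) = LEF x LM."""
    return loss_event_frequency(s) * loss_magnitude(s)


if __name__ == "__main__":
    # Constructed sample: attacker capability vs. control strength on a 0-100 scale.
    tcap_samples = [40, 55, 70, 85, 60, 30, 75, 90]
    rs_samples = [65, 65, 65, 65, 65, 65, 65, 65]
    vuln = estimate_vulnerability(tcap_samples, rs_samples)
    scenario = FairScenario(tef=4.0, vulnerability=vuln, primary_loss=50_000,
                            secondary_prob=0.2, secondary_loss=100_000)
    print(f"Vulnerability={vuln:.3f} LEF={loss_event_frequency(scenario):.2f}/yr "
          f"LM={loss_magnitude(scenario):,.0f} ALE={annualized_loss_exposure(scenario):,.0f}")
```

Running the module prints the chain of intermediate factors so the story behind the final number stays visible; passing a scenario whose Vulnerability is, say, 3 (three findings, rather than a probability) raises immediately instead of silently tripling the risk figure.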
As with any analytic framework, FAIR will continue to evolve. Changes, however, should be vetted with as many FAIR experts as possible to ensure that they represent fundamental improvements rather than merely the integration of pre-established “common practice” or opinions of people who aren’t well versed in how and why FAIR works the way it does.