« Return to Blog Listing

Mistakes of Modifying the FAIR Model

Mistakes of Modifying the FAIR Model

by Isaiah McGowan on Jan 15, 2016 10:36:58 AM
Factor Analysis of Information Risk (FAIR) has evolved over its twelve year history to become a very stable and comprehensive framework for analyzing and measuring risk.  Even still, we at RiskLens have seen organizations make changes to the model that yield unintended consequences.


FrankenFAIR: The Result of Performing Surgery on an International Standard

There are two kinds of changes we have seen over the years: 

  • Changes to the language of the ontology

This change is common because of internal struggles - sometimes political in nature - to adopt the language set forth in FAIR. This is why we see it as critical to establish a consistent risk language your organization can use. Getting this wrong means that stakeholders continue to talk past each other when discussing risk. We believe the established international standard language is ideal for most organizations. 

  • Changes to the underlying structure of the ontology

Reworking the ontology structure may be benign or catastrophic, depending on the change.  Implemented poorly, the underlying formulas and logic are forced to do acrobatics for which they aren’t limber. These inaccurate results are arguably more dangerous to an organization than continuing to stick a wet finger in the air and making a pure guess at risk.  Even if the underlying logic isn’t violated, you are almost guaranteed to tell a less powerful story about your risk. In either case, these changes can be the death knell of a quantitative, risk-based security program.

As with any analytic framework, FAIR will continue to evolve.  Changes, however, should be vetted with as many FAIR experts as possible to ensure that they represent fundamental improvements rather than merely the integration of pre-established “common practice” or opinions of people who aren’t well versed in how and why FAIR works the way it does.

Schedule a Demo
This post was written by Isaiah McGowan

Isaiah McGowan is a Cyber Risk Scientist for RiskLens

Connect with Isaiah

Sign Up for Blog Updates

Recent Posts

Popular Posts