Build or Buy an Application to Run FAIR Cyber Risk Quantification?

October 22, 2020  Jeff B. Copeland

We recently spoke with a potential buyer of RiskLens software and services that is already running a home-grown solution for cyber risk quantification based on Factor Analysis of Information Risk (FAIR™) -- with mixed results. Quite a number of RiskLens customers started as do-it-yourselfers, and as the popularity of FAIR grows, we’re seeing more organizations taking a try-before-you-buy approach.

And that’s good. In fact, RiskLens makes available the FAIR-U application free of charge so anyone can try FAIR analysis on a very limited scale, for instance while taking a FAIR training class from the  RiskLens Academy. We’re confident that seeing the benefits of cyber risk quantification will whet your appetite to scale up to the enterprise-grade analysis, management and reporting capabilities of the RiskLens SaaS platform.

But to be clear, FAIR is an open standard, certified by the Open Group, recognized by the National Institute of Standards and Technology and other authoritative bodies, and supported by the nearly 10,000 members of the  FAIR Institute (RiskLens is the technical adviser to the Institute). That’s why FAIR has such high credibility as the model of choice for quantitative analysis of cyber and technology risk.

Because it’s an open standard, FAIR can be run on spreadsheets or DIY apps. But should you do it? As we talked to this potential client, some of their frustrations with their spreadsheet/app solution came to the fore:


Their app is just a calculator, and that only covers one part of a quantified risk analysis.  An analyst has to jump back and forth from spreadsheets to app to wrangle the elements she needs to scope a scenario for FAIR analysis: assets, threats, loss types, loss events.

>>The RiskLens platform walks the user through the analysis process to build out a scenario with a simple workflow, much like tax software, with the user selecting assets, etc., from dropdown menus.  


The DIY solution is amnesiac. To fill out the scenario, the analyst needs to repeatedly pull together data for input from the multiple business units of the company.

>>The RiskLens platform stores a vast array of elements for repeat use in analysis such as assets, risk scenarios, loss tables, risk assessments and data points such as incident response costs, loss event frequency, threat actors and controls strength - to name a few.


Their solution can’t aggregate or compare risk within or among the business units for an overall picture of loss exposure or to confidently identify top risks. To even approach those goals, they must run multiple analyses one at a time, a time suck. More importantly, if they can’t reliably identify top risks, they may have millions of dollars in unknown loss exposure hanging over them or millions more in misdirected risk mitigation efforts.

>>The RiskLens platform’s Rapid Risk Assessment capability  in minutes organizes and compares top risks based on ranges for dollar values of probable loss. 

Comparative or cost-benefit analyses to evaluate risk treatments

By altering the variables for FAIR factors, they can get a rough idea of the effect of controls or other risk mitigations, then eyeball controls cost figures for some not-very-reliable cost/benefit analysis. It’s an immediate problem: This organization wants to hit maturity goals for the NIST CSF, and needs help choosing among the many controls recommended by that framework.

>>The RiskLens Risk Treatment Analysis  capability has all this automated, from assessing the baseline risk, to seeing the effect on the baseline of controls or process changes, to inputting the cost figures, to final reporting that compares how various treatment options quantifiably change baseline risk and, the return on investment (ROI) of options

RiskLens Platform - Risk Treatment Analysis



For a DIY solution, this organization is going it alone on support. As experienced FAIR shops know, FAIR is more than a platform – it’s a program, and one that often involves a cultural change to move to risk-based, financially sound cyber risk management.

>>RiskLens fields the most experienced team in the world at setting up a quantified risk management program, from kickoff workshops to give the team hands-on experience with risk analysis, to ongoing support to share the latest insights gathered from the largest customer base of FAIR practitioners. 

This organization is already on the way to joining the ranks of RiskLens + FAIR-powered risk management teams.. Let us show you the power of the RiskLens platform –  schedule a demo now.