With pressure from the board to communicate risk in financial terms, more and more organizations are looking to learn Factor Analysis of Information Risk (FAIR™) and to move away from subjective, qualitative risk assessments toward objectivity by introducing risk quantification into their enterprise risk management (ERM) programs.
We are frequently asked: “What are the most important FAIR concepts to learn to get us started?”
Based on over a decade of RiskLens experience training thousands of individuals, here is our list:
The 4 Essential FAIR Concepts
Translating ‘Risk Concerns’ into a FAIR Scope
FAIR Measurement Concepts
FAIR Risk Analysis Process
Translating FAIR Results
Learn introductory and advanced FAIR principles and techniques with the world’s leading experts in quantitative cyber risk management - the RiskLens Academy.
1. Translating ‘Risk Concerns’ into a FAIR Scope
This is the first concept to learn and master. Here’s the problem: Stakeholders will ask us how much ‘risk’ we have on an abundance of general topics, including ransomware, migrating to the cloud, not following change management procedures, etc.
But for risk analysis in financial terms, we need to have a specific, quantifiable loss event. FAIR requires us to build a loss event by identifying the:
Threat – Acts upon the asset in a harmful way.
Effect – Consequence to the asset, expressed as a loss of confidentiality, availability, or integrity.
Asset – What is valuable to the organization, so that a loss event against it produces a financial loss.
Method (optional) – Identifies how the loss effect occurs.
The acronyms T.E.A. or T.E.A.M. help us remember these required elements to scope the loss event.
If a stakeholder is concerned about data breaches, we would start by identifying the asset(s), threat(s), and loss effect(s), then compose a specific loss event scenario, such as:
“Analyze the risk associated with malicious external actors breaching the confidentiality of sensitive company data accessible on a lost/stolen mobile device.”
RiskLens recommends using the risk concern of data breach to build a risk assessment that will include all the likely loss event scenarios that are scoped using FAIR. Once you’ve mastered scoping, you will fly through running risk analyses.
Learn more: How to Scope a Risk Analysis Using FAIR
Author Bernadette Dunn is a RiskLens trainer. Learn more about RiskLens training services.
2. FAIR Measurement Concepts
The purpose of leveraging FAIR for risk analysis is to move from subjectivity towards objectivity. Most clients have already taken this step by leveraging data that support creating qualitative likelihood/impact heat maps. Building on these practices, FAIR introduces these necessary measurement concepts:
The FAIR Model – Download the FAIR Model Infographic – An ontology to measure the frequency of a loss event and loss magnitude if the event occurs.
4-Part Estimates & Calibration – FAIR requires 4-part estimates (minimum, maximum, most likely value, and confidence in the most likely value) so that the data input phase is accurate and the results are accurate and defensible. Calibration is a proven technique that improves the accuracy of the 4-part estimates while keeping a useful level of precision.
RiskLens recommends writing out The FAIR Model daily until it is memorized and working with a colleague to challenge the 4-part estimates to improve calibrating data inputs for accurate and defensible results.
Learn more: Calibrated Estimation for FAIR
3. FAIR Risk Analysis Process
Scope, Data Input, Run/QA, Report - these are the phases of running a FAIR risk analysis.
Phase 1: Scope – Create the loss event by identifying the threat, (loss) effect, asset, and (optional) method.
Phase 2: Data Input – Use FAIR measurement concepts to input the 4-part calibrated estimates for loss event frequency and loss magnitude.
Phase 3: Run/QA – Run a Monte Carlo simulation to account for uncertainty in the calibrated data inputs, and QA the results to ensure they are plausible for the loss event scoped. Refine the data inputs if the results are not accurate.
Phase 4: Report – Once the results are accurate and defensible, report the range of probable annualized loss exposure for the risk concern of the stakeholder. Remember to translate back to their concern while including the quantitative measurements of the probable frequency and the probable loss magnitude of future loss.
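As an added illustration of the measurement concepts in section 2 and the Data Input and Run/QA phases above (example code, not RiskLens or FAIR standard code), the following Python simulation takes 4-part estimates for loss event frequency and loss magnitude and runs a Monte Carlo to produce the annualized loss exposure range that Phase 4 reports. The input values are constructed, and the mapping of "confidence" to a modified PERT shape parameter is an assumption of this example.

```python
import random
import math

# Constructed example inputs for the mobile-device data breach scenario scoped in
# section 1 (hypothetical numbers). Each estimate is
# (minimum, most_likely, maximum, confidence), confidence being "low"/"medium"/"high".
LOSS_EVENT_FREQUENCY = (0.1, 0.5, 2.0, "medium")        # loss events per year
LOSS_MAGNITUDE = (25_000, 150_000, 2_000_000, "low")    # dollars per event

# Assumption: confidence in the most likely value is mapped to the shape parameter
# (lambda) of a modified PERT distribution; FAIR tooling has its own mapping.
CONFIDENCE_LAMBDA = {"low": 2, "medium": 4, "high": 8}

def pert_sample(minimum, most_likely, maximum, confidence, rng=random):
    """Draw one value from a modified PERT (beta) distribution bounded by min/max."""
    if not minimum <= most_likely <= maximum:
        raise ValueError("most likely value must lie between minimum and maximum")
    span = maximum - minimum
    if span == 0:
        return minimum
    lam = CONFIDENCE_LAMBDA[confidence]
    alpha = 1 + lam * (most_likely - minimum) / span
    beta = 1 + lam * (maximum - most_likely) / span
    return minimum + span * rng.betavariate(alpha, beta)

def poisson_sample(rate, rng=random):
    """Number of loss events in one simulated year (Knuth's method, fine for small rates)."""
    limit, k, p = math.exp(-rate), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_loss(lef, lm, iterations=10_000, seed=7):
    """Monte Carlo: annualized loss exposure distribution for one scoped loss event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        events = poisson_sample(pert_sample(*lef, rng=rng), rng=rng)
        losses.append(sum(pert_sample(*lm, rng=rng) for _ in range(events)))
    losses.sort()
    pct = lambda q: losses[min(int(q * iterations), iterations - 1)]
    return {"mean": sum(losses) / iterations, "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90), "max": losses[-1]}

if __name__ == "__main__":
    for name, value in simulate_annual_loss(LOSS_EVENT_FREQUENCY, LOSS_MAGNITUDE).items():
        print(f"{name:>5}: ${value:,.0f}")
```

The printed percentiles are the "range of probable annualized loss exposure" from Phase 4; a p50 of zero simply means that in more than half of simulated years no loss event occurs.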
Learn more: What Does RiskLens Reporting Tell Me?
Important: You can augment your organization’s data with industry data curated by the RiskLens Data Science team, and also tap into a vast amount of ready-made loss event scenarios you can customize for your organization. Read this: Just-in-Time Data for Fast, On-Demand Cyber Risk Assessments.
4. Translating FAIR Results
This is more of an art than a science. If you are new to risk management and come from a security background, practice communicating the analysis results in the financial terms of annualized loss exposure. If you have a risk management background but are new to managing cyber risk, build trust with the subject-matter resources providing the data inputs. You automatically gain credibility by referencing your subject-matter resources when communicating the results to the stakeholder.
Finally, use what is already working. If your organization is communicating risk with color-coded heat maps and that resonates with your stakeholders, keep using it. Add a ledger that includes the annualized loss exposure. Provide solutions with a cost-benefit summary, including an ROI on dollars spent to reduce the risk. Keep it high level and visual while supplementing with the details where needed. Find additional pro tips on presenting risk analysis results.
Output from FAIR analysis on the RiskLens SaaS platform.
Get Trained in FAIR Risk Quantification Essentials
If your organization is ready to start its FAIR journey, FAIR training by the RiskLens Academy not only covers these four foundational FAIR concepts with hands-on activities, but also teaches you how RiskLens has operationalized FAIR in the RiskLens platform.