Using the FAIR model to quantify cyber-risk
The Factor Analysis of Information Risk methodology helps organizations frame their cyber-risk exposure as a business issue and quantify it in financial terms. Learn how FAIR works.
Cyber-risk is a major factor in business today, but finding a credible way to identify, analyze and communicate it poses a perennial challenge. One methodology gaining significant traction in the cybersecurity field is the Factor Analysis of Information Risk, or FAIR, model.
Former CISO Jack Jones, now chairman at the nonprofit FAIR Institute, developed the cyber-risk quantification framework in 2005. FAIR is a mathematics-based model that aims to measure cyber-risk quantitatively and monetarily.
The FAIR model lets security leaders package cyber-risk as a business issue, framing loss exposure in financial terms that resonate with senior executives.
How the FAIR model works
In the FAIR methodology, users identify key data points, or risk factors, associated with given cyber-risk scenarios. They then feed those figures into FAIR's mathematical algorithms, which, in turn, calculate and quantify cyber-risk in terms of probable financial losses.
At a basic level, the FAIR model calculates risk by multiplying a value called loss event frequency by a value known as loss event magnitude, as they pertain to a given asset -- e.g., a system, a device, data, etc.
Loss event frequency represents the number of times an event is likely to occur within a specific period. It is, in turn, based on the following factors:
- Threat event frequency. How often a specific threat is likely to occur.
- Vulnerability. The likelihood the threat would cause loss, based on the threat's capabilities and the asset's defenses.
Loss event magnitude represents the severity -- i.e., scope and impact -- of an event. It is based on the following factors:
- Primary loss. Operational and financial costs directly caused by the threat actor or the organization's response -- e.g., asset repair and replacement, ransomware payments, lost productivity, incident response efforts, etc.
- Secondary loss. Operational and financial costs that arise as a result of third-party stakeholders' experiences of and reactions to the negative event -- e.g., regulatory fines, data exposure notifications, revenue loss due to reputational damage, etc.
Loss event frequency is recorded as a percentage or another numeric value, such as a rate of events per year. Loss event magnitude is measured in dollars.
While some risk factors are objectively measurable, others require practitioners to make informed estimations based on available data; statistical concepts and techniques, such as calibration; and professional judgment. For example, senior business leaders can only estimate how reputational damage in a particular scenario affects an organization financially -- they cannot empirically know.
Any risk analysis, whether qualitative or quantitative, deals in probabilities rather than certainties. As such, a FAIR analysis strives to identify accurate risk ranges -- e.g., an 80% likelihood that losses fall between $100,000 and $150,000 in a given year -- rather than precise risk values.
Quantitative vs. qualitative cyber-risk analysis
Qualitative analysis is subjective and provides relative values based on personal perception and professional judgment. A given risk scenario might receive qualitative ratings, such as unacceptable, acceptable, good or ideal; red, yellow or green; or a figure on a scale of one to five.
Although subjective and potentially imprecise, qualitative risk analysis is relatively easy, efficient and accessible.
Quantitative risk analysis relies on objective values. As such, quantitative analysis may help senior management make more informed and strategic decisions.
That said, cyber-risk quantification requires hard data and is typically more challenging, complex and time-consuming to perform than qualitative analysis.
How to use the FAIR model for cyber-risk quantification
Practitioners have a variety of options when it comes to using the FAIR model, ranging from simplistic to sophisticated. These include the following:
- DIY FAIR. According to the FAIR Institute, it's possible to run DIY FAIR analysis using only spreadsheets. Depending on the practitioner's skills and experience, this approach could range from extremely rudimentary to relatively substantive.
- FAIR-U. The FAIR Institute offers a free web training application to guide users through data entry and analysis for a single risk scenario at a time. The app, called FAIR-U, was created by FAIR Institute technical advisor and cyber-risk management provider RiskLens. The FAIR Institute's chairman is also chief research scientist at RiskLens' parent company, Safe Security.
The FAIR Institute also offers a variety of free educational materials on its website, in addition to training classes, technical documentation and professional accreditation.
- Open FAIR. The Open Group, a vendor-neutral security and risk consortium, has adopted FAIR as an open, global standard for quantitative risk management. Open FAIR consists of two main elements: Risk Analysis Standard and Risk Taxonomy Standard. The group provides extensive additional documentation and training, as well as the free Open FAIR Risk Analysis Tool and a professional certification program.
- RiskLens FAIR Enterprise Model. In addition to the free FAIR-U app, RiskLens also provides enterprise-grade FAIR analysis via its paid cyber-risk quantification platform. The software provides guided workflows, performs automatic risk modeling and analysis, and generates reports in a variety of formats.
Stages of a FAIR cyber-risk analysis
Any FAIR analysis -- whether a DIY, free or commercial version -- follows these four steps:
- Stage 1: Identify risk scenarios. Determine the asset at risk and the threat in question that could compromise it.
- Stage 2: Evaluate loss event frequency. Determine ranges of likely values for the threat event frequency and vulnerability variables, soliciting subject matter expert insight as needed. Calculate the likelihood of a specific cyber event, such as a successful ransomware attack, occurring.
- Stage 3: Evaluate loss event magnitude. Determine ranges of likely values for the primary and secondary loss variables, soliciting subject matter expert insight as needed. Calculate the probable financial impact if the cyber event occurred.
- Stage 4: Derive and articulate risk. Multiply loss event frequency by loss event magnitude to calculate the overall risk value.
Monte Carlo simulations in a FAIR cyber-risk analysis
The FAIR Institute considers the Monte Carlo method integral to the final stage of a FAIR cyber-risk quantification assessment. A Monte Carlo simulation uses a type of computational algorithm to repeatedly and randomly sample the ranges of possible data inputs identified in Stages 2 and 3 of a FAIR analysis.
The simulation then generates thousands of possible financial loss outcomes for a given risk scenario, as well as the relative probability of each occurring. This lets senior management make informed decisions based on the range of probable losses and their relative likelihood.
The Monte Carlo method enables practitioners to assign each variable a range of likely values, e.g., between 1 and 10, rather than a precise point value, e.g., 4. It then randomly combines values drawn from those ranges over many trials, so that the combinations that could occur are represented in the results. In this way, its calculations account for uncertainty, aiming for accurate rather than precise predictions based on both possibility -- i.e., could it happen? -- and probability -- i.e., how likely is it to happen? Executives can then make more informed decisions, as they can see a full range of possible losses and their relative likelihood.
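As an added worked example (not code from this article, the FAIR Institute, The Open Group or RiskLens), the following Python script carries the factor breakdown described under "How the FAIR model works", the four stages above, and the Monte Carlo step through for one constructed ransomware scenario. The scenario name, every input range, the triangular sampling distribution, the Poisson event count, and the trial count are assumptions made for illustration; the FAIR standard does not prescribe them, and commercial tools use their own distributions.

```python
"""Added example of a FAIR-style Monte Carlo cyber-risk analysis.

Constructed scenario and ranges; not an official FAIR or RiskLens calculation.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate given as a range (minimum, most likely, maximum)
    instead of a single point value, as Stages 2 and 3 call for."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution as a simple stand-in for the PERT-style
        # curves commercial tools use (an assumption of this example).
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """Stage 1: one asset, one threat, and the four FAIR input factors."""
    name: str
    threat_event_frequency: Range  # threat events per year
    vulnerability: Range           # probability a threat event becomes a loss event
    primary_loss: Range            # dollars per loss event
    secondary_loss: Range          # dollars per loss event


def point_estimate_risk(tef, vuln, primary, secondary):
    """Stage 4 with single values: risk = loss event frequency x loss event magnitude."""
    loss_event_frequency = tef * vuln
    loss_event_magnitude = primary + secondary
    return loss_event_frequency * loss_event_magnitude


def poisson(rng, rate):
    """Number of events in one year for a given average rate (Knuth's method)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_year(scenario, rng):
    """One trial: how many loss events occur this year and what they cost."""
    tef = scenario.threat_event_frequency.sample(rng)
    vuln = scenario.vulnerability.sample(rng)
    threat_events = poisson(rng, tef)
    # Each threat event becomes a loss event with probability `vuln`.
    loss_events = sum(1 for _ in range(threat_events) if rng.random() < vuln)
    total = 0.0
    for _ in range(loss_events):
        total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
    return total


def percentile(values, pct):
    """Nearest-rank percentile of a list of numbers."""
    ordered = sorted(values)
    return ordered[round((len(ordered) - 1) * pct / 100)]


def run_analysis(scenario, trials=10_000, seed=1):
    """Stage 4 via Monte Carlo: thousands of simulated years, summarized as a range."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = [simulate_year(scenario, rng) for _ in range(trials)]
    return {
        "trials": trials,
        "annualized_loss_expectancy": statistics.fmean(losses),
        "probability_of_any_loss": sum(1 for x in losses if x > 0) / trials,
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
    }


# Constructed scenario values, chosen for illustration only.
RANSOMWARE_ON_FILE_SERVER = Scenario(
    name="Ransomware encrypts the shared file server",
    threat_event_frequency=Range(2, 6, 12),
    vulnerability=Range(0.05, 0.15, 0.35),
    primary_loss=Range(50_000, 150_000, 400_000),
    secondary_loss=Range(0, 50_000, 300_000),
)

if __name__ == "__main__":
    result = run_analysis(RANSOMWARE_ON_FILE_SERVER)
    print(f"Scenario: {RANSOMWARE_ON_FILE_SERVER.name}")
    print(f"Annualized loss expectancy: ${result['annualized_loss_expectancy']:,.0f}")
    print(f"80% of simulated years fall between ${result['p10']:,.0f} and ${result['p90']:,.0f}")
    print(f"Chance of at least one loss event in a year: {result['probability_of_any_loss']:.0%}")
```

The 10th-to-90th percentile band is the "80% likelihood that losses fall between X and Y" statement the article describes. With these inputs roughly a third of simulated years see no loss event at all, so the lower bound of the band is $0; that is the kind of finding the point-estimate multiplication alone would hide, and it is why the simulation reports a distribution rather than one number.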
Both the free FAIR-U app and the paid RiskLens platform include Monte Carlo simulations, with the paid version offering more sophisticated capabilities and a greater variety of reporting formats.
Benefits of the FAIR model
Any organization that wants to better understand its cyber-risk posture, especially from a financial perspective, should consider FAIR.
FAIR's key differentiator is that it is a quantitative model, framing results in monetary terms -- for example, the cost to the business if a specific cyber event occurs. Qualitative analyses, by contrast, are often based on softer, and arguably less useful, estimates.
Quantifying cyber-risk in terms of dollars and cents enables management to do the following:
- Examine and compare various risk scenarios.
- Prioritize their response actions accordingly.
- Make informed decisions about whether and how to address and mitigate specific cyber threats.
Challenges of the FAIR model
While FAIR offers important benefits, it can be time-consuming and expensive to use. And it is far from foolproof -- the model's output is only as good as the data practitioners feed it. To experience the full benefits of the framework, users must have the expertise necessary to do the following:
- Understand the nuances of the FAIR model and how it works.
- Identify and accurately describe potential cyber-risk scenarios in a given organization.
- Collect and accurately estimate risk factor data.
The use of proprietary cyber-risk quantification software from a third-party vendor, such as RiskLens, can make implementing the FAIR framework easier and more efficient but also more expensive.
Still, although FAIR's underlying elements are complex, its fundamentals are relatively straightforward. For organizations that want to understand their cyber-risk exposure in financial terms, the FAIR model offers a powerful quantitative approach.