Open FAIR Complements Risk Management Programs
Open Factor Analysis of Information Risk (Open FAIR), published by The Open Group, is the industry standard for quantitative information-risk analysis and the first methodology of its kind to gain broad adoption. Open FAIR consists of two documents: the Risk Taxonomy Technical Standard (O-RT), which defines the factors that make up risk and how they relate, and the Risk Analysis Technical Standard (O-RA), which describes how to estimate and analyze them.
Where Open FAIR Fits
Open FAIR fits neatly into a comprehensive risk management (RM) program such as the one described in ISO/IEC 27005:2011.
According to frameworks like ISO’s, RM programs consist of 5 major components:
- Organizational lines of communication
- Process and policy context
- Risk assessments
- Risk treatment
- RM Program monitoring and review
ISO 27005 does not specify a methodology for performing risk assessment
Why this gap? Probably because there was no consensus on any of the (rather unsatisfactory) qualitative RM methodologies that existed when ISO 27005 was developed, and a good quantitative standard (that is, Open FAIR) was not yet available.
To illustrate the issue with qualitative risk analysis, let’s take a quick trip down memory lane to a simplified version of the three-level qualitative framework our former Burton Group researchers recommended customers use:
- High: A risk to human life, the survival of the organization, or of losses exceeding management’s maximum acceptable thresholds.
- Medium: A risk in between Low and High.
- Low: A “day to day risk” that cannot be mitigated for less than the cost of the control.
The problems with this are easy to see. First, we ourselves called medium risk “the big gray area.” Second, deciding whether a risk is Low or High already requires quantitative estimates: you cannot compare a loss to “management’s maximum acceptable threshold” or to “the cost of the control” without putting a number on it. The trouble does not stop at assessment, either. Management communication suffers because it is hard to justify why a risk landed in a given level, and two “medium” risks cannot be compared in terms of their impact on the organization.
Therefore, by directly supporting risk assessment processes (specifically risk identification and risk analysis) through a quantitative method, FAIR complements ISO quite well.
How Does Open FAIR Work?
Open FAIR provides a way to quantify the potential losses arising from attacks on IT assets. Threats, vulnerabilities, and consequences (all the components of risk) are modeled, estimated, and rolled up into loss event frequency, loss magnitude, and finally quantified risk, using calibrated estimation techniques and multivariate Monte Carlo simulation. Because inputs are expressed as ranges (for example a minimum, most likely, and maximum value) rather than single figures, the method is also well suited to handling uncertainty: the output is a distribution of annual loss, from which one can read the median, the tail, and the probability of exceeding a given threshold. The point of a FAIR analysis is not to generate exact numbers, which usually isn’t possible in cybersecurity, but to quantify loss estimates for specific loss scenarios to a useful degree of precision.
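To make the roll-up concrete, here is a small Monte Carlo simulation of one loss scenario in the Open FAIR style. It is example code added to this post, not part of the Open Group standard or of any FAIR tool, and every number in it is constructed for illustration. It follows the O-RT decomposition (threat event frequency times vulnerability gives loss event frequency; primary plus occasional secondary loss gives loss magnitude), takes each input as a (min, most likely, max) estimate, and, as an assumption, uses a triangular distribution in place of the PERT/beta distribution most FAIR tooling uses. The `tolerance` argument answers the question the qualitative “High/Medium/Low” scheme above could not: how likely is it that a year’s losses exceed management’s acceptable threshold?

```python
"""Monte Carlo estimate of annualized loss for one loss scenario, Open FAIR style.
Example code added to this article; not Open Group or Security Architects
Partners code. All scenario values below are constructed, not real data."""
import math
import random
from statistics import mean, quantiles

# Constructed scenario. Each calibrated estimate is a (min, most likely, max) triple.
SAMPLE_SCENARIO = {
    "threat_event_frequency": (2, 6, 20),            # attack attempts per year
    "vulnerability": (0.05, 0.15, 0.40),             # P(an attempt becomes a loss event)
    "primary_loss": (20_000, 80_000, 400_000),       # $ per loss event (response, replacement)
    "secondary_loss": (50_000, 250_000, 2_000_000),  # $ when fines or reputation damage follow
    "secondary_loss_event_frequency": 0.2,           # P(a loss event triggers secondary loss)
}


def draw(rng, low, mode, high):
    """Sample one value from a (min, most likely, max) estimate.
    Assumption: a triangular distribution stands in for the PERT/beta
    distribution FAIR tools usually use; both honour the three-point estimate."""
    return rng.triangular(low, high, mode)


def poisson(rng, lam):
    """Number of loss events in a year given the expected count `lam` (Knuth's method)."""
    limit = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1


def simulate_scenario(scenario, iterations=10_000, seed=1, tolerance=None):
    """Roll loss event frequency and loss magnitude up into annual loss exposure.
    Returns summary statistics of the simulated distribution, not one 'exact' number."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    annual_losses = []
    for _ in range(iterations):
        tef = draw(rng, *scenario["threat_event_frequency"])
        vuln = draw(rng, *scenario["vulnerability"])
        lef = tef * vuln  # loss events expected this year (O-RT: LEF = TEF x Vulnerability)
        year_total = 0.0
        for _event in range(poisson(rng, lef)):
            magnitude = draw(rng, *scenario["primary_loss"])
            if rng.random() < scenario["secondary_loss_event_frequency"]:
                magnitude += draw(rng, *scenario["secondary_loss"])
            year_total += magnitude
        annual_losses.append(year_total)

    p10, _, _, _, p50, _, _, _, p90 = quantiles(annual_losses, n=10)
    result = {
        "mean": mean(annual_losses),
        "p10": p10,
        "p50": p50,
        "p90": p90,
        "max": max(annual_losses),
        "p_no_loss": sum(1 for x in annual_losses if x == 0) / iterations,
    }
    if tolerance is not None:
        # Probability that a year's losses exceed management's acceptable threshold.
        result["p_exceeds_tolerance"] = (
            sum(1 for x in annual_losses if x > tolerance) / iterations
        )
    return result


if __name__ == "__main__":
    for key, value in simulate_scenario(SAMPLE_SCENARIO, tolerance=1_000_000).items():
        print(f"{key:>20}: {value:,.2f}")
```

Two design points are worth noting. Loss events are counted with a Poisson draw around the simulated loss event frequency, so a year can have zero, one or several events, each with its own magnitude; multiplying a single frequency by a single magnitude would hide exactly the tail that management cares about. And the function returns percentiles and an exceedance probability rather than a mean alone, because the mean of a heavy-tailed loss distribution says little about how bad a bad year can be.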
Until Open FAIR came about, we couldn’t get good quantified risk estimates, nor did the industry have a consistent model and terminology for communicating risk to the business in meaningful terms. In my next post on RM, I’ll go deeper into the FAIR model and address some of the common objections to and misconceptions about quantitative risk analysis. In the meantime, feel free to contact us with any questions or to explore opportunities. Risk assessments and risk management program development are among Security Architects Partners’ core subject matter areas, and we’ve helped many customers with them.