What is FAIR?
Factor Analysis of Information Risk (FAIR) is a framework of interconnected models that describe how the key elements of the risk landscape relate to one another. Unlike the control frameworks and standards the industry widely uses as “models” (ISO, NIST, CMM, COBIT), which enumerate what should be in place, FAIR models describe the underlying dynamics of the risk landscape: the “why” and the “how”.
This underlying description is what enables meaningful measurement and analysis of risk, in ways no other model in use today provides.
Initially developed in 2001 (and continually evolving), FAIR was created by Jack Jones, a CISO who was looking for a practical means of answering the questions executive management was asking, such as:
• How much risk do we have?
• How much less/more risk will we have if we do ABC?
• What are our most significant issues?
• What are the most cost-effective ways for us to spend our risk management dollars?
Why use FAIR?
IT security executives and their business counterparts need to work more closely than ever to manage the role IT security plays in a successful corporation. Until recently, however, there has been no automated solution that connects IT security investment with business value, gives transparency into the risk of business decisions, or integrates and tracks the complex and changing regulatory and PCI compliance rules. Automated SaaS tools are now appearing to fill that gap, but none of them meaningfully compares issues in order to prioritize vulnerabilities, or evaluates the cost-benefit of control options. Nor can they provide an aggregate measure of risk, or rationally defend many of their measures beyond saying, "Well, COBIT says so".
FAIR helps organizations adopt a different approach to risk management, one based on explicit models and methods of measurement. The FAIR method shows an organization what to measure, how to measure it, and how to derive meaning from those measurements.
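The page does not spell out what FAIR actually measures, so it helps to see the top of its published taxonomy: Risk is factored into Loss Event Frequency (LEF) and Loss Magnitude, and LEF is itself the product of Threat Event Frequency (how often a threat agent acts against the asset) and Vulnerability (the probability that such a threat event becomes a loss event). Each factor is estimated as a calibrated range rather than a point value, and the ranges are combined by simulation. The following is an added example, not code from this page or from the FAIR Institute: a minimal Monte Carlo over those factors that answers two of the executive questions above ("how much risk do we have?" and "how much less if we do X?"). The scenario ranges, the hypothetical control X, and its annual cost are all constructed for illustration; the PERT shape for the estimates and the Poisson draw for event counts are common modelling choices, not something the page prescribes.

```python
import math
import random
import statistics

# Calibrated estimates as (minimum, most likely, maximum), the way FAIR
# analyses typically elicit them from subject-matter experts.
# All figures below are constructed for illustration, not real data.
BASELINE = {
    "name": "baseline (no new control)",
    "tef": (2, 6, 20),                  # threat events per year
    "vuln": (0.40, 0.60, 0.80),         # P(threat event becomes a loss event)
    "loss_per_event": (20_000, 75_000, 500_000),   # USD per loss event
}
WITH_CONTROL = {
    "name": "after hypothetical control X",
    "tef": (2, 6, 20),                  # control X does not change attacker activity
    "vuln": (0.10, 0.20, 0.35),         # but it lowers the chance an attempt succeeds
    "loss_per_event": (20_000, 75_000, 500_000),
}
ANNUAL_CONTROL_COST = 150_000           # constructed annual cost of control X


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a modified PERT distribution (a scaled beta).
    Its mean is (low + 4*mode + high) / 6, i.e. the usual three-point estimate."""
    if high <= low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual event rates
    FAIR scenarios usually involve (lam well under ~50)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=1):
    """Monte Carlo over the FAIR factors: LEF = TEF x Vulnerability, then one
    Loss Magnitude draw per loss event. Returns one total loss per simulated year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario["tef"])
        vuln = pert_sample(rng, *scenario["vuln"])
        lef = tef * vuln                       # expected loss events this year
        n_events = poisson_sample(rng, lef)    # realised number of loss events
        losses.append(sum(pert_sample(rng, *scenario["loss_per_event"])
                          for _ in range(n_events)))
    return losses


def summarize(losses):
    """Turn the simulated years into the figures executives ask for."""
    s = sorted(losses)
    return {
        "mean": statistics.fmean(s),           # annualized loss expectancy
        "median": statistics.median(s),
        "p90": s[int(0.9 * (len(s) - 1))],      # a "bad year" figure
        "max": s[-1],
    }


def compare_control(baseline, controlled, annual_cost, iterations=10_000, seed=1):
    """Risk with and without the control, and the control's net benefit."""
    base = summarize(simulate_annual_loss(baseline, iterations, seed))
    ctrl = summarize(simulate_annual_loss(controlled, iterations, seed))
    reduction = base["mean"] - ctrl["mean"]
    return {
        "baseline": base,
        "controlled": ctrl,
        "risk_reduction": reduction,           # expected annual loss avoided
        "net_benefit": reduction - annual_cost,
    }


if __name__ == "__main__":
    r = compare_control(BASELINE, WITH_CONTROL, ANNUAL_CONTROL_COST)
    for label in ("baseline", "controlled"):
        s = r[label]
        print(f"{label:>10}: mean ${s['mean']:,.0f}  median ${s['median']:,.0f}  "
              f"p90 ${s['p90']:,.0f}  max ${s['max']:,.0f}")
    print(f"expected annual risk reduction from control X: ${r['risk_reduction']:,.0f}")
    print(f"net of control cost:                          ${r['net_benefit']:,.0f}")
```

The point of the exercise is not the particular numbers, which come from constructed ranges, but the shape of the answer: a distribution of annual loss (mean, median, a bad-year percentile) rather than a colour on a heat map, and a control decision expressed as expected loss avoided against what the control costs. Swapping in a different estimate for any factor and re-running is how "how much less risk if we do ABC?" gets answered under FAIR.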