A pocket guide to FAIR


FAIR, short for Factor Analysis of Information Risk, is a risk quantification methodology developed to help companies assess information risk. FAIR is the only international standard quantitative model for operational risk and information security. This methodology greatly benefits mature organizations that use IRM (Integrated Risk Management) solutions.

The main objective of FAIR is to support the organization’s existing risk management frameworks and strategies.

FAIR and traditional risk quantification methods

To see how FAIR differs from other frameworks, one must understand that FAIR is not a cybersecurity framework like the NIST CSF. It is not a standalone framework but a complementary methodology that works alongside frameworks such as NIST, ISO 2700x and other industry standards.

Over time, organizations develop gaps in compliance, and standard frameworks cannot predict the risks associated with those gaps. The FAIR methodology identifies an organization’s risks, helps companies direct their resources effectively at the risk gaps that matter for decisions, and scales threat levels, a capability most executives lack.

As companies move from a compliance-based approach to a risk-based approach, they need a risk quantification methodology to support this change. Not only does FAIR support this change in practices, but it also helps foster cyber interest among board members and non-technical leaders. The FAIR methodology is unique in that it translates an organization’s loss exposure into financial terms, allowing for better communication between technical teams, non-technical members and management.

Unlike FAIR, older risk quantification models rely on black box penetration testing, carried out without any internal knowledge of the target system: testers are unaware of code and designs that are not publicly available.

Through this form of testing, testers can determine system risks and vulnerabilities, but black box testing cannot provide the financial impact of the risk. Moreover, with limited knowledge, the test cannot identify all threats and vulnerabilities in organizational models.

Compared to legacy methods or black box testing, FAIR is a “glass box” method that provides executives with insight into how metrics were achieved, allowing CISOs to deepen their insights when presenting to board leaders and management stakeholders.

Despite the vast benefits, extensive security coverage, and excellent threat level identification, the FAIR framework is flawed. Some common disadvantages are:

  • FAIR is relatively difficult to use because it has no specific or defined documentation of its methods.
  • FAIR cannot independently assess the risks. It is a complementary methodology that enhances risk assessment by coordinating with other frameworks.
  • FAIR is primarily based on probability; while these probabilities are not groundless, they are not entirely accurate due to the different nature of cyberattacks and their damage.

How can a company prepare for a FAIR risk assessment?

To prepare for a FAIR risk assessment, organizations must begin by identifying their cyber network security framework and understanding its complexity and measures. In addition, it is crucial to identify third parties’ access to any assets or data.

Before a FAIR risk assessment, you should be aware of the different types of risk. Different risks have different associated outcomes and consequences. You should be aware of the following risks when using this framework.

  • Compliance risks
  • Operational risks
  • Reputational risks
  • Strategic risks
  • Transactional risks

Once you understand the potential risks that can make your organization vulnerable, you can begin the FAIR Model Risk Assessment to develop strategies to reduce and resolve challenges.

Steps for a FAIR assessment

Use the approach shown below to successfully integrate the FAIR assessment to reduce the risk of violations and penalties.

  1. Organize your system (system identification, data, vendors, suppliers, access, data flow, third-party access, or other factors depending on the company)
  2. Identify potential threats (data backup, exposed or breached data, unauthorized access, and others)
  3. Organize risks and consequences (high, medium and low)
  4. Assess your controls (authentications, security, operations, administrative and others)
  5. Calculate the impact of risks, threats and opportunities.

Mature and IRM-based organizations generally use the FAIR framework. IRM enables organizations to address broader risk categories and conduct in-depth analysis of external and internal risks.

What do companies need to have in place to perform a FAIR risk quantification?

For a company to carry out a FAIR risk assessment, it must go through four stages of risk quantification:

Identification of scenario components

There are two elements in every scenario: an asset and the threat community acting against it. It is essential to identify the associated risk.

Loss Event Frequency (LEF) Assessment

LEF has sub-elements that need to be estimated. The following estimates are required:

  • TCAP (threat capability)
  • CS (control strength)
  • TEF (threat event frequency)
  • Derive vulnerability
  • Derive LEF

Probable Loss Magnitude (PLM)

The PLM needs two estimates of embedded elements: one is the most adverse loss and the other is the probable loss.

Articulate and infer risk

Once you are done with all the estimations, you can articulate and pilot the risk.

How to use data from the FAIR assessment?

When the assessment is complete and you have calculated the LEF, loss magnitude and other parameters, you arrive at the overall loss magnitude. It combines primary and secondary losses: primary losses include recovery costs, asset losses and other direct losses, while secondary losses consist of penalties, lost customers and brand damage.

The FAIR evaluation method attaches a confidence score to the security framework. Using the data obtained, organizations can improve their operational security framework by identifying gaps and reducing risk. The company’s CISO can improve decision-making processes based on these KPIs, metrics and FAIR assessment results.
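The LEF derivation described above (TCAP against CS giving vulnerability, TEF times vulnerability giving LEF) and the combination of primary and secondary losses into a probable and a most adverse loss figure can be carried out in a few lines of code. The following Python is an added worked example, not code from this page, from the FAIR standard or from CyberSaint; the Estimate and Scenario names, the triangular distribution used in place of the PERT curves FAIR tooling normally uses, and every numeric range are assumptions constructed for illustration.

```python
# Added worked example (not from the page): Monte Carlo evaluation of a
# FAIR-style risk scenario. All ranges below are constructed for illustration.
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Estimate:
    """A calibrated range (minimum, most likely, maximum) for one FAIR factor.

    FAIR works with ranges rather than single numbers. A triangular
    distribution stands in here for the PERT curves FAIR tools usually
    use (assumption made for simplicity).
    """
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.low == self.high:          # fixed value, nothing to sample
            return self.low
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    tef: Estimate             # TEF: threat events per year against the asset
    tcap: Estimate            # TCAP: threat capability as a percentile (0..1)
    cs: Estimate              # CS: control strength as a percentile (0..1)
    primary_loss: Estimate    # direct cost per event: response, replacement
    secondary_loss: Estimate  # per-event fines, lost customers, brand damage


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Derive vulnerability, LEF and annual loss from the estimates.

    vulnerability  = probability that TCAP exceeds CS
    LEF            = TEF x vulnerability (loss events per year)
    loss magnitude = primary + secondary loss per event
    annual loss    = LEF x loss magnitude, sampled over many trials so that a
                     probable (median) and a most adverse (95th percentile)
                     figure can be read off the resulting distribution.
    """
    rng = random.Random(seed)
    annual_losses = []
    vulnerable_trials = 0
    for _ in range(trials):
        tcap = scenario.tcap.sample(rng)
        cs = scenario.cs.sample(rng)
        vulnerable = tcap > cs
        vulnerable_trials += int(vulnerable)
        lef = scenario.tef.sample(rng) if vulnerable else 0.0
        loss_magnitude = (scenario.primary_loss.sample(rng)
                          + scenario.secondary_loss.sample(rng))
        annual_losses.append(lef * loss_magnitude)
    pct = quantiles(annual_losses, n=100)   # pct[i] is the (i+1)-th percentile
    return {
        "vulnerability": vulnerable_trials / trials,
        "mean_annual_loss": mean(annual_losses),
        "probable_annual_loss": pct[49],       # median
        "most_adverse_annual_loss": pct[94],   # 95th percentile
    }


# Constructed scenario: a customer database targeted by an external actor.
EXAMPLE = Scenario(
    tef=Estimate(0.5, 2.0, 6.0),
    tcap=Estimate(0.40, 0.65, 0.90),
    cs=Estimate(0.50, 0.70, 0.85),
    primary_loss=Estimate(50_000, 150_000, 400_000),
    secondary_loss=Estimate(0, 250_000, 2_000_000),
)

if __name__ == "__main__":
    for name, value in simulate(EXAMPLE).items():
        print(f"{name:>26}: {value:,.2f}")
```

The two figures the PLM stage asks for fall out of the same run: the median of the simulated annual losses is the probable loss, and the 95th percentile is a defensible most adverse loss. Because the output is in currency units, it can go straight into the board-level reporting the article describes rather than a high/medium/low label.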

CyberStrong is shaping the future of cyber risk management

A FAIR risk assessment will provide information for risk scenario reporting and risk portfolio analysis and reporting. This risk assessment report will summarize the possible risks, the assets at risk and the potential financial losses due to the risks. This information is crucial for C-level executives, board members and non-technical business leaders.

Not all leaders in an organization are familiar with cybersecurity and risk terminologies. Non-FAIR frameworks provide complex information that is difficult for non-technical members to understand, complicating organizational decision-making and communication.

However, FAIR’s data gives the results in simple financial terms that decision makers and team members can easily understand. The financial loss in monetary value can make anyone aware of the seriousness of the risks and the prioritization of defensive cybersecurity measures.

Additionally, the organization can allocate its budget to cybersecurity and estimate the return on investment.

CyberSaint Security’s CyberStrong platform enables easy automation of your data across cyber risk management and security frameworks. It reduces the complexity of framework testing with the FAIR methodology.

Your organizational data is at stake because it is of great value to cybercriminals. Use the FAIR Model Risk Assessment to perform systematic risk quantification analyses, understand risks in financial terms, gain clear insights into your security posture and decide effectively on actions to improve your cyber strategy.

Contact us to learn more about how you can quantify risk with FAIR via CyberStrong.

