Cyber-risk is a major factor in business today, but finding a credible way to identify, analyze and communicate it poses a perennial challenge. One methodology gaining significant traction in the cybersecurity field is the Factor Analysis of Information Risk, or FAIR, model.
Former CISO Jack Jones, now chairman at the nonprofit FAIR Institute, developed the cyber-risk quantification framework in 2005. FAIR is a mathematics-based model that aims to measure cyber-risk quantitatively and monetarily.
The FAIR model lets security leaders package cyber-risk as a business issue, framing loss exposure in financial terms that resonate with senior executives.
How the FAIR model works
In the FAIR methodology, users identify key data points, or risk factors, associated with given cyber-risk scenarios. They then feed those figures into FAIR’s mathematical algorithms, which, in turn, calculate and quantify cyber-risk in terms of probable financial losses.
At a basic level, the FAIR model calculates risk by multiplying a value called loss event frequency by a value…
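The top-level calculation described above, as an added example that is not code from the article or from the FAIR Institute. It assumes, from the Open FAIR standard rather than from this page, that the second factor is loss magnitude (the cost of one loss event), and it follows the common FAIR tooling practice of taking each factor as a calibrated minimum/most-likely/maximum range, sampling it with a PERT distribution and running a Monte Carlo simulation so the result is a distribution of probable annual loss rather than one number. The `Estimate` class, the function names and all dollar and frequency figures are constructed for illustration.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated range for one FAIR factor: minimum, most likely, maximum.
    (Hypothetical helper type; not part of the FAIR standard itself.)"""
    low: float
    likely: float
    high: float

    def __post_init__(self) -> None:
        if not (0 <= self.low <= self.likely <= self.high):
            raise ValueError("estimate must satisfy 0 <= low <= likely <= high")


def sample_pert(est: Estimate, rng: random.Random, lam: float = 4.0) -> float:
    """Draw one value from a PERT distribution over the estimate's range.

    PERT is a beta distribution rescaled to [low, high] and peaked at `likely`;
    lam=4 is the conventional weight placed on the most-likely value.
    """
    span = est.high - est.low
    if span == 0:
        return est.low
    alpha = 1.0 + lam * (est.likely - est.low) / span
    beta = 1.0 + lam * (est.high - est.likely) / span
    return est.low + rng.betavariate(alpha, beta) * span


def sample_poisson(rate: float, rng: random.Random) -> int:
    """Number of loss events in one simulated year for an annual rate (Knuth's method)."""
    threshold = math.exp(-rate)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def point_estimate(loss_event_frequency: float, loss_magnitude: float) -> float:
    """Single-number form of the top-level FAIR relation: risk = LEF x LM per year."""
    return loss_event_frequency * loss_magnitude


def simulate_annual_loss(lef: Estimate, lm: Estimate,
                         trials: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo over the two top-level FAIR factors.

    Each trial is one simulated year: draw an event rate from the LEF range,
    draw how many events occur at that rate, then draw a loss for each event
    from the LM range and sum them. Returns summary statistics of annual loss.
    """
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        rate = sample_pert(lef, rng)
        events = sample_poisson(rate, rng)
        annual.append(sum(sample_pert(lm, rng) for _ in range(events)))
    annual.sort()

    def percentile(p: float) -> float:
        return annual[min(len(annual) - 1, int(p * len(annual)))]

    return {
        "mean": statistics.fmean(annual),
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "max": annual[-1],
    }


if __name__ == "__main__":
    # Constructed sample inputs, not figures from any real assessment:
    # a data-theft scenario estimated at 0.5-4 loss events per year (most likely 1)
    # costing $20k-$500k per event (most likely $80k).
    lef = Estimate(low=0.5, likely=1.0, high=4.0)
    lm = Estimate(low=20_000, likely=80_000, high=500_000)
    print("point estimate (likely x likely):", point_estimate(lef.likely, lm.likely))
    for name, value in simulate_annual_loss(lef, lm).items():
        print(f"{name:>5}: ${value:,.0f}")
```

The spread between `p10` and `p90` is what the single multiplication hides: presenting an executive with a most-likely annual loss alongside a 90th-percentile figure conveys both the expected cost and how bad a plausible year can get, which is the loss-exposure framing the article describes.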