Using the FAIR model to quantify cyber-risk


Cyber-risk is a major factor in business today, but finding a credible way to identify, analyze and communicate it poses a perennial challenge. One methodology gaining significant traction in the cybersecurity field is the Factor Analysis of Information Risk, or FAIR, model.

Former CISO Jack Jones, now chairman at the nonprofit FAIR Institute, developed the cyber-risk quantification framework in 2005. FAIR is a mathematics-based model that aims to measure cyber-risk quantitatively and monetarily.

The FAIR model lets security leaders package cyber-risk as a business issue, framing loss exposure in financial terms that resonate with senior executives.

How the FAIR model works

In the FAIR methodology, users identify key data points, or risk factors, associated with given cyber-risk scenarios. They then feed those figures into FAIR’s mathematical algorithms, which, in turn, calculate and quantify cyber-risk in terms of probable financial losses.

Figure: FAIR model chart showing loss event frequency multiplied by loss event magnitude to arrive at a risk value.
At a basic level, the FAIR model multiplies loss event frequency by loss event magnitude to calculate cyber-risk.

At a basic level, the FAIR model calculates risk by multiplying a value called loss event frequency by a value…
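The following worked example is added here and is not code from the article or from the FAIR Institute. It shows the basic relationship the text describes, risk as loss event frequency (LEF) multiplied by loss event magnitude (LM), first as a single point estimate and then as a distribution of annual loss built from three-point (minimum, most likely, maximum) estimates. The use of triangular distributions and Monte Carlo sampling, the function names, and the ransomware scenario numbers are all assumptions made for illustration, not values from the page.

```python
"""Added worked example (not from the original article or the FAIR standard):
risk = loss event frequency (LEF) x loss event magnitude (LM).

Assumptions made here for illustration: three-point estimates per factor,
triangular distributions, Monte Carlo sampling, and a constructed scenario.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (minimum, most likely, maximum) for one risk factor."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution from the standard library: no extra packages needed.
        return rng.triangular(self.low, self.high, self.likely)


def annualized_loss_exposure(lef: float, lm: float) -> float:
    """Point estimate: expected loss per year = events per year x loss per event."""
    return lef * lm


def simulate_risk(lef: Estimate, lm: Estimate,
                  iterations: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo: draw LEF and LM independently, multiply them, and
    summarize the resulting distribution of annual loss."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = sorted(
        annualized_loss_exposure(lef.sample(rng), lm.sample(rng))
        for _ in range(iterations)
    )

    def pct(p: float) -> float:
        # Simple empirical percentile over the sorted samples.
        return losses[min(len(losses) - 1, int(p / 100 * len(losses)))]

    return {
        "mean": statistics.fmean(losses),
        "p10": pct(10),
        "p50": pct(50),
        "p90": pct(90),
        "max": losses[-1],
    }


# Constructed scenario (assumed numbers): ransomware on a file server, expected
# between once every 10 years and once every 2 years (most likely every 4 years),
# costing $50k to $900k per event (most likely $200k).
RANSOMWARE_LEF = Estimate(low=0.1, likely=0.25, high=0.5)            # events per year
RANSOMWARE_LM = Estimate(low=50_000, likely=200_000, high=900_000)   # dollars per event

if __name__ == "__main__":
    point = annualized_loss_exposure(RANSOMWARE_LEF.likely, RANSOMWARE_LM.likely)
    print(f"point estimate (most likely x most likely): ${point:,.0f} per year")
    for name, value in simulate_risk(RANSOMWARE_LEF, RANSOMWARE_LM).items():
        print(f"{name:>5}: ${value:,.0f}")
```

Reporting the p10/p50/p90 spread rather than a single number is what makes the result usable in the business conversation the article describes: the executive sees a plausible range of annual loss for the scenario, and a control that shifts the p90 down can be compared against its own cost in the same units.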
