What is FAIR?
The Factor Analysis of Information Risk (FAIR) is a framework for understanding, analyzing, and quantifying information risk in financial terms.
Organizations can expect the following benefits by adopting a FAIR based approach:
- Improved communication and understanding of risk through the use consistent terms and language
- A structured way to model risk which leads to more thorough analysis
- Risk presented in financial terms which enables cost/benefit analysis
"Apps [HealthGuard Founder & CEO] is the person I think of when I think of healthcare InfoSec. You won't find anyone stronger in the field."
Creator of FAIR
Organizations can implement FAIR in a modular fashion by plugging it into an existing risk management process. It can be phased in slowly or implemented as a forklift upgrade. It is also complimentary to existing security frameworks such as NIST Cyber Security Framework, NIST 800-53, and ISO 27000.
FAIR can quickly begin producing quantitative measures of risk that can be used to improve decision making.
An International Standard
FAIR was originally released to the public in 2006. It was later adopted by the Open Group in 2014, making it the only international standard for the quantification of cyber security and operational risk.
The Open Group has released numerous FAIR related publications, including two standards, O-RT, Risk Taxonomy Standard, and O-RA, Risk Analysis Standard. There are available here.