What is FAIR?

Factor Analysis of Information Risk (FAIR) is the go-to standard for quantitative risk analysis. FAIR provides a framework for understanding, analyzing, and quantifying information risk in financial terms. 


Organizations can expect the following benefits by adopting a FAIR based approach:

  • Improved communication and understanding of risk through the use consistent terms and language
  • A structured way to model risk which leads to more thorough analysis 
  • Risk presented in financial terms which enables cost/benefit analysis

"Apps [HealthGuard Founder & CEO] is the person I think of when I think of healthcare InfoSec. You won't find anyone stronger in the field." 

Jack Jones

Creator of FAIR

Modular Approach 

Organizations can implement FAIR in a modular fashion by plugging it into an existing risk management process. It can be phased in slowly or implemented as a forklift upgrade. It is also complimentary to existing security frameworks such as NIST Cyber Security Framework, NIST 800-53, and ISO 27000. 

FAIR can quickly begin producing quantitative measures of risk that can be used to improve decision making.

An International Standard

FAIR was originally released to the public in 2006. It was later adopted by the Open Group in 2014, making it the only international standard for the quantification of cyber security and operational risk. 

The Open Group has released numerous FAIR related publications, including two standards, O-RT, Risk Taxonomy Standard, and O-RA, Risk Analysis Standard. There are available here.

Raise your Cyber Risk Management Game,
Get FAIR Certified!

Learn how to quantify and communicate risk in business terms.