Introduction to FAIR http://fairwiki.riskmanagementinsight.com An Online Home for the Factor Analysis of Information Risk (FAIR) Framework Mon, 18 Jun 2007 15:24:12 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 http://fairwiki.riskmanagementinsight.com/?p=1 http://fairwiki.riskmanagementinsight.com/?p=1#comments Thu, 01 Jan 1970 00:00:00 +0000 > here ]]> This website is an online version of the whitepaper:

An Introduction to Factor Analysis of Information Risk (FAIR)

A framework for understanding, analyzing, and measuring information risk

by Jack A. Jones, CISSP, CISM, CISA

You can always find a formal .pdf version of this content >> here <<<.

To get started, select “Introduction” from the menu on your right.

What is FAIR?

Information security practices, to-date, have generally been inadequate in helping organizational leadership effectively manage information risk. The shortcomings are primarily the result of information security being practiced as an art rather than science – i.e., a heavy reliance on practitioner intuition and experience, industry lore, and “best practices.” And although intuition, experience, and best practices all provide value, they don’t consistently enable management to make effective, well-informed decisions. The absence of a working, logical foundation that determines risk means risk management efforts are highly subject to individual bias, myth, dogma, and misinterpretation of the relatively sparse empirical data that exists.

The result? Organizations spend too little or too much time and money, or spend resources in all the wrong places as they attempt to reduce their risk.

The FAIR Risk Management Framework

Factor Analysis of Information Risk (FAIR) provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.

FAIR allows organizations to:

Speak in one language concerning their risk
Be able to consistently study and apply risk to any object or asset
View organizational risk in total
Defend or challenge risk determination using an advanced analysis framework
Understand how time and money will impact their security profile

Specific components of the framework include:

A taxonomy for information risk
Standard nomenclature for information risk terms
A framework for establishing data collection criteria
Measurement scales for risk factors
A computational engine for calculating risk
A modeling construct for analyzing complex risk scenarios

The comments section of this website is regularly monitored. We welcome questions about FAIR and how the framework works, if you have any questions about any concepts discussed, please feel free to leave a comment, and a FAIR certified analyst will answer as soon as possible. Please note that we’d like the comments section to be only for questions – any other feedback can be left, but may or may not be answered and may or may not be made available to the public.

Thank you and enjoy the website!

Technorati Profile

]]> http://fairwiki.riskmanagementinsight.com/?feed=rss2&p=1 6