This website is an online version of the whitepaper:

An Introduction to Factor Analysis of Information Risk (FAIR)

A framework for understanding, analyzing, and measuring information risk

by Jack A. Jones, CISSP, CISM, CISA

You can always find a formal .pdf version of this content here.


What is FAIR?

Information security practices, to date, have generally been inadequate in helping organizational leadership effectively manage information risk. The shortcomings are primarily the result of information security being practiced as an art rather than a science – i.e., a heavy reliance on practitioner intuition and experience, industry lore, and “best practices.” And although intuition, experience, and best practices all provide value, they don’t consistently enable management to make effective, well-informed decisions. The absence of a working, logical foundation for determining risk means that risk management efforts are highly subject to individual bias, myth, dogma, and misinterpretation of the relatively sparse empirical data that exists.

The result? Organizations spend too little or too much time and money, or spend resources in all the wrong places as they attempt to reduce their risk.

The FAIR Risk Management Framework

Factor Analysis of Information Risk (FAIR) provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.

FAIR allows organizations to:

Speak in one language concerning their risk
Be able to consistently study and apply risk to any object or asset
View organizational risk in total
Defend or challenge risk determination using an advanced analysis framework
Understand how time and money will impact their security profile

Specific components of the framework include:

A taxonomy for information risk
Standard nomenclature for information risk terms
A framework for establishing data collection criteria
Measurement scales for risk factors
A computational engine for calculating risk
A modeling construct for analyzing complex risk scenarios

The comments section of this website is regularly monitored. We welcome questions about FAIR and how the framework works; if you have a question about any of the concepts discussed, please leave a comment, and a FAIR certified analyst will answer as soon as possible. Please note that we would like the comments section to be used only for questions: other feedback may be left, but it may or may not be answered and may or may not be made available to the public.

Thank you and enjoy the website!


Responses

  1. roodee Says:

    Not sure if this comment will ever see the light of day or if this is the relevant location to provide feedback, but I’ll “risk” it anyways. Wow, that was a terrible joke wasn’t it?

    In the bald tire scenario, conspicuously absent is the concept of threat agent and attack. Perhaps these concepts are too specific and subsumed into a more abstract concept. In any case, I would argue that there is some other action or causal agent responsible for bringing about “harm” (threat, as you call it). We endanger the system by including causes and effects in the term threat. In my opinion your definition of threat is far too broad, as it includes agents and their effects. An attacker, for example, is not an effect. Where have we described the effect of his actions or the actions themselves? It is not a vulnerability, because that is the condition or property of the asset that enables him to do harm. A threat, in my view, describes the way in which harm is done to an asset. There is another concept, an agent, that brings about this threat or causes it. The agent and the event are not one and the same. Your definitions may work for natural events, but they do not have the precision required in order to address harm done to assets using purely logical/technical means.

  2. Jack Says:

    Roodee,

    Great point. Please keep in mind that the bald tire scenario is only meant to serve as an analogy that highlights some of the challenges our profession faces. The rest of the white paper gets into the details surrounding threat agents, actions, etc. that you mention.

    Thanks,
    Jack
