Using FAIR and NIST CSF for Security Risk Management

May 18, 2021
4 min read

Risk management and risk assessments go hand in hand, and most organizations have at some point completed a security assessment based on a maturity model. More companies are now realizing that maturity models need to be complemented with a risk-based approach for assessing their cybersecurity posture: a maturity score tells you how well-developed a capability is, not how much loss you are exposed to without it.

One such risk-based approach is the Factor Analysis of Information Risk (FAIR) model, which enables organizations to quantify security risk in financial terms. With a model such as FAIR, an organization can rank its top risks by expected loss and direct security investment and budget toward them while building its security strategy. Risk analysis frameworks can also be combined; for example, Cimpress combined the FAIR model with the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) to establish a comprehensive, actionable security program.

NIST CSF and FAIR – Defining the Frameworks

The NIST frameworks and guidance are heavily relied upon by many chief information security officers (CISOs) and information security professionals to build comprehensive security programs. A couple of the most widely used NIST frameworks are NIST CSF and NIST 800-53.

NIST CSF describes a set of security outcomes, organized as categories and subcategories, that has been widely adopted across industries. It groups these outcomes into five Functions: Identify, Protect, Detect, Respond and Recover. The CSF is not a control catalog and is not a subset of NIST SP 800-53; rather, each CSF subcategory points to informative references, among them specific SP 800-53 controls. NIST SP 800-53 provides a catalog of security and privacy controls for information systems and organizations to protect operations and assets, individuals and other organizations. SP 800-53 Revision 4 organizes its controls into 18 families (Revision 5, published in 2020, expanded this to 20), including the families most relevant to risk management: Risk Assessment (RA), Security Assessment and Authorization (CA) and Program Management (PM).

What Is the FAIR Model?

The FAIR model decomposes risk into quantifiable components. The two top-level factors are loss event frequency and loss magnitude: how often will a loss event occur, and how much financial loss will each one cause? FAIR breaks these down further. Loss event frequency is the product of threat event frequency (how often a threat agent acts against the asset) and vulnerability (the probability that such an action results in loss); loss magnitude is the sum of primary loss (response, replacement, lost productivity) and secondary loss (fines, legal costs, reputational damage). Rather than demanding exact figures, FAIR takes calibrated range estimates for each factor and runs them through a Monte Carlo simulation, which produces a probability distribution of annual loss rather than a single number: an expected annualized loss, plus the tail values (such as the 95th percentile) that show how bad a bad year could be. The power of this model is that it equips CISOs and security professionals to communicate security risk in financial terms, which is the universal business language for executives and the board room.

The FAIR model also standardizes the language of risk management within the organization. Terms such as risk and threat are often used interchangeably in everyday conversation; by adopting FAIR’s definitions, business functions, lines of business and executive leadership teams can speak the same language. The FAIR model defines asset, threat, effect and risk as:

  • Asset: Anything of value that the organization seeks to protect, both tangible and intangible
  • Threat: An agent that acts against the asset in a way that can result in loss to the organization
  • Effect: The type of loss that would result from a successful action of the threat against the asset, commonly expressed in terms of the CIA triad (loss of confidentiality, integrity or availability)
  • Risk: The probable frequency and probable magnitude of future loss

The FAIR model does not replace an enterprise-wide risk assessment, but a risk quantification analysis that leverages the FAIR model should be an integral part of your organization’s security journey. FAIR is an analysis model and taxonomy rather than a complete risk management program; what it changes is how risk assessments are performed and how the resulting findings are prioritized in the overall security strategy.


How Does FAIR Map to NIST CSF?

Each NIST CSF subcategory carries informative references: pointers to specific controls, standards or guidelines that organizations can use as a starting point when implementing that subcategory. The FAIR model is published as an informative reference to NIST CSF. In the NIST Informative Reference Catalog you will find two FAIR entries, a “risk analysis” mapping and a “risk taxonomy” mapping, each relating the corresponding FAIR standard to the CSF subcategories it supports.

Within the Identify function, the NIST CSF has two main risk management categories, risk assessment and risk management strategy, each with its own identification label:

NIST CSF Category          ID
Risk Assessment            ID.RA
Risk Management Strategy   ID.RM

Within the risk assessment category, there are six control objectives or subcategories:

  • ID.RA-1: Asset vulnerabilities are identified and documented.
  • ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.
  • ID.RA-3: Threats, both internal and external, are identified and documented.
  • ID.RA-4: Potential business impacts and likelihoods are identified.
  • ID.RA-5: Threats, vulnerabilities, likelihoods and impacts are used to determine risk.
  • ID.RA-6: Risk responses are identified and prioritized.

The FAIR model most directly addresses ID.RA-4 and ID.RA-5: it quantifies business impact in financial terms, estimates the likelihood of loss events, and combines the two into a risk figure. Its asset and threat definitions also give ID.RA-1 and ID.RA-3 a consistent vocabulary, and the resulting loss estimates are what ID.RA-6 needs in order to prioritize responses. The mapping between the FAIR model and NIST CSF is therefore direct. Furthermore, the FAIR model can be used to inform the risk management strategy category, which consists of the following subcategories:

  • ID.RM-1: Risk management processes are established, managed and agreed to by organizational stakeholders.
  • ID.RM-2: Organizational risk tolerance is determined and clearly expressed.
  • ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis.

Using the FAIR model provides a common language to inform your risk management processes, and its quantitative output gives you something concrete to set a risk tolerance against: a tolerance stated as a dollar figure at a chosen confidence level (for example, “annual loss above a given amount at the 95th percentile is unacceptable”) can be tested directly against a FAIR loss distribution, which a qualitative high/medium/low rating cannot.
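The following is an added example, not code from the original article, from IBM or from The Open Group, that works through the FAIR decomposition described in “What Is the FAIR Model?” and then applies the result to the risk-tolerance point above. It takes calibrated minimum/most likely/maximum estimates for threat event frequency, vulnerability, primary loss and secondary loss, runs a seeded Monte Carlo simulation, and reports annualized loss expectancy, the 90th and 95th percentiles, the probability of any loss in a year, a ranking of scenarios by expected loss, and a tolerance check. The PERT (scaled Beta) distribution for estimates and the Poisson model for the number of loss events per year are this example’s assumptions, as are the helper names (Pert, Scenario, simulate, summarize, exceeds_tolerance, prioritize); the two scenarios and their figures are constructed for illustration and describe no real organization.

```python
"""FAIR-style risk quantification with a Monte Carlo simulation.

Added example, not code from the original article, IBM or The Open Group.
It follows the FAIR decomposition:
    Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM)
    LEF  = Threat Event Frequency (TEF) x Vulnerability
    LM   = Primary Loss + Secondary Loss
Distribution choices (PERT for calibrated estimates, Poisson for the
number of loss events in a year) are this example's assumptions; the
scenario figures are constructed and illustrate no real organization.
"""
import math
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Pert:
    """A calibrated (min, most likely, max) estimate sampled from a PERT
    (scaled Beta) distribution; lam=4 is the conventional shape."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random, lam: float = 4.0) -> float:
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        alpha = 1.0 + lam * (self.mode - self.low) / span
        beta = 1.0 + lam * (self.high - self.mode) / span
        return self.low + rng.betavariate(alpha, beta) * span


@dataclass(frozen=True)
class Scenario:
    """One FAIR scenario: a threat acting against an asset, losses in dollars."""
    name: str
    tef_per_year: Pert     # threat events (attempts) per year
    vulnerability: Pert    # probability an attempt becomes a loss event, 0..1
    primary_loss: Pert     # direct loss per event: response, replacement, downtime
    secondary_loss: Pert   # per-event fines, legal and reputational loss


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler: number of loss events given the expected LEF."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scn: Scenario, iterations: int = 10_000, seed: int = 7) -> List[float]:
    """Return one total loss figure per simulated year (seeded, so repeatable)."""
    rng = random.Random(seed)
    years = []
    for _ in range(iterations):
        lef = scn.tef_per_year.sample(rng) * scn.vulnerability.sample(rng)
        events = poisson(rng, lef)
        years.append(sum(scn.primary_loss.sample(rng) + scn.secondary_loss.sample(rng)
                         for _ in range(events)))
    return years


def percentile(values: Sequence[float], p: float) -> float:
    ordered = sorted(values)
    return ordered[int(round(p * (len(ordered) - 1)))]


def summarize(losses: Sequence[float]) -> Dict[str, float]:
    """The figures a board deck needs: expected loss, a typical year, and the tail."""
    return {
        "ale": statistics.fmean(losses),          # annualized loss expectancy
        "median": statistics.median(losses),      # a typical year (often zero)
        "p90": percentile(losses, 0.90),
        "p95": percentile(losses, 0.95),
        "max": max(losses),
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def exceeds_tolerance(losses: Sequence[float], tolerance: float, confidence: float = 0.95) -> bool:
    """ID.RM-2 style check: is annual loss at the chosen confidence above tolerance?"""
    return percentile(losses, confidence) > tolerance


def prioritize(scenarios: Sequence[Scenario], iterations: int = 10_000) -> List[Tuple[str, float]]:
    """Rank scenarios by annualized loss expectancy, highest first."""
    ranked = [(s.name, summarize(simulate(s, iterations))["ale"]) for s in scenarios]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed scenarios with illustrative estimates (not real data).
RANSOMWARE = Scenario("Ransomware on file servers",
                      Pert(0.5, 2, 6), Pert(0.05, 0.15, 0.40),
                      Pert(50_000, 200_000, 1_000_000), Pert(0, 100_000, 2_000_000))
LOST_LAPTOP = Scenario("Lost unencrypted laptop",
                       Pert(1, 3, 8), Pert(0.01, 0.03, 0.10),
                       Pert(2_000, 5_000, 20_000), Pert(0, 10_000, 100_000))

if __name__ == "__main__":
    for name, ale in prioritize([RANSOMWARE, LOST_LAPTOP]):
        print(f"{name}: ALE ${ale:,.0f}")
    stats = summarize(simulate(RANSOMWARE))
    print(f"ransomware p95 ${stats['p95']:,.0f}, P(any loss) {stats['p_any_loss']:.2f}")
    print("over $250k tolerance at 95%:", exceeds_tolerance(simulate(RANSOMWARE), 250_000))
```

Two things in the output are worth noticing. The median year for the ransomware scenario is zero because most simulated years contain no loss event, while the 95th percentile and maximum are large; a single-number “expected loss” hides that shape, which is exactly why tolerance should be stated at a confidence level. And the ranking is what turns the analysis into a budget conversation: the scenario with the highest annualized loss expectancy is where the next control investment should be evaluated, and re-running the simulation with a lower vulnerability estimate shows how much of that expected loss a control would remove.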

Leveraging Open Source/Standards for Risk Management

IBM is a leader in innovating in the open, and the FAIR model fits this approach as an open standard managed by The Open Group. The Open Group is a global consortium that enables the achievement of business objectives through technology standards and has created standards in the areas of risk and security for over 20 years. The beauty of using open standards, such as the FAIR model, is that they are available for all to implement, and there is knowledge sharing between those who have implemented the standard. Organizations that have implemented the FAIR model can learn from each other’s experiences and inform risk management best practices within and across industries. As a proponent of information exchange and shaping the future of technology, IBM is a founding member of The Open Group.

Bringing the CISO to the Board Room

CISOs leverage many standards and frameworks to build security programs and protect their businesses from security threats. Now CISOs can combine the FAIR model with NIST CSF to quantify cybersecurity risk in terms that the board and C-suite want to hear — dollars and cents. By quantifying security risk in financial terms, we help security executives effectively communicate to the board and also advise the board on risk management programs.


Shelley Bland
Senior Product Marketing Manager, IBM

Shelley Bland is a Senior Product Marketing Manager for IBM Security Services, focusing on our Align portfolio of Security Strategy Risk and Compliance. Shel...