Risk management and risk assessments go hand in hand, and most organizations have completed a security assessment based on maturity models at some point in their existence. However, more companies are realizing the need to complement maturity models with a risk-based approach for assessing their cybersecurity positions.

One such risk-based approach uses the Factor Analysis of Information Risk (FAIR) model, which enables organizations to quantify security risk in financial terms. With a model such as FAIR, organizations can focus security investments on their top risks and prioritize both those risks and their budgets while building a security strategy. Risk analysis frameworks can also be combined; for example, Cimpress combined the FAIR model with the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) to establish a comprehensive, actionable security program.

NIST CSF and FAIR – Defining the Frameworks

Many chief information security officers (CISOs) and information security professionals rely heavily on NIST frameworks and guidance to build comprehensive security programs. Two of the most widely used NIST publications are NIST CSF and NIST SP 800-53.

NIST CSF provides security measures that have been widely adopted across multiple industries. It groups security outcomes into five core functions: identify, protect, detect, respond and recover. The NIST CSF is a subset of NIST SP 800-53, which provides a catalog of security and privacy controls for information systems and organizations to protect operations and assets, individuals and other organizations. NIST SP 800-53 has 18 security control families, including three that relate directly to risk management: risk assessment (RA), security assessment and authorization (CA), and program management (PM).

What Is the FAIR Model?

The FAIR model decomposes risk into quantifiable components. The two primary components of risk defined by the FAIR model are loss event frequency and loss magnitude: how often will a loss event occur, and how much financial loss will it cause? Performing statistical analysis on these components yields a probability of the security event occurring and the expected financial exposure if it is realized. The power of this model is that it equips CISOs and security professionals to communicate security risk in financial terms, the universal business language of executives and the board room.

The FAIR model standardizes the language of risk management within the organization. By using FAIR-based definitions of risk and threat (terms that are often conflated in everyday use), business functions, lines of business and executive leadership teams can speak the same language. The FAIR model defines asset, threat, effect and risk as follows:

  • Asset: Thing of value that the organization seeks to protect, both tangible and non-tangible
  • Threat: Agent that acts against the asset in a way that can result in loss to the organization
  • Effect: Type of loss that would result from a successful action of the threat against the asset (commonly referred to as CIA: confidentiality, integrity and availability)
  • Risk: Probable frequency and probable magnitude of future loss

The FAIR model does not replace an enterprise-wide risk assessment, but a risk quantification analysis that leverages the FAIR model should be an integral part of your organization’s security journey. The FAIR model is a risk management framework that changes how risk assessments are approached and how the overall security strategy is built.


How Does FAIR Map to NIST CSF?

NIST publishes informative references for its risk management framework: detailed risk domain controls that organizations can use as a starting point for implementing each category within the NIST CSF. The FAIR model is published as one such informative reference to NIST CSF. In the NIST Informative Reference Catalog, the FAIR model is mapped to the “risk analysis mapping” and “risk taxonomy mapping” subcategories of NIST CSF.

The NIST CSF has two main risk management categories, risk assessment and risk management strategy, which are given identification labels:

NIST CSF Category           ID
Risk Assessment             ID.RA
Risk Management Strategy    ID.RM

Within the risk assessment category, there are six control objectives or subcategories:

  • ID.RA-1: Asset vulnerabilities are identified and documented.
  • ID.RA-2: Threat and vulnerability information is received from information-sharing forums and sources.
  • ID.RA-3: Threats, both internal and external, are identified and documented.
  • ID.RA-4: Potential business impacts and likelihoods are identified.
  • ID.RA-5: Threats, vulnerabilities, likelihoods and impacts are used to determine risk.
  • ID.RA-6: Risk responses are identified and prioritized.

The FAIR model addresses control ID.RA-4 directly by quantifying business impact in financial terms and calculating the likelihood, or probability, of security events occurring, so there is a direct mapping between the FAIR model and NIST CSF. Furthermore, the FAIR model can be used to inform the risk management strategy category, which consists of the following controls:

  • ID.RM-1: Establish your risk management processes.
  • ID.RM-2: Determine your organization’s risk tolerances.
  • ID.RM-3: Use your infrastructure’s role to guide decisions.

Using the FAIR model provides a common language to inform your risk management processes, and its quantitative method can help inform your risk tolerances.
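The following is an added example, not code from the article, Cimpress or The Open Group. It carries the FAIR decomposition from the “What Is the FAIR Model?” section through to the ID.RA-4 and ID.RM-2 use above: calibrated (minimum, most likely, maximum) estimates for loss event frequency and loss magnitude are simulated over many years to produce an annualized loss distribution, which is then compared against a loss tolerance. All figures, the scenario and the tolerance are constructed sample values.

```python
"""Monte Carlo FAIR-style quantification (added example; sample values are constructed)."""
import math
import random
import statistics

# Constructed estimates for one hypothetical scenario, e.g. exposure of customer records.
FREQUENCY = (0.2, 0.5, 2.0)               # loss events per year: min, most likely, max
MAGNITUDE = (50_000, 150_000, 1_000_000)  # loss per event: min, most likely, max


def triangular_mean(est):
    """Closed-form mean of a (min, most likely, max) triangular distribution."""
    lo, mode, hi = est
    return (lo + mode + hi) / 3.0


def expected_ale(freq=FREQUENCY, mag=MAGNITUDE):
    """Analytic annualized loss expectancy: E[frequency] * E[magnitude].
    Holds because frequency and magnitude are modelled as independent."""
    return triangular_mean(freq) * triangular_mean(mag)


def _poisson(rng, lam):
    """Knuth's method: number of loss events in one year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_ale(freq=FREQUENCY, mag=MAGNITUDE, trials=20_000, seed=1):
    """Simulate `trials` years and return annualized loss statistics."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(trials):
        rate = rng.triangular(freq[0], freq[2], freq[1])  # args: low, high, mode
        events = _poisson(rng, rate)
        losses.append(sum(rng.triangular(mag[0], mag[2], mag[1]) for _ in range(events)))
    losses.sort()
    pct = lambda p: losses[min(len(losses) - 1, int(p / 100 * len(losses)))]
    return {"mean": statistics.fmean(losses), "p50": pct(50),
            "p90": pct(90), "p95": pct(95), "max": losses[-1]}


def exceeds_tolerance(result, tolerance, percentile="p90"):
    """ID.RM-2 style check: does the chosen tail percentile breach the annual loss tolerance?"""
    return result[percentile] > tolerance


if __name__ == "__main__":
    res = simulate_ale()
    print(f"analytic ALE: {expected_ale():,.0f}")
    for name, value in res.items():
        print(f"{name:>4}: {value:,.0f}")
    print("breaches 500k tolerance at p90:", exceeds_tolerance(res, 500_000))
```

The percentile reported to the board is a policy choice; the mean answers ID.RA-4, while the tail (p90 or p95) against a stated tolerance is what ID.RM-2 asks leadership to decide.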

Leveraging Open Source/Standards for Risk Management

IBM is a leader in innovating in the open, and the FAIR model fits this approach as an open standard managed by The Open Group. The Open Group is a global consortium that enables the achievement of business objectives through technology standards and has created standards in the areas of risk and security for over 20 years. The beauty of open standards such as the FAIR model is that they are available for all to implement, and knowledge is shared among those who have implemented them. Organizations that have adopted the FAIR model can learn from each other’s experiences and inform risk management best practices within and across industries. As a proponent of information exchange and shaping the future of technology, IBM is a founding member of The Open Group.

Bringing the CISO to the Board Room

CISOs leverage many standards and frameworks to build security programs and protect their businesses from security threats. Now CISOs can combine the FAIR model with NIST CSF to quantify cybersecurity risk in terms that the board and C-suite want to hear — dollars and cents. By quantifying security risk in financial terms, we help security executives effectively communicate to the board and also advise the board on risk management programs.

