Risk management and risk assessments go hand in hand, and most organizations have completed a security assessment based on maturity models at some point in their existence. However, more companies are realizing the need to complement maturity models with a risk-based approach for assessing their cybersecurity positions.

One such risk-based approach is based on the Factor Analysis of Information Risk (FAIR) model, which enables organizations to quantify security risk in financial terms. By using models such as FAIR, organizations can focus security investments on their top risks and prioritize these risks and their budgets while building their security strategy. Organizations can combine risk analysis frameworks; for example, Cimpress combined the FAIR model with the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) to establish a comprehensive, actionable security program.

NIST CSF and FAIR – Defining the Frameworks

The NIST frameworks and guidance are heavily relied upon by many chief information security officers (CISOs) and information security professionals to build comprehensive security programs. A couple of the most widely used NIST frameworks are NIST CSF and NIST 800-53.

NIST CSF provides security measures that have been widely adopted across multiple industries. NIST CSF groups security controls into five phases: identify, protect, detect, respond and recover. The NIST CSF is a subset of NIST 800-53, which provides a catalog of security and privacy controls for information systems and organizations to protect operations and assets, individuals and other organizations. The NIST SP 800-53 has 18 security control families, including those relating to risk management: risk assessment, security assessment and authorization and program management.

What Is the FAIR Model?

The FAIR model decomposes risk into quantifiable components. The two primary components of risk defined by the FAIR model are event frequency and loss magnitude. How often will a security event occur and how much of a financial loss will be accrued? Performing statistical analysis on these components results in a probability of the security event occurring and the expected financial exposure of that event being realized. The power of this model is that it equips CISOs and security professionals to communicate security risk in financial terms, which is the universal business language for executives and the board room.

The FAIR model standardizes the language of risk management within the organization. By using FAIR-based definitions of risk and threats (which are often used interchangeably), business functions, lines of business and executive leadership teams can now speak the same language. The FAIR model defines asset, threat, effect and risk as:

  • Asset: Thing of value that the organization seeks to protect, both tangible and non-tangible
  • Threat: Agent that acts against the asset in a way that can result in loss to the organization
  • Effect: Type of loss that would result from a successful action of the threat against the asset (commonly referred to as CIA: confidentiality, integrity and availability)
  • Risk: Probable frequency and probable magnitude of future loss

The FAIR model does not replace an enterprise-wide risk assessment, but a risk quantification analysis that leverages the FAIR model should be an integral part of your organization’s security journey. The FAIR model is a risk management framework that changes the approach of risk assessments and overall security strategy.

How Does FAIR Map to NIST CSF?

NIST provides informative references for a risk management framework, providing detailed risk domain controls for organizations to use as a starting point for implementation of each category within the NIST CSF. The FAIR model is published as an informative reference to NIST CSF. In the NIST Informative Reference Catalog, you can see the FAIR model mapped to the “risk analysis mapping” and “risk taxonomy mapping” subcategories of NIST CSF.

The NIST CSF has two main risk management categories, risk assessment and risk management strategy, which are given identification labels:

  NIST CSF Category            ID
  Risk Assessment              ID.RA
  Risk Management Strategy     ID.RM

Within the risk assessment category, there are six control objectives or subcategories:

  • ID.RA-1: Asset vulnerabilities are identified and documented.
  • ID.RA-2: Threat and vulnerability information is received from information-sharing forums and sources.
  • ID.RA-3: Threats, both internal and external, are identified and documented.
  • ID.RA-4: Potential business impacts and likelihoods are identified.
  • ID.RA-5: Threats, vulnerabilities, likelihoods and impacts are used to determine risk.
  • ID.RA-6: Risk responses are identified and prioritized.

The FAIR model solves for control ID.RA-4 by quantifying business impact in financial terms and calculating the likelihoods or probabilities of security events occurring. There is a direct mapping between the FAIR model and NIST CSF. Furthermore, the FAIR model can be used to inform the risk management strategy category, which consists of the following controls:

  • ID.RM-1: Establish your risk management processes.
  • ID.RM-2: Determine your organization’s risk tolerances.
  • ID.RM-3: Use your infrastructure’s role to guide decisions.

Using the FAIR model provides a common language to inform your risk management processes, and its quantitative method can help inform your risk tolerances.
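As an added example (not code from the article, from IBM, or from The Open Group's FAIR standard), the Python below takes the two FAIR components named in the "What Is the FAIR Model?" section, event frequency and loss magnitude, expresses each as a calibrated three-point estimate, runs a Monte Carlo simulation to obtain an expected annual loss with percentiles, and then ranks scenarios against a risk tolerance of the kind ID.RM-2 asks an organization to determine, so that ID.RA-6 prioritization can be driven by numbers. The scenario names, estimates, tolerance figure, triangular distributions and the Poisson assumption for yearly event counts are all constructed for illustration, not data from the article.

```python
"""FAIR-style risk quantification sketch: constructed illustration, not a FAIR tool."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution with these parameters (modelling assumption).
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    event_frequency: Estimate   # loss events per year
    loss_magnitude: Estimate    # currency units lost per event


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form expected annual loss, assuming frequency and magnitude are independent."""
    return s.event_frequency.mean() * s.loss_magnitude.mean()


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method: number of events in one year for a constant event rate (assumption)."""
    limit = math.exp(-rate)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(s: Scenario, iterations: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo: sample a yearly event rate, draw the event count, sum per-event losses."""
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    totals = []
    for _ in range(iterations):
        rate = s.event_frequency.sample(rng)
        events = _poisson(rng, rate)
        totals.append(sum(s.loss_magnitude.sample(rng) for _ in range(events)))
    totals.sort()
    n = len(totals)
    return {
        "mean": statistics.fmean(totals),
        "p50": totals[n // 2],
        "p90": totals[int(0.90 * (n - 1))],
        "p99": totals[int(0.99 * (n - 1))],   # tail exposure a board usually asks about
    }


def prioritize(scenarios, tolerance: float):
    """Rank scenarios by expected annual loss and flag those above the stated risk tolerance."""
    ranked = sorted(scenarios, key=expected_annual_loss, reverse=True)
    return [(s.name, round(expected_annual_loss(s), 2), expected_annual_loss(s) > tolerance)
            for s in ranked]


# Constructed sample scenarios; every number here is illustrative.
SCENARIOS = [
    Scenario("Phishing leading to credential compromise",
             Estimate(0.5, 2.0, 6.0), Estimate(5_000, 25_000, 120_000)),
    Scenario("Ransomware on file servers",
             Estimate(0.05, 0.2, 0.5), Estimate(200_000, 800_000, 3_000_000)),
    Scenario("Lost laptop with unencrypted data",
             Estimate(1.0, 3.0, 8.0), Estimate(2_000, 10_000, 40_000)),
]
TOLERANCE = 100_000.0   # constructed annual loss tolerance, the ID.RM-2 decision input

if __name__ == "__main__":
    for name, eal, over in prioritize(SCENARIOS, TOLERANCE):
        print(f"{name}: expected annual loss {eal:,.0f} {'EXCEEDS' if over else 'within'} tolerance")
    for s in SCENARIOS:
        stats = simulate_annual_loss(s)
        print(f"{s.name}: mean {stats['mean']:,.0f}  p90 {stats['p90']:,.0f}  p99 {stats['p99']:,.0f}")
```

The closed-form expected loss and the simulation mean should agree to within sampling noise; the percentiles are what the simulation adds, because a scenario with a modest mean but a heavy tail (the ransomware case above) is exactly the one a tolerance expressed only as an average would hide.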

Leveraging Open Source/Standards for Risk Management

IBM is a leader in innovating in the open, and the FAIR model fits this approach as an open standard that is managed by The Open Group. The Open Group is a global consortium that enables the achievement of business objectives through technology standards and has created standards in the areas of risk and security for over 20 years. The beauty of using open standards, such as the FAIR model, is that they are available for all to implement, and there’s knowledge sharing between those who have implemented the standard. Organizations that have implemented the FAIR model can learn from each other’s experiences and inform risk management best practices within and across industries. As a proponent of information exchange and shaping the future of technology, IBM is a founding member of The Open Group.

Bringing the CISO to the Board Room

CISOs leverage many standards and frameworks to build security programs and protect their businesses from security threats. Now CISOs can combine the FAIR model with NIST CSF to quantify cybersecurity risk in terms that the board and C-suite want to hear — dollars and cents. By quantifying security risk in financial terms, we help security executives effectively communicate to the board and also advise the board on risk management programs.
