Risk management and risk assessments go hand in hand, and most organizations have completed a security assessment based on maturity models at some point in their existence. However, more companies are realizing the need to complement maturity models with a risk-based approach for assessing their cybersecurity positions.

One such risk-based approach is based on the Factor Analysis of Information Risk (FAIR) model, which enables organizations to quantify security risk in financial terms. By using models such as FAIR, organizations can focus security investments on their top risks and prioritize these risks and their budgets while building their security strategy. Organizations can combine risk analysis frameworks; for example, Cimpress combined the FAIR model with the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) to establish a comprehensive, actionable security program.

NIST CSF and FAIR – Defining the Frameworks

The NIST frameworks and guidance are heavily relied upon by many chief information security officers (CISOs) and information security professionals to build comprehensive security programs. A couple of the most widely used NIST frameworks are NIST CSF and NIST 800-53.

NIST CSF provides security measures that have been widely adopted across multiple industries. NIST CSF groups security controls into five phases: identify, protect, detect, respond and recover. The NIST CSF is a subset of NIST 800-53, which provides a catalog of security and privacy controls for information systems and organizations to protect operations and assets, individuals and other organizations. The NIST SP 800-53 has 18 security control families, including those relating to risk management: risk assessment, security assessment and authorization and program management.

What Is the FAIR Model?

The FAIR model decomposes risk into quantifiable components. The two primary components of risk defined by the FAIR model are event frequency and loss magnitude. How often will a security event occur and how much of a financial loss will be accrued? Performing statistical analysis on these components results in a probability of the security event occurring and the expected financial exposure of that event being realized. The power of this model is that it equips CISOs and security professionals to communicate security risk in financial terms, which is the universal business language for executives and the board room.

The FAIR model standardizes the language of risk management within the organization. By using FAIR-based definitions of risk and threats (which are often used interchangeably), business functions, lines of business and executive leadership teams can now speak the same language. The FAIR model defines asset, threat, effect and risk as:

  • Asset: Thing of value that the organization seeks to protect, both tangible and non-tangible
  • Threat: Agent that acts against the asset in a way that can result in loss to the organization
  • Effect: Type of loss that would result from a successful action of the threat against the asset (commonly referred to as CIA: confidentiality, integrity and availability)
  • Risk: Probable frequency and probable magnitude of future loss

The FAIR model does not replace an enterprise-wide risk assessment, but a risk quantification analysis that leverages the FAIR model should be an integral part of your organization’s security journey. The FAIR model is a risk management framework that changes the approach of risk assessments and overall security strategy.


How Does FAIR Map to NIST CSF?

NIST provides informative references for a risk management framework, providing detailed risk domain controls for organizations to use as a starting point for implementation of each category within the NIST CSF. The FAIR model is published as an informative reference to NIST CSF. In the NIST Informative Reference Catalog, you can see the FAIR model mapped to the “risk analysis mapping” and “risk taxonomy mapping” subcategories of NIST CSF.

The NIST CSF has two main risk management categories, risk assessment and risk management strategy, which are given identification labels:

NIST CSF Category          ID
Risk Assessment            ID.RA
Risk Management Strategy   ID.RM

Within the risk assessment category, there are six control objectives or subcategories:

  • ID.RA-1: Asset vulnerabilities are identified and documented.
  • ID.RA-2: Threat and vulnerability information is received from information-sharing forums and sources.
  • ID.RA-3: Threats, both internal and external, are identified and documented.
  • ID.RA-4: Potential business impacts and likelihoods are identified.
  • ID.RA-5: Threats, vulnerabilities, likelihoods and impacts are used to determine risk.
  • ID.RA-6: Risk responses are identified and prioritized.

The FAIR model solves for control ID.RA-4 by quantifying business impact in financial terms and calculating likelihoods or probabilities of security events occurring. There is a direct mapping between the FAIR model and NIST CSF. Furthermore, the FAIR model can be used to inform the risk management strategy category, which consists of the following controls:

  • ID.RM-1: Establish your risk management processes.
  • ID.RM-2: Determine your organization’s risk tolerances.
  • ID.RM-3: Use your infrastructure’s role to guide decisions.

Using the FAIR model provides a common language to inform your risk management processes, and its quantitative method can help inform your risk tolerances.
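The following script is an added illustration (not code from IBM, Cimpress, or The Open Group) of the FAIR decomposition described earlier and of how it serves ID.RA-4 (likelihood and business impact) and ID.RM-2 (risk tolerance): it draws loss event frequency and loss magnitude from calibrated estimates, runs a Monte Carlo simulation, and compares the resulting tail exposure with a stated appetite. The scenario numbers, the PERT distribution shape and the 90th-percentile tolerance rule are assumptions chosen for the example.

```python
import math
import random
import statistics

# Constructed scenario: calibrated (min, most likely, max) estimates, as a FAIR
# analysis would collect them. Loss event frequency is in events per year, loss
# magnitude in dollars per event. These numbers are illustrative assumptions.
SCENARIO = {
    "lef": (0.1, 0.5, 2.0),               # loss event frequency (events/year)
    "lm": (50_000, 200_000, 1_000_000),   # loss magnitude ($ per event)
}

def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a PERT distribution fitted to a (min, most likely, max) estimate."""
    if high == low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)

def poisson_sample(rng, lam):
    """Number of loss events in one year given an annual rate (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate(scenario, years=10_000, seed=7):
    """Monte Carlo over simulated years: frequency x magnitude -> annual loss exposure."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = pert_sample(rng, *scenario["lef"])
        events = poisson_sample(rng, rate)
        losses.append(sum(pert_sample(rng, *scenario["lm"]) for _ in range(events)))
    losses.sort()
    return {
        "ale": statistics.fmean(losses),                         # annualized loss expectancy
        "p_any_loss": sum(1 for x in losses if x > 0) / years,   # ID.RA-4 likelihood
        "p50": losses[years // 2],
        "p90": losses[int(0.9 * years)],                         # tail used for tolerance check
    }

def within_tolerance(result, tolerance):
    """ID.RM-2 style decision rule: 90th-percentile annual loss must not exceed appetite."""
    return result["p90"] <= tolerance
```

Calling simulate(SCENARIO) returns the annualized loss expectancy, the probability of at least one loss in a year, and the median and 90th-percentile annual loss; within_tolerance(result, appetite) turns that tail figure into a yes/no answer against a dollar tolerance the business has set.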

Leveraging Open Source/Standards for Risk Management

IBM is a leader in innovating in the open, and the FAIR model meets this approach as an open standard that is managed by The Open Group. The Open Group is a global consortium that enables the achievement of business objectives through technology standards and has created standards in the areas of risk and security for over 20 years. The beauty of using open standards, such as the FAIR model, is that they are available for all to implement, and there’s knowledge sharing between those who have implemented the standard. Organizations that have implemented the FAIR model can learn from each other’s experiences and inform risk management best practices within and across industries. As a proponent of information exchange and shaping the future of technology, IBM is a founding member of The Open Group.

Bringing the CISO to the Board Room

CISOs leverage many standards and frameworks to build security programs and protect their businesses from security threats. Now CISOs can combine the FAIR model with NIST CSF to quantify cybersecurity risk in terms that the board and C-suite want to hear — dollars and cents. By quantifying security risk in financial terms, we help security executives effectively communicate to the board and also advise the board on risk management programs.
