Factor analysis of information risk


Factor analysis of information risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. It is not a methodology for performing an enterprise (or individual) risk assessment.

According to Whitman & Mattord (2013), FAIR is a risk management framework developed by Jack A. Jones that helps organizations understand, analyze, and measure information risk.

A number of methodologies deal with risk management in an IT environment or IT risk, related to information security management systems and standards like ISO/IEC 27000-series.

FAIR seeks to provide a foundation and framework for performing risk analyses. Much of the FAIR framework can be used to strengthen, rather than replace, existing risk analysis processes like those mentioned above.

FAIR is not another risk management methodology and is not in direct competition with other risk assessment frameworks; it complements many of them.

The Open Group, a standards body, has adopted FAIR and aims to promote its use within the context of these risk assessment and management frameworks.

ISACA cites FAIR and its concepts in its Risk IT Framework that extends COBIT.

The "Build Security In" initiative of the United States Department of Homeland Security cites FAIR.

FAIR's main document is "Measuring and Managing Information Risk: A FAIR Approach".

The document first defines what risk is. The Risk and Risk Analysis section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.
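The taxonomy's practical payoff is that, once the factors are estimated as ranges rather than point values, they can be combined by simulation into a distribution of annual loss. The following is an added example, not code from the page or from the FAIR documentation: it uses only FAIR's two top-level factors, loss event frequency (LEF) and loss magnitude (LM), which the page refers to as the frequency and magnitude of loss events. The three-point (min, most likely, max) estimates, the choice of a triangular distribution for the estimates and a Poisson draw for the number of events in a year, and the scenario figures are all assumptions of this example, not values taken from the page.

```python
import math
import random


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) value with Knuth's multiplication method (std lib only)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_loss(lef, lm, iterations=20000, seed=7):
    """Monte Carlo over the two top-level FAIR factors.

    lef: (min, most_likely, max) loss events per year   -- Loss Event Frequency
    lm:  (min, most_likely, max) loss per event         -- Loss Magnitude
    Each simulated year draws a rate from the triangular LEF estimate, draws how
    many events actually occur from Poisson(rate), then sums a fresh LM draw for
    every event.  Returns the list of simulated annual losses (one per year).
    Distribution choices are this example's assumptions, not FAIR's prescription.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        rate = rng.triangular(lef[0], lef[2], lef[1])   # (low, high, mode)
        events = poisson_sample(rng, rate)
        year_loss = sum(rng.triangular(lm[0], lm[2], lm[1]) for _ in range(events))
        losses.append(year_loss)
    return losses


def percentile(values, p):
    """p-th percentile (0..100) by nearest rank on a sorted copy."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(p / 100 * len(ordered)))
    return ordered[idx]


def summarize(losses):
    """Reduce the simulated years to the figures a risk analyst reports."""
    return {
        "mean": sum(losses) / len(losses),   # annualized loss expectancy
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "max": max(losses),
    }


# Constructed estimates for one hypothetical scenario (not figures from the page):
SCENARIO_LEF = (0.1, 0.5, 2.0)            # loss events per year
SCENARIO_LM = (10_000, 50_000, 400_000)   # currency units per event

if __name__ == "__main__":
    stats = summarize(simulate_annual_loss(SCENARIO_LEF, SCENARIO_LM))
    for key, value in stats.items():
        print(f"{key:>5}: {value:,.0f}")
```

The point the summary makes is that a single "expected loss" number hides most of the information: with these inputs a large share of simulated years have no loss at all (so the 10th percentile is zero), while the 90th percentile and maximum show the tail an organization actually has to plan for. Replacing the LEF tuple with separate threat event frequency and vulnerability estimates is the natural next refinement down the taxonomy.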
