What it does: FAIR (Factor Analysis of Information Risk) provides a model for understanding, analyzing, and quantifying cyber risk and operational risk in financial terms, according to the FAIR Institute. Unlike risk assessment frameworks whose results are qualitative color charts or numerically weighted scales, it forms the basis for a quantitative, defensible approach to managing information risk.
How it works: Developed by Jack Jones, former CISO of Nationwide Mutual Insurance, FAIR is primarily concerned with establishing well-founded probability estimates for the frequency and severity of loss events. It is not a way of running the business or a prescription for treating individual risks; rather, it gives organizations a consistent way to understand, analyze, and measure information risk.
Components include a taxonomy of information risk, a standardized nomenclature of information risk terms, a method for establishing criteria for data collection, rating scales for risk factors, a risk calculation engine, and a model for analyzing complex risk situations.
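To make the "risk calculation engine" concrete, the following is an added example (not FAIR Institute tooling or code from this page) of the kind of Monte Carlo calculation a FAIR analysis performs. It uses FAIR's top-level decomposition of risk into loss event frequency (threat event frequency times the probability that a threat event becomes a loss event) and loss magnitude (primary plus secondary loss per event), each estimated as a minimum / most likely / maximum range, and produces annualized loss exposure in currency units. The scenario numbers, the scenario name, and the triangular distribution used in place of the PERT/beta distributions typical of FAIR tooling are all assumptions made for illustration.

```python
"""Monte Carlo estimate of annualized loss exposure using FAIR's top-level factors.

Added example; the scenario values below are constructed for illustration only.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """Calibrated estimate for one factor: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular is a simple stand-in for the PERT/beta distributions FAIR
        # tooling usually uses; with low == high it returns the fixed value.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """Top-level FAIR factors for a single loss scenario."""
    name: str
    threat_event_frequency: Range   # TEF: threat events per year
    vulnerability: Range            # probability a threat event becomes a loss event
    primary_loss: Range             # direct cost per loss event (response, replacement)
    secondary_loss: Range           # fines, legal cost, customer churn per loss event


def poisson(rng: random.Random, rate: float) -> int:
    """Number of loss events in one year given an annual rate."""
    if rate <= 0:
        return 0
    if rate > 100:  # Knuth's method underflows for large rates; use the normal approximation
        return max(0, round(rng.gauss(rate, math.sqrt(rate))))
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:  # Knuth's algorithm
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> list[float]:
    """Return one simulated annual loss total per iteration (deterministic for a given seed)."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        tef = scenario.threat_event_frequency.sample(rng)
        vuln = min(1.0, max(0.0, scenario.vulnerability.sample(rng)))
        lef = tef * vuln  # loss event frequency, events per year
        total = 0.0
        for _ in range(poisson(rng, lef)):
            total += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        annual_losses.append(total)
    return annual_losses


def percentile(values: list[float], q: float) -> float:
    """Nearest-rank percentile of the simulated losses (q in 0..1)."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, round(q * (len(ordered) - 1))))
    return ordered[idx]


def summarize(annual_losses: list[float]) -> dict:
    """Statistics a decision-maker would read off the loss distribution."""
    return {
        "mean": statistics.fmean(annual_losses),       # expected annual loss
        "p50": percentile(annual_losses, 0.50),
        "p90": percentile(annual_losses, 0.90),          # a common "bad year" planning figure
        "max": max(annual_losses),
        "p_any_loss": sum(1 for x in annual_losses if x > 0) / len(annual_losses),
    }


# Constructed scenario (assumed values): phishing leading to credential theft and a data breach.
EXAMPLE_SCENARIO = Scenario(
    name="phishing -> credential theft -> customer data breach",
    threat_event_frequency=Range(5, 20, 60),
    vulnerability=Range(0.02, 0.05, 0.15),
    primary_loss=Range(20_000, 60_000, 250_000),
    secondary_loss=Range(0, 50_000, 800_000),
)

if __name__ == "__main__":
    summary = summarize(simulate(EXAMPLE_SCENARIO))
    print(EXAMPLE_SCENARIO.name)
    for key, value in summary.items():
        print(f"  {key:>10}: {value:,.2f}")
```

The output is a distribution rather than a single score: the mean supports comparing control investments against expected loss, while the 90th percentile and the probability of any loss in a year answer the "how bad could it plausibly get" question that a red/amber/green rating cannot. Reading the ranges off a calibrated estimation exercise, and keeping them in a defined taxonomy so two analysts mean the same thing by "vulnerability", is the part of FAIR the code cannot supply.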