
Factor analysis of information risk


Factor analysis of information risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. It is not a methodology for performing an enterprise (or individual) risk assessment.

FAIR is also a risk management framework developed by Jack A. Jones, and it can help organizations understand, analyze, and measure information risk according to Whitman & Mattord (2013).

A number of methodologies deal with risk management in an IT environment or IT risk, related to information security management systems and standards like the ISO/IEC 27000-series. FAIR complements the other methodologies by providing a way to produce consistent, defensible belief statements about risk.

Although the basic taxonomy and methods have been made available for non-commercial use under a Creative Commons license, FAIR itself is proprietary. Using FAIR to analyze someone else's risk for commercial gain (e.g. through consulting or as part of a software application) requires a license from RMI.

Documentation

FAIR's main document is "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006. The contents of this white paper and the FAIR framework itself are released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 license.

The document first defines what risk is. The Risk and Risk Analysis section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.

The Controls section briefly introduces the three dimensions of a controls landscape. Measuring Risk briefly discusses measurement concepts and challenges, and then provides a high-level discussion of risk factor measurements.

Main concepts

FAIR underlines that risk is an uncertain event and one should not focus on what is possible, but on how probable a given event is. This probabilistic approach is applied to every factor that is analyzed. The risk is the probability of a loss tied to an asset. In FAIR, risk is defined as the "probable frequency and probable magnitude of future loss." FAIR further decomposes risk by breaking down the different factors that make up probable frequency and probable loss, each of which can be measured as a quantifiable number. These factors include: Threat Event Frequency, Contact Frequency, Probability of Action, Vulnerability, Threat Capability, Difficulty, Loss Event Frequency, Primary Loss Magnitude, Secondary Loss Event Frequency, Secondary Loss Magnitude, and Secondary Risk.

Asset

An asset's loss potential stems from the value it represents and/or the liability it introduces to an organization. For example, customer information provides value through its role in generating revenue for a commercial organization. That same information also can introduce liability to the organization if a legal duty exists to protect it, or if customers have an expectation that the information about them will be appropriately protected.

FAIR defines six kinds of loss:

Productivity – a reduction in the organization's ability to effectively produce goods or services in order to generate value
Response – the resources spent while acting following an adverse event
Replacement – the expense to substitute/repair an affected asset
Fines and judgments (F/J) – the cost of the overall legal procedure deriving from the adverse event
Competitive advantage (CA) – missed opportunities due to the security incident
Reputation – missed opportunities or sales due to the diminished corporate image following the event

FAIR defines value/liability as:

Critical – the effect on the organization's productivity
Cost – the bare cost of the asset, i.e. the cost of replacing a compromised asset
Sensitivity – the cost associated with the disclosure of the information, further divided into:
  Embarrassment – the disclosure reveals inappropriate behavior by the management of the company
  Competitive advantage – the loss of competitive advantage tied to the disclosure
  Legal/regulatory – the cost associated with the possible law violations
  General – other losses tied to the sensitivity of the data

Threat

Threat agents can be grouped by Threat Communities, subsets of the overall threat agent population that share key characteristics. Threat communities must be precisely defined in order to effectively evaluate effect (loss magnitude).

Threat agents can act differently on an asset:

Access – read the data without proper authorization
Misuse – use the asset without authorization and/or differently from the intended usage
Disclose – the agent lets other people access the data
Modify – change the asset (data or configuration modification)
Deny access – the threat agent does not let the legitimate intended users access the asset

These actions can affect different assets in different ways: the effect varies with the characteristics of the asset and its usage. Some assets have high criticality but low sensitivity: denial of access has a much higher effect than disclosure on such assets. On the other hand, an asset with highly sensitive data can have a low productivity effect if not available, but an embarrassment and legal effect if that data is disclosed: for example, the availability of former patient health data does not affect a healthcare organization's productivity, but its disclosure can cost the organization millions of dollars. A single event can involve different assets: a affects the availability of the laptop itself but can lead to the potential disclosure of the information stored on it.

The combination of an asset's characteristics and the type of action against that asset determines the fundamental nature and degree of loss.

See also

Information security management
ISACA
ISO/IEC 27001
Risk management
Vulnerability (computing)

Notes and references

Technical Standard Risk Taxonomy. ISBN 1-931624-77-1. Document Number: C081. Published by The Open Group, January 2009.
Technical Standard Risk Taxonomy, Section 1.5. ISBN 1-931624-77-1. Document Number: C081. Published by The Open Group, January 2009.
"The Open Group - Risk Management". The Open Group. 2019.
"An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006.
Freund, Jack; Jones, Jack (2015). Measuring and Managing Information Risk. Waltham, MA: Butterworth-Heinemann. ISBN 9780127999326.
Friedman, Terry (27 January 2009). "VA will pay $ 20 million to settle lawsuit over stolen laptop's data". CNN. Retrieved 1 February 2022.

Works cited

Whitman, Michael E.; Mattord, Herbert J. (18 October 2013). Management of Information Security. Cengage Learning. ISBN 978-1-305-15603-6.
