FAIR (Factor Analysis of Information Risk) is a framework for threat modeling and a standard methodology for applying Value at Risk (VaR) principles to cybersecurity and operational risk. It promotes a consistent and measurable approach to analysing and quantifying risk.
FAIR approaches risk from a quantitative rather than a qualitative perspective. Traditional risk management scales that rank or order risks, for example Red-Amber-Green, High-Medium-Low, or ratings of 1-5, produce ordinal data and are qualitative in nature. FAIR provides a more precise and objective way to assess risk by focusing on numerical data, enabling better-informed decision making and a clearer understanding of the potential financial impact.
Introduction to FAIR
An introduction to FAIR by the creator, Jack Jones.
Further reading:
Video
- Introduction with Risk Quantification and FAIR with Jack Jones - YouTube, FAIR Institute
- What is FAIR (Factor Analysis of Information Risk)? - YouTube, Exploring Information Security