Factor analysis of information risk

Factor analysis of information risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. It is not a methodology for performing an enterprise (or individual) risk assessment.

FAIR is also a risk management framework developed by Jack A. Jones, and it can help organizations understand, analyze, and measure information risk according to Whitman & Mattord (2013).

A number of methodologies deal with risk management in an IT environment or IT risk, related to information security management systems and standards like the ISO/IEC 27000-series.

FAIR complements the other methodologies by providing a way to produce consistent, defensible belief statements about risk.

Although the basic taxonomy and methods have been made available for non-commercial use under a Creative Commons license, FAIR itself is proprietary. Using FAIR to analyze someone else's risk for commercial gain (e.g. through consulting or as part of a software application) requires a license from RMI.

Documentation

FAIR's main document is "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006; the contents of this white paper and the FAIR framework itself are released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 license. The document first defines what risk is. The Risk and Risk Analysis section discusses risk concepts and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR. The Risk Landscape Components section briefly describes the four primary components that make up any risk scenario. These components have characteristics (factors) that, in combination with one another, drive risk. Risk Factoring begins to decompose information risk into its fundamental parts. The resulting taxonomy describes how the factors combine to drive risk, and establishes a foundation for the rest of the FAIR framework.

The Controls section briefly introduces the three dimensions of a controls landscape. Measuring Risk briefly discusses measurement concepts and challenges, and then provides a high-level discussion of risk factor measurements.

Main concepts

FAIR underlines that risk is an uncertain event and one should not focus on what is possible, but on how probable a given event is. This probabilistic approach is applied to every factor that is analyzed. The risk is the probability of a loss tied to an asset. In FAIR, risk is defined as the "probable frequency and probable magnitude of future loss". FAIR further decomposes risk by breaking down the different factors that make up probable frequency and probable loss, so that each can be measured as a quantifiable number. These factors include: Threat Event Frequency, Contact Frequency, Probability of Action, Vulnerability, Threat Capability, Difficulty, Loss Event Frequency, Primary Loss Magnitude, Secondary Loss Event Frequency, Secondary Loss Magnitude, and Secondary Risk.

Asset

An asset's loss potential stems from the value it represents and/or the liability it introduces to an organization. For example, customer information provides value through its role in generating revenue for a commercial organization. That same information also can introduce liability to the organization if a legal duty exists to protect it, or if customers have an expectation that the information about them will be appropriately protected.

FAIR defines six kinds of loss:

Productivity – a reduction in the organization's ability to effectively produce goods or services in order to generate value
Response – the resources spent while acting following an adverse event
Replacement – the expense to substitute/repair an affected asset
Fines and judgments (F/J) – the cost of the overall legal procedure deriving from the adverse event
Competitive advantage (CA) – missed opportunities due to the security incident
Reputation – missed opportunities or sales due to the diminished corporate image following the event

FAIR defines value/liability as:

Critical – the effect on the organization's productivity
Cost – the bare cost of the asset, the cost of replacing a compromised asset
Sensitivity – the cost associated with the disclosure of the information, further divided into:
    Embarrassment – the disclosure reveals inappropriate behavior by the management of the company
    Competitive advantage – the loss of competitive advantage tied to the disclosure
    Legal/regulatory – the cost associated with the possible law violations
    General – other losses tied to the sensitivity of the data

Threat

Threat agents can be grouped by Threat Communities, subsets of the overall threat agent population that share key characteristics. Threat communities must be precisely defined in order to effectively evaluate effect (loss magnitude).

Threat agents can act differently on an asset:

Access – read the data without proper authorization
Misuse – use the asset without authorization and/or differently from the intended usage
Disclose – the agent lets other people access the data
Modify – change the asset (data or configuration modification)
Deny access – the threat agent does not let the legitimate intended users access the asset

These actions can affect different assets in different ways: the effect varies with the characteristics of the asset and its usage. Some assets have high criticality but low sensitivity: denial of access has a much higher effect than disclosure on such assets. On the other hand, an asset with highly sensitive data can have a low productivity effect if not available, but an embarrassment and legal effect if that data is disclosed: for example, the availability of former patient health data does not affect a healthcare organization's productivity, but its disclosure can cost the organization millions of dollars. A single event can involve different assets: a laptop theft affects the availability of the laptop itself but can lead to the potential disclosure of the information stored on it.

It is the combination of an asset's characteristics and the type of action against that asset that determines the fundamental nature and degree of loss.

See also

Information security management
ISACA
ISO/IEC 27001
Risk management
Vulnerability (computing)

Notes and references

1. Technical Standard Risk Taxonomy. ISBN 1-931624-77-1. Document Number: C081. Published by The Open Group, January 2009.
2. Technical Standard Risk Taxonomy, Section 1.5. ISBN 1-931624-77-1. Document Number: C081. Published by The Open Group, January 2009.
3. "The Open Group - Risk Management". The Open Group. 2019.
4. "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006.
5. Freund, Jack; Jones, Jack (2015). Measuring and Managing Information Risk. Waltham, MA: Butterworth-Heinemann. ISBN 9780127999326.
6. Friedman, Terry (27 January 2009). "VA will pay $20 million to settle lawsuit over stolen laptop's data". CNN. Retrieved 1 February 2022.

Works cited

Whitman, Michael E.; Mattord, Herbert J. (18 October 2013). Management of Information Security. Cengage Learning. ISBN 978-1-305-15603-6.

External links

Risk Management Insight
FAIR Basic Risk assessment guide
FAIR Risk Taxonomy
Patent application
Open FAIR Certification