FAIR, or Factor Analysis of Information Risk, is a concept that enables businesses to analyze, measure, and comprehend operational and cybersecurity risk in plain-English terms that can be directly applied to a commercial setting. It gives a company a greater overall picture of risk from several perspectives and goes beyond just ensuring compliance with laws and "best practices." The FAIR approach breaks down risk by identifying and defining the risk model, then evaluating the elements that affect IT risk and how they interact with one another.


How it works


FAIR divides risk into two categories: Loss Event Frequency (which calculates the amount of time lost due to a potential danger) and Loss Magnitude (the likely outcome of a successful threat).


  • Loss Event Frequency
    • Contact — threat's temporal existence and potential contact with an asset
    • Action — likelihood that a threat may be carried out against an asset
    • Vulnerability — possibility that a resource won't be able to fend off a dangerous actor
  • Loss Magnitude
    • Primary Loss Factors 
    • Secondary Loss Factors
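
The factor tree above can be turned into a small Monte Carlo estimate of annual loss. This is an added example, not part of the original article or of any FAIR tooling. It assumes Loss Event Frequency is counted as loss events per year and that each estimate is a (low, mode, high) triangular range; the `Scenario` fields and all figures are constructed for illustration.

```python
import random
import statistics
from dataclasses import dataclass

# All figures below are constructed sample estimates, not data from the article.
@dataclass
class Scenario:
    contact_per_year: tuple   # (low, mode, high) contacts between threat and asset
    p_action: float           # chance a contact turns into an attempt (Action)
    vulnerability: float      # chance the asset fails to resist an attempt
    primary_loss: tuple       # (low, mode, high) direct cost per loss event
    p_secondary: float        # chance an event also triggers secondary loss
    secondary_loss: tuple     # (low, mode, high) follow-on cost per loss event

def _tri(rng, est):
    low, mode, high = est
    return rng.triangular(low, high, mode)  # stdlib order is (low, high, mode)

def simulate_year(s, rng):
    """Return (loss_events, total_loss) for one simulated year."""
    contacts = round(_tri(rng, s.contact_per_year))
    events, loss = 0, 0.0
    for _ in range(contacts):
        # Loss Event Frequency branch: Contact -> Action -> Vulnerability
        if rng.random() < s.p_action and rng.random() < s.vulnerability:
            events += 1
            # Loss Magnitude branch: primary always, secondary sometimes
            loss += _tri(rng, s.primary_loss)
            if rng.random() < s.p_secondary:
                loss += _tri(rng, s.secondary_loss)
    return events, loss

def analyze(s, years=10_000, seed=1):
    rng = random.Random(seed)
    runs = [simulate_year(s, rng) for _ in range(years)]
    losses = sorted(loss for _, loss in runs)
    return {
        "mean_events_per_year": statistics.mean(e for e, _ in runs),
        "mean_annual_loss": statistics.mean(losses),
        "p90_annual_loss": losses[int(0.9 * len(losses))],
    }

if __name__ == "__main__":
    phishing = Scenario((20, 50, 120), 0.3, 0.1, (5_000, 20_000, 80_000),
                        0.2, (10_000, 50_000, 250_000))
    for name, value in analyze(phishing).items():
        print(f"{name}: {value:,.1f}")
```

Reporting the 90th percentile next to the mean shows the tail exposure that a single average hides, which is the figure a budget discussion usually needs.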


Pros


Because models like FAIR make it possible for the cybersecurity department and the executive level to communicate in a common language, the gap that previously existed between the two is gradually narrowing. Risk and security experts can collaborate with their coworkers to ensure that the company is making decisions that have a positive impact on all elements of the business and maximize safety. The firm as a whole benefits from this more efficient administration.


The concept is flexible and adaptable to changing and expanding risk environments. The fact that it may be utilized with other risk management frameworks to strengthen overall analysis is also advantageous. FAIR has a reliable, well-defined, and transparent classification and technology standard.



Cons

