Factor Analysis of Information Risk (FAIR)

Security Risk Advisors (SRA) simplifies the process of conducting quantitative risk assessments using the Factor Analysis of Information Risk (FAIR) methodology. We bring together technical and governance expertise to identify and assess the risk within your organization, and we help you enable business leadership to make complex, risk-informed decisions on the basis of measured risk rather than qualitative ratings.

Objectives

  • Leverage the FAIR Risk Methodology to consistently measure Inherent Risk (current state) and Residual Risk (desired state after planned control enhancements)
  • Enable consistent data collection and measurement of both Loss Event Frequency and Loss Magnitude, the two factors FAIR combines to quantify risk
  • Define risk scenarios in terms of specific threat agents and data assets so that each scenario can be quantified and compared

High Level Approach

Requirements Workshop

We conduct risk management workshops to document program requirements and known risks, and plan how to incorporate the FAIR methodology.

Framework & Program Development

We integrate the FAIR Risk Management framework with your Security Strategy and Roadmap, and design program templates and materials so that the assessment process can be repeated consistently in future cycles.

Workshop & Acceptance

We conduct workshops to demonstrate the framework and new program in action. We incorporate feedback into the final templates and program documentation.

Focus Areas

Identify Crown Jewels

  • What is important to you?
  • What is your competitive advantage?
  • What is valuable to others?
  • Where do these assets live?
  • Who has access to them?

Draft Risk Scenarios

  • Are assets at risk of breach of Confidentiality, Integrity or Availability?
  • Which type of events could impact your business?
  • Which threat actors are motivated to cause risk events?

Assess Controls

  • Which controls prevent your top risk scenarios from occurring?
  • How mature are those controls?
  • Are those controls operating effectively?

Enhancement

  • How should you prioritize control enhancements?
  • How will you utilize risk to drive new initiatives?
  • How can you justify the cost of controls against potential loss?
  • How will you identify new and emerging risks?
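The Objectives above call for measuring Loss Event Frequency and Loss Magnitude, and the Enhancement questions ask how control cost can be justified against potential loss. The following is an added example, not SRA's tooling and not code from the original page: a self-contained Monte Carlo simulation of one FAIR-style scenario in its inherent (current) and residual (after enhancement) states. The use of PERT-distributed calibrated estimates, Poisson-distributed loss-event counts, the scenario name and values, and the annual control cost are all assumptions made for illustration.

```python
"""Monte Carlo quantification of a FAIR-style risk scenario (added example).

Assumptions, not from the page: PERT-distributed calibrated estimates,
Poisson-distributed loss-event counts, and hypothetical scenario values.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Calibrated estimate as a PERT (scaled beta) distribution: min, most likely, max."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:  # degenerate estimate: a point value
            return self.low
        span = self.high - self.low
        alpha = 1 + 4 * (self.likely - self.low) / span
        beta = 1 + 4 * (self.high - self.likely) / span
        return self.low + span * rng.betavariate(alpha, beta)


@dataclass(frozen=True)
class Scenario:
    """One FAIR risk scenario: a threat agent acting against an asset."""
    name: str
    tef: Pert             # Threat Event Frequency: attempts per year
    vulnerability: Pert   # Probability (0..1) that a threat event becomes a loss event
    loss_magnitude: Pert  # Loss per loss event, in currency units


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, trials: int = 10_000, seed: int = 1) -> list:
    """Return one simulated annual loss per trial (the annualized loss distribution)."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        tef = scenario.tef.sample(rng)
        vuln = scenario.vulnerability.sample(rng)
        lef = tef * vuln  # Loss Event Frequency: loss events per year
        events = poisson(rng, lef)
        # Loss Magnitude is drawn separately for each loss event in the year
        annual_losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return annual_losses


def percentile(values, p: float) -> float:
    """Nearest-rank percentile, p in (0, 1]."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(p * len(ordered)) - 1))
    return ordered[idx]


def summarize(annual_losses) -> dict:
    """Headline figures a decision maker can compare across scenarios."""
    return {
        "mean": sum(annual_losses) / len(annual_losses),
        "median": percentile(annual_losses, 0.5),
        "p90": percentile(annual_losses, 0.9),
        "max": max(annual_losses),
        "p_any_loss": sum(1 for x in annual_losses if x > 0) / len(annual_losses),
    }


def control_value(inherent, residual, annual_control_cost: float) -> dict:
    """Expected loss avoided by moving from inherent to residual, net of control cost."""
    avoided = summarize(inherent)["mean"] - summarize(residual)["mean"]
    net = avoided - annual_control_cost
    return {"expected_loss_avoided": avoided, "net_benefit": net,
            "rosi": net / annual_control_cost if annual_control_cost else math.inf}


# Constructed, hypothetical estimates: external attacker vs. a customer database.
INHERENT = Scenario(
    name="External attacker exfiltrates customer records (current controls)",
    tef=Pert(2, 6, 20),
    vulnerability=Pert(0.05, 0.15, 0.40),
    loss_magnitude=Pert(50_000, 400_000, 3_000_000),
)
# Residual state: same threat and loss estimates, lower vulnerability after enhancements.
RESIDUAL = Scenario(
    name="External attacker exfiltrates customer records (after enhancements)",
    tef=INHERENT.tef,
    vulnerability=Pert(0.01, 0.04, 0.12),
    loss_magnitude=INHERENT.loss_magnitude,
)

if __name__ == "__main__":
    inherent, residual = simulate(INHERENT), simulate(RESIDUAL)
    for label, losses in (("inherent", inherent), ("residual", residual)):
        print(label, {k: round(v, 2) for k, v in summarize(losses).items()})
    print(control_value(inherent, residual, annual_control_cost=75_000))
```

Each trial draws a Threat Event Frequency and a Vulnerability to obtain a Loss Event Frequency, draws the number of loss events for the year, and sums an independently drawn Loss Magnitude per event; the resulting distribution, rather than a single point value, is what supports the "justify the cost of controls against potential loss" question, because the control comparison can be made at the mean, the median or a tail percentile as the business prefers.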

Want to align to another framework? Find out how we can help!

We can help you measure the effectiveness of your programs and align them to industry standards, regulations and frameworks such as ISO 27001, HIPAA, MITRE ATT&CK, and more.