What is FAIR (Factor Analysis of Information Risk)?

Summary:

In this insightful episode, Timothy De Block sits down with Jack Jones, the creator of the Factor Analysis of Information Risk (FAIR) model. Jack shares his journey and the challenges he faced that led to the creation of FAIR, a groundbreaking framework for understanding and quantifying information risk.

Episode Highlights:

Introduction to FAIR:

  • FAIR stands for Factor Analysis of Information Risk.

  • It is a logical decomposition of the factors that drive how much loss exposure a scenario represents.

Jack's Catalyst for Creating FAIR:

  • The need for a quantifiable measurement of risk during his tenure as a CISO at Nationwide Insurance.

  • The pivotal moment when an executive asked him to quantify the organization's risk exposure.

Understanding Quantitative vs. Qualitative Risk:

  • Quantitative risk involves using units of measurement like percentages and dollar amounts.

  • Qualitative risk is ordinal and involves categories like high, medium, and low without precise measurement units.

Applying FAIR in Organizations:

  • The process of using FAIR starts with understanding the decision you need to support, then scoping the scenario, identifying the assets, threats, and controls involved, and using ranges to estimate frequency and impact.

  • FAIR helps prioritize risks and determine the ROI of security investments.
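
The range-based estimation described above, worked through as an added example (not code from the episode, Jack Jones, or the FAIR Institute): each factor is given as a minimum, most likely, and maximum, a Monte Carlo run turns those ranges into a distribution of annualized loss, and two runs are compared to value a control. The triangular distribution, the `Range` and `simulate_ale` names, and the phishing scenario numbers are all assumptions made for this illustration.

```python
"""Monte Carlo estimate of annualized loss exposure from FAIR-style ranges.

Added illustration only; the distribution choice and the scenario
figures are constructed for this example.
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Range:
    """A calibrated estimate expressed as minimum, most likely, and maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution as a simple stand-in for the PERT curves
        # commonly used in FAIR tooling (an assumption for this example).
        return rng.triangular(self.low, self.high, self.mode)


def simulate_ale(lef: Range, magnitude: Range,
                 trials: int = 10_000, seed: int = 1) -> list[float]:
    """Return one annualized loss figure per trial.

    lef: loss event frequency, events per year
    magnitude: loss magnitude, dollars per event
    """
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    return [lef.sample(rng) * magnitude.sample(rng) for _ in range(trials)]


def summarize(losses: list[float]) -> dict[str, float]:
    """Mean plus the percentiles decision-makers usually ask for."""
    ordered = sorted(losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"mean": mean(ordered), "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


def control_roi(before: list[float], after: list[float], annual_cost: float) -> float:
    """Expected annual loss avoided by a control, net of what the control costs."""
    return (mean(before) - mean(after)) - annual_cost


if __name__ == "__main__":
    # Constructed scenario: phishing leading to credential theft on a customer portal.
    same_impact = Range(20_000, 75_000, 400_000)
    current = simulate_ale(Range(0.5, 2.0, 6.0), same_impact)
    with_mfa = simulate_ale(Range(0.1, 0.4, 1.5), same_impact)  # MFA lowers frequency
    print("current :", {k: round(v) for k, v in summarize(current).items()})
    print("with MFA:", {k: round(v) for k, v in summarize(with_mfa).items()})
    print("net annual value of MFA:", round(control_roi(current, with_mfa, 60_000)))
```

Because the output is a distribution rather than a single number, the p90 figure is the one to quote when the decision hinges on worst plausible years, while the mean drives the ROI comparison.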

Challenges and Solutions in Using FAIR:

  • Common challenges include the perception that perfect data is needed, the skills gap, and the complexity of scaling quantitative analysis.

  • Leveraging community resources, training, and new automated solutions from vendors can help overcome these challenges.

Resources and Training:

  • The FAIR Institute offers free membership and extensive resources.

  • The Open Group provides professional certification and training materials.

  • The book "Measuring and Managing Information Risk: A FAIR Approach" is a recommended read.

Key Quotes:

  • "FAIR is about critically thinking about risk. The quantitative measurement is a bonus, but it's really a framework for thinking more clearly about the scenarios we need to manage against." - Jack Jones

  • "Protecting applications from session hijacking involves understanding the application's handling of temporary credentials and implementing robust security measures." - Jack Jones

Contact Information:

Leave a comment below, use the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.

Check out our services page and reach out if you see any services that fit your needs.
