Tim Layton

Definitions for quantitative risk analysis using Open FAIR are listed in the sections below. The standards documents that define them are available from The Open Group.

Open FAIR™ (Factor Analysis of Information Risk) is the international standard for quantitative risk analysis.

Open FAIR™ provides a framework for understanding, analyzing, and quantifying information risk in financial terms. 

Adopting an Open FAIR™-based approach brings an organization benefits including:

  • Improved communication and understanding of risk through the use of consistent terms and language.
  • A structured way to model risk, which leads to more thorough analysis.
  • Risk presented in financial terms, enabling cost/benefit analysis.

2.1 Action
An act taken against an Asset by a Threat Agent; it requires that contact first occur between the Threat Agent and the Asset.

2.2 Asset
The information, information system, or information system component that is breached or impaired by the Threat Agent in a manner whereby its value is diminished or the act introduces liability to the Primary Stakeholder.

2.3 Contact Event
Occurs when a Threat Agent establishes a physical or virtual (e.g., network) connection to an Asset.

2.4 Contact Frequency (CF)
The probable frequency, within a given timeframe, that a Threat Agent will come into contact with an Asset.

2.5 Control
Any person, policy, process, or technology that has the potential to reduce the Loss Event Frequency (LEF) – Loss Prevention Controls – and/or Loss Magnitude (LM) – Loss Mitigation Controls.

2.6 FAIR
Factor Analysis of Information Risk.

2.7 Loss Event
Occurs when a Threat Agent’s action (Threat Event) is successful in breaching or impairing an Asset.


2.8 Loss Event Frequency (LEF)
The probable frequency, within a given timeframe, that a Threat Agent will inflict harm upon an Asset.

2.9 Loss Flow
The structured decomposition of how losses materialize when a Loss Event occurs.

2.10 Loss Magnitude (LM)
The probable magnitude of loss resulting from a Loss Event.

2.11 Loss Scenario
A one-sentence statement of how loss could occur, told from the perspective of the Primary Stakeholder: which Threat Agent acts against which Asset, and what loss results.

2.12 Primary Stakeholder
The person or organization that owns or is accountable for an Asset.

2.13 Probability of Action (PoA)
The probability that a Threat Agent will act against an Asset once contact occurs.

2.14 Resistance Strength (RS)
The strength of a Control, measured as a percentile, compared with the probable level of force (as embodied by the time, resources, and technological capability) that a Threat Agent is capable of applying against an Asset.

2.15 Risk
The probable frequency and probable magnitude of future loss.

2.16 Risk Analysis
The process to comprehend the nature of risk and determine the level of risk. [Source: ISO Guide 73:2009]

2.17 Risk Assessment
The overall process of risk identification, risk analysis, and risk evaluation. [Source: ISO Guide 73:2009]

2.18 Risk Factors
The individual components that determine risk, including Loss Event Frequency, Loss Magnitude, Threat Event Frequency, etc.


2.19 Risk Management
Coordinated activities to direct and control an organization with regard to risk. [Source: ISO Guide 73:2009]

2.20 Secondary Stakeholder
Individuals or organizations that may be affected by events that occur to Assets outside of their control. For example, consumers are Secondary Stakeholders in a scenario where their personal private information may be inappropriately disclosed or stolen.

2.21 Threat
Anything that is capable of acting in a manner resulting in harm to an Asset and/or organization; for example, acts of God (weather, geological events, etc.), malicious actors, errors, failures.

2.22 Threat Agent
Any agent (e.g., object, substance, human) that is capable of acting against an Asset in a manner that can result in harm.

2.23 Threat Capability (TCap)
The probable level of force (as embodied by the time, resources, and technological capability) that a Threat Agent is capable of applying against an Asset.

2.24 Threat Community
A subset of the overall Threat Agent population that shares key characteristics.

2.25 Threat Event
Occurs when a Threat Agent acts against an Asset.

2.26 Threat Event Frequency (TEF)
The probable frequency, within a given timeframe, that a Threat Agent will act against an Asset.

2.27 Vulnerability (Vuln)
The probability that a Threat Event will become a Loss Event; that is, the probability that Threat Capability exceeds Resistance Strength. (Synonym: Susceptibility)
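The definitions above compose into a factor tree: Contact Frequency and Probability of Action give Threat Event Frequency (2.4, 2.13, 2.26); Threat Capability compared with Resistance Strength gives Vulnerability (2.14, 2.23, 2.27); Threat Event Frequency and Vulnerability give Loss Event Frequency (2.8); and Loss Event Frequency with Loss Magnitude gives Risk (2.10, 2.15). The following is an added example, not code from the page or from The Open Group, that runs that tree as a small Monte Carlo simulation using only the Python standard library. The `Estimate` triangular distributions, the `LossScenario` class, the credential-stuffing scenario and every number in it are constructed, hypothetical inputs chosen to illustrate the mechanics, not calibrated estimates.

```python
"""
Added example (not from the page or The Open Group): the Open FAIR factor tree
assembled from the definitions above, run as a small Monte Carlo simulation.

    Risk = LEF x LM
    LEF  = TEF x Vuln
    TEF  = CF  x PoA
    Vuln = P(TCap > RS)

Every numeric input below is a constructed, hypothetical estimate.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A (minimum, most likely, maximum) estimate for one risk factor.
    Modelled as a triangular distribution for simplicity (an assumption)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular returns `low` when low == high, so point estimates work too.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class LossScenario:
    """One Loss Scenario (2.11): a Threat Agent acting against an Asset."""
    name: str
    contact_frequency: Estimate      # CF: contacts per year (2.4)
    probability_of_action: Estimate  # PoA: 0..1 (2.13)
    threat_capability: Estimate      # TCap: percentile 0..100 (2.23)
    resistance_strength: Estimate    # RS: percentile 0..100 (2.14)
    loss_magnitude: Estimate         # LM: currency per Loss Event (2.10)


def poisson(rng: random.Random, rate: float) -> int:
    """Number of events in one year given an annual rate (Knuth's algorithm)."""
    limit = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def vulnerability(tcap: Estimate, rs: Estimate, trials: int = 10_000, seed: int = 1) -> float:
    """Vuln (2.27): the fraction of trials in which sampled TCap exceeds sampled RS."""
    rng = random.Random(seed)
    wins = sum(1 for _ in range(trials) if tcap.sample(rng) > rs.sample(rng))
    return wins / trials


def simulate_year(s: LossScenario, rng: random.Random) -> tuple[int, int, float]:
    """One simulated year: returns (Threat Events, Loss Events, total loss)."""
    tef = s.contact_frequency.sample(rng) * s.probability_of_action.sample(rng)  # TEF (2.26)
    threat_events = poisson(rng, tef)                                            # 2.25
    loss_events, total_loss = 0, 0.0
    for _ in range(threat_events):
        # A Threat Event becomes a Loss Event only when TCap beats RS (2.7, 2.27).
        if s.threat_capability.sample(rng) > s.resistance_strength.sample(rng):
            loss_events += 1
            total_loss += s.loss_magnitude.sample(rng)                           # LM (2.10)
    return threat_events, loss_events, total_loss


def simulate(s: LossScenario, years: int = 10_000, seed: int = 1) -> dict:
    """Risk (2.15) as annualised LEF and loss statistics over many simulated years."""
    rng = random.Random(seed)
    results = [simulate_year(s, rng) for _ in range(years)]
    losses = sorted(r[2] for r in results)
    threat_events = sum(r[0] for r in results)
    loss_events = sum(r[1] for r in results)
    return {
        "tef_per_year": threat_events / years,
        "lef_per_year": loss_events / years,                                     # LEF (2.8)
        "vulnerability": loss_events / threat_events if threat_events else 0.0,
        "ale_mean": sum(losses) / years,            # mean annualised loss exposure
        "ale_p90": losses[int(0.9 * (years - 1))],  # a bad (90th percentile) year
    }


# Constructed, hypothetical scenario: credential stuffing against a customer portal.
CREDENTIAL_STUFFING = LossScenario(
    name="External criminal actors credential-stuff the customer portal",
    contact_frequency=Estimate(12, 52, 200),
    probability_of_action=Estimate(0.2, 0.5, 0.9),
    threat_capability=Estimate(30, 60, 95),
    resistance_strength=Estimate(40, 70, 90),
    loss_magnitude=Estimate(5_000, 40_000, 250_000),
)

if __name__ == "__main__":
    for key, value in simulate(CREDENTIAL_STUFFING).items():
        print(f"{key:>14}: {value:,.3f}")
```

Two things worth noticing when running it. Raising Resistance Strength (a Loss Prevention Control, 2.5) lowers `vulnerability` and therefore `lef_per_year` without touching `loss_magnitude`, while a Loss Mitigation Control changes only the loss distribution; the two kinds of control are separable in the tree. And a scenario with zero Contact Frequency yields zero Threat Events and therefore zero Risk no matter how weak the Asset is, which is the point of 2.3: a Loss Event requires contact, then action, then success.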
