Open FAIR™ (Factor Analysis of Information Risk) provides a framework for understanding, analyzing, and quantifying information risk in financial terms and it is the only international standard for the quantification of cyber security and operational risk.

“I believe every organization operating in our digital world leveraging the latest cloud computing technologies must be able to quantify their cyber risk in financial terms in order to make high quality risk-business decisions. Subjective qualitative approaches are no longer acceptable.”

The Open FAIR™ Body of Knowledge is comprised of two international standards:

  • Open Risk Taxonomy Technical Standard (O-RT). This standard defines a standard taxonomy of terms, definitions, and relationships used in risk analysis.
  • Open Risk Analysis Technical Standard (O-RA). This standard describes the process aspects associated with performing effective risk analysis.

Being able to effectively analyze and communicate cyber risk is paramount for every organization today and is key to establishing priorities, justifying budgets, and setting policy in a defensible and credible way.

While ubiquitous and simple to use, traditional qualitative analysis methods that rely on risk matrices and arbitrary risk rating scales have serious limitations and rarely involve any real rigor. There is a better way.

Open FAIR™ is the de facto standard for cyber risk quantification.

The benefits of adopting an Open FAIR™-based approach include:

  • FAIR is an open, global standard risk taxonomy and risk quantification model from The Open Group, a global standards consortium, that can express cyber risk in financial terms.
  • Without a standard model for risk, security and risk teams struggle to communicate with each other and with the business. FAIR solves this problem by facilitating improved communication and understanding of risk through the use of consistent terms and language.
  • A structured way to model risk, which leads to more thorough analysis.
  • Risk presented in financial terms, enabling cost/benefit analysis in a credible and defensible manner.
  • FAIR analyses scale to any risk factor, apply to both information and operational risk, and integrate with Enterprise Risk Management.
  • Organizations can implement Open FAIR™ in a modular fashion by plugging it into an existing risk management process. It can be phased in slowly or implemented as a forklift upgrade. It is also complementary to existing security frameworks such as the NIST Cybersecurity Framework, NIST SP 800-53, and ISO 27000.
  • Open FAIR™ quickly begins producing quantitative measures of risk that can be used to improve decision making.


FAIR was originally released to the public in 2006. It was later adopted by The Open Group in 2014, making it the only international standard for the quantification of cyber security and operational risk.

The Open Group has released numerous Open FAIR™-related publications, including two standards: O-RT, the Risk Taxonomy Standard, and O-RA, the Risk Analysis Standard. The standards and supporting documents are available from The Open Group.

Translating Cyber Risk Into The Language of Business

  • Speak in one language concerning your cyber risk.
  • Apply risk assessments to any object or asset.
  • View enterprise cyber risk in totality.
  • Challenge and defend cyber risk decisions using an advanced risk model.
  • Complete your current risk framework with a standard risk taxonomy and analysis model.