Why FAIR is different to the others ?

FAIR is an analytical risk model, whereas most information security risk methodologies in use today are Capability Maturity Models (CMM) or checklists.

Lucie Larsen

An article from

Lucie Larsen
Chief of Staff
Published
October 17, 2023
Updated
October 17, 2023
Reading time
minutes
fair differences

FAIR differences

FAIR is an analytical risk model, whereas most information security risk methodologies in use today are Capability Maturity Models (CMM) or checklists. Analytic models attempt to describe how a problem-space works by identifying the key elements that make up the environment and the relationships between those elements — e.g., Newton’s laws of the physical world described how things like gravity work. If the models are relatively accurate (no models are perfect), then analyses performed using the models should consistently align with our experience and observations. With those elements identified, measurements can be made that enable risk quantification and performance of what-if analyses, neither of which can be performed with checklist or CMM analyses.

The other methodologies answer different questions:

  • Checklist methodologies (e.g., PCI, ISO, BITS, etc.) provide inventories of practices that an organization can use to evaluate and benchmark itself against. This can be useful for identifying gaps in controls and/or for comparison against other organizations. Checklists are not useful for determining how much risk exists or for understanding the effects of changes in the risk landscape (e.g., how much more or less risk will exist if…).
  • CMM methodologies (e.g., SSE-CMM) provide a ordinal scale for rating the maturity of processes. This can be useful for evaluating the quality of processes, for setting goals, and for evaluating progress against those goals. CMM is not useful for quantifying risk or measuring the practical effect of changes in maturity.

Transform how you model, measure, and manage cyber risk.

Our FAIR-certified experts will help you prioritize your IT security investments, improve governance and increase your organization's cyber resilience.

FAIR provides the means to answer questions like:

  • How much risk does X represent?
  • How much risk do we have?
  • How much more/less risk will we have if …?
  • What are my most cost-effective options for managing risk?

Note that all three methodology types can be useful for most organizations, and should be complementary.

In this article
Cyber Risk Quantification for better decision-making

We build scalable solutions to quantify cyber risk in financial terms so organizations can make informed decisions to improve governance and resilience.

Related articles

Read more on cyber risk, ransomware attacks, regulatory compliance and cybersecurity.