Factor analysis of information risk

Factor analysis of information risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. It is not a methodology for performing an enterprise (or individual) risk assessment.[1]

According to Whitman & Mattord (2013), FAIR is also a risk management framework, developed by Jack A. Jones, that can help organizations understand, analyze, and measure information risk.

A number of methodologies deal with risk management in an IT environment, or IT risk, in connection with information security management systems and standards such as the ISO/IEC 27000-series.

FAIR complements the other methodologies by providing a way to produce consistent, defensible belief statements about risk.[2]

Although the basic taxonomy and methods have been made available for non-commercial use under a Creative Commons license, FAIR itself is proprietary. Using FAIR to analyze someone else's risk for commercial gain (e.g. through consulting or as part of a software application) requires a license from RMI.[3]

  1. Technical Standard Risk Taxonomy. ISBN 1-931624-77-1. Document Number: C081. Published by The Open Group, January 2009.
  2. Technical Standard Risk Taxonomy, Section 1.5. ISBN 1-931624-77-1. Document Number: C081. Published by The Open Group, January 2009.
  3. "The Open Group - Risk Management". The Open Group. 2019.

From Wikipedia, the free encyclopedia