FAIR Methodology

What is FAIR?

FAIR is the Factor Analysis of IT and Information Risk and is a major component of our Blue Team services and contributes to our Security Strategy Consulting. It is a comprehensive framework for creating and maintaining a threat-modelled information risk process based on past experiences, up‐to‐date intelligence feeds, recognition of trends, and a valuation of the organisational assets.

The unique methodology incorporates penetration tests & security exercises with a level of complexity that mirrors the approach and methods of today’s threats, and delivers a uniquely quantified risk analysis that informs all stakeholders in the organisation of the probabilities, vulnerabilities, and impacts.

Why do organisations need it now?

Organisations are faced with a rapidly growing exposure to security risk, and with specific regard to cyber security there is a pressing need to prioritise investment where it is most needed. In fact, few organisations have a comprehensive map of assets and processes that quantifies risk against converged threats.

Security management as a discipline often lacks the perspective that risk management is built upon, and a move towards integrating risk and security into a conjoint approach has many merits. With a limited view of the financial risk to the organisation, leaders are challenged in how to view investment in further security measures, controls, and technologies.

Risk assessment methodologies are still somewhat deficient in being able to cater for the full spectrum of external threats and internal vulnerabilities, particularly in relation to cyber risk. There are few methodologies that are appropriate to the task of accurately identifying vulnerabilities & exposure, and integrating current threat modelling and dataflow protection into a quantitative risk model.

The FAIR methodology enables decision-making on security-related issues, based on accurate threat modelling, a quantifiable asset valuation, and ‘what if’ scenarios that consider both the deterrence value of a security measure or process and its cost.

Once established, decision‐making and risk management can be more confidently business-oriented.

Senior management can define its risk tolerance for each of the assets or processes, by analysing the risk capacity, identifying the resources & capabilities that the organisation already possesses to mitigate the risk, and any applicable regulation that may contribute to defining the risk tolerance.

Any value propositions that would affect the risk model can be analysed, and the overall impact to the risk posture calculated, along with the required internal and capital resources of such a proposition.

Finally, the organisation can view the comprehensive risk model along with all the alternatives for impacting the risk posture and their cost & resource impacts in a way that allows informed decision-making processes.

What does it entail?

Intelligence Gathering

Performed on two levels – informational and human

Business Process Mapping

Identifying data flows in the organisation and critical processes to be used later in the threat modelling and risk management process.

Asset Mapping

Provides the organisation a clear view of all its assets, including ‘replacement’ value, additional intrinsic values from a compliance standpoint, and a marketing/competitive damages value. Values may differ with each threat scenario and as such they all need to be defined and available for the threat modelling and risk modelling.

Vulnerability and Exposure Analysis

Assets are located and accessed everywhere, in digital as well as physical form. Analysis is not limited to technical vulnerabilities, but also includes risks to business processes, 3rd party providers involved in the process, and every other aspect of the asset lifecycle, including the human element. Our Red Team testing for businesses encapsulates this attitude, as it takes into account all aspects of the business’ operating environment.

A register of vulnerabilities is constructed, incorporating the countermeasures identified and classified accordingly, and key technical evaluations focus on less standard devices such as mobile equipment, to simulate the approach of a motivated attacker.

Threat Modelling

Relevant threats for each asset are identified, correlated to the intelligence gathered, and evaluated on the basis of the threat’s exposure frequency to the asset, and its capability to successfully attack the asset.

Dataflow Protection Analysis

This phase analyses any measures designed to detect incorrect data flows. It includes DLP systems (Data Leak Protection/Prevention) as well as the business processes in place to prevent information from reaching the wrong places, within or outside the organisation.

All the communication systems should be included in this phase – data, voice, image, and physical.

Risk Modelling

A risk model is constructed from the expected frequency of a security incident and the severity of such an incident, for every identified asset. A quantitative value is then assigned to each, based on the expected liability it yields and its probability or frequency.

What-If Modelling

What‐if scenarios are analysed both for incident handling and for placing, removing, and modifying controls over information assets. This modelling is critical in the decision-making process for organisations that need to adapt to a changing landscape, or when the acquisition of a new technology is evaluated. Both infrastructure and security measures are modelled to see how they affect the overall future risk posture of the business.
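The Threat Modelling, Risk Modelling and What-If Modelling phases above all rest on the same arithmetic: a threat's exposure frequency to an asset, multiplied by the probability that it succeeds, gives a loss event frequency; that frequency multiplied by the loss per event gives an annualised loss; and a what-if scenario re-runs the model with a control in place and compares the result against the control's cost. The following Python is an added illustration of that arithmetic, not code from the original page or from the service provider it describes. It assumes the standard FAIR decomposition (risk = loss event frequency x loss magnitude, with loss event frequency = threat event frequency x vulnerability), and every scenario figure in it is constructed for the example.

```python
# Added example (not from the original page): a minimal FAIR-style risk model
# with a what-if comparison of a proposed control. All scenario numbers are
# constructed for illustration, not figures taken from the page.
from dataclasses import dataclass, replace
import random
import statistics


@dataclass(frozen=True)
class Scenario:
    """One threat-against-asset scenario with (low, likely, high) estimates."""
    name: str
    tef_per_year: tuple      # threat event frequency: (low, likely, high) events/year
    vulnerability: float     # probability that a threat event becomes a loss event
    loss_per_event: tuple    # loss magnitude: (low, likely, high) in currency units


def tri_mean(low_likely_high):
    """Mean of a triangular distribution given as (low, likely, high)."""
    low, likely, high = low_likely_high
    return (low + likely + high) / 3.0


def loss_event_frequency(tef, vulnerability):
    """Loss events per year = threat event frequency x probability of success."""
    return tef * vulnerability


def expected_annual_loss(lef, loss_magnitude):
    """Annualised loss expectancy = loss events per year x loss per event."""
    return lef * loss_magnitude


def point_estimate(scenario):
    """Deterministic estimate using the means of the three-point ranges."""
    lef = loss_event_frequency(tri_mean(scenario.tef_per_year), scenario.vulnerability)
    return expected_annual_loss(lef, tri_mean(scenario.loss_per_event))


def simulate(scenario, trials=10_000, seed=7):
    """Monte Carlo: sample one year many times and return the annual losses."""
    rng = random.Random(seed)
    tef_lo, tef_likely, tef_hi = scenario.tef_per_year
    loss_lo, loss_likely, loss_hi = scenario.loss_per_event
    annual_losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode)
        n_threat_events = int(round(rng.triangular(tef_lo, tef_hi, tef_likely)))
        loss = 0.0
        for _ in range(n_threat_events):
            if rng.random() < scenario.vulnerability:   # the threat succeeds
                loss += rng.triangular(loss_lo, loss_hi, loss_likely)
        annual_losses.append(loss)
    return annual_losses


def summarise(annual_losses):
    """Mean and 90th percentile of simulated annual loss."""
    losses = sorted(annual_losses)
    return {"mean": statistics.fmean(losses), "p90": losses[int(0.9 * len(losses))]}


def what_if(baseline, new_vulnerability, control_cost_per_year):
    """Compare the baseline with a control that lowers vulnerability, net of its cost."""
    controlled = replace(baseline, name=baseline.name + " + control",
                         vulnerability=new_vulnerability)
    before = point_estimate(baseline)
    after = point_estimate(controlled)
    return {
        "baseline_annual_loss": before,
        "controlled_annual_loss": after,
        "control_cost": control_cost_per_year,
        "net_benefit": before - after - control_cost_per_year,
    }


# Constructed scenario (hypothetical): phishing against a customer database.
PHISHING = Scenario(
    name="phishing -> customer database",
    tef_per_year=(2, 8, 20),
    vulnerability=0.6,
    loss_per_event=(5_000, 15_000, 50_000),
)

if __name__ == "__main__":
    print("point estimate:", round(point_estimate(PHISHING)))
    print("simulation:", summarise(simulate(PHISHING)))
    # What-if: a control assumed to cut the success probability from 0.6 to 0.2
    print("what-if:", what_if(PHISHING, 0.2, 30_000))
```

The point estimate is the single number decision-makers usually ask for; the simulation shows why it is not enough, since the 90th percentile of annual loss sits well above the mean and is the figure that matters when setting risk tolerance. The `what_if` function is the shape of the control-investment question: a control is worth funding only while the reduction in annualised loss exceeds what it costs to run.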
