FAIR Risk Methodology

The article “FAIR (Factor Analysis of Information Risk): Basic Risk Assessment Guide” presents the methodology in four major stages comprising ten steps.

Stage one

Step one

This step involves the identification of the asset at risk. To estimate the control and value characteristics that the risk analysis depends on, the analyst must first identify the object under evaluation. If the analysis is multilevel, the analyst will need to evaluate the object at risk and all the meta-objects existing between the threat community and the primary asset (Lajoux, Alexandra, and Elson, 32).

Step two

This step involves the identification of the threat community, which is important in the estimation of the Threat Event Frequency and Threat Capability. When evaluating risks associated with malicious actions, the analyst will be required to decide whether the threat community is malware or human, and external or internal.

Stage two

This second stage evaluates loss event frequency and involves the following steps.

Step three

This is the first step under this stage and the third step of the whole process. It estimates the threat event frequency, which is the probable frequency, within a given time frame, that a threat agent will act against an asset. Contributing factors to this step include probability of action and contact frequency.

Step four

This step estimates threat capability, which is the probable level of force that a threat agent is able to apply against an asset. Contributing factors under this step include resources and skill (Lajoux, Alexandra, and Charles Elson, 38-9).

Step five

This is the control strength step. Control strength is the expected effectiveness of controls over a given timeframe, measured against a baseline level of force. Contributing factors under this step include assurance and strength.

Step six

This step is the vulnerability analysis, which estimates the probability that an asset will not be able to resist the actions of the threat agent. The analysis in this step is closely related to the results of the analysis in steps four and five.

Step seven

This step involves the analysis of loss event frequency, which is the probable frequency, within a given time frame, that a threat agent will cause harm to an asset.

Stage three

This stage concerns the evaluation of probable loss magnitude and consists of the steps discussed below.

Step eight

This step involves the estimation of worst-case loss in three major steps. The first step is the determination of the threat action most likely to result in a worst-case outcome (Lajoux, Alexandra, and Elson 65). The second step is the estimation of the magnitude for each loss form that is associated with the threat action. The last step is “summing” the loss form magnitudes.

Step nine

This step involves estimating probable loss. The estimation of probable loss magnitude is done in three steps. The first step is the identification of the threat community action that is most likely. The next step is the evaluation of probable loss magnitude for every loss form, and the last step is “summing” the magnitudes.

Stage four

This is the last stage in the analysis of this methodology and it involves the derivation and articulation of risk.

Step ten

This step derives and articulates risk, that is, the probable magnitude and frequency of future loss. A properly articulated analysis should give decision makers at least two important pieces of information: “the estimated loss event frequency” and “the estimated probable loss magnitude”. The information can be displayed through charts, text, or both. In most cases, it is better to also display the “estimated high-end loss potential”, so that the decision maker is aware of the expected worst-case scenario. The strength of the FAIR methodology is that it is able to establish accurate probabilities for the magnitude and frequency of loss events. It also has a consistent framework useful in performing risk analyses (Lajoux, Alexandra and Elson 71). The weakness is that FAIR is not a risk management methodology; it is only used to complement existing methodologies. Using FAIR to analyze somebody’s risk for commercial gain is only possible after obtaining a license from RMI.
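A quantitative pass through steps three to ten, added here as an illustration and not taken from the guide or from this summary: each analyst estimate is given as a (minimum, most likely, maximum) range and sampled by Monte Carlo. The function name `fair_estimate`, the triangular distributions, the percentile scale for threat capability and control strength, the loss-form names, and every sample value are assumptions constructed for the example.

```python
import random

def fair_estimate(tef, tcap, cs, probable_loss, worst_loss, trials=20000, seed=1):
    """Steps three to ten with (min, most_likely, max) analyst estimates.

    tef: threat events per year; tcap and cs: percentiles (0-100) on the same
    force scale; probable_loss: {loss form: (min, most_likely, max)} for the
    most likely threat action; worst_loss: {loss form: magnitude} for the
    worst-case action.
    """
    rng = random.Random(seed)  # fixed seed so repeated runs give the same figures

    def draw(lo, ml, hi):
        return rng.triangular(lo, hi, ml)  # stdlib argument order is (low, high, mode)

    # Steps four to six: vulnerability is the share of trials in which the
    # sampled threat capability exceeds the sampled control strength.
    vuln = sum(draw(*tcap) > draw(*cs) for _ in range(trials)) / trials
    # Steps three and seven: loss event frequency = threat event frequency x vulnerability.
    mean_tef = sum(draw(*tef) for _ in range(trials)) / trials
    lef = mean_tef * vuln
    # Step eight: sum the loss-form magnitudes of the worst-case action.
    worst = sum(worst_loss.values())
    # Step nine: sum the loss-form magnitudes of the most likely action, averaged over trials.
    plm = sum(sum(draw(*r) for r in probable_loss.values()) for _ in range(trials)) / trials
    # Step ten: the figures a decision maker needs. The annualized product is
    # an added convenience (assumption), not something the guide prescribes.
    return {"vulnerability": vuln, "lef": lef, "plm": plm,
            "worst_case": worst, "annualized": lef * plm}

# Constructed sample estimates for one asset and one threat community.
SAMPLE = dict(
    tef=(1, 4, 12),
    tcap=(40, 70, 95),
    cs=(50, 75, 90),
    probable_loss={"productivity": (1000, 5000, 20000),
                   "response": (2000, 8000, 30000),
                   "reputation": (0, 10000, 100000)},
    worst_loss={"productivity": 50000, "response": 100000, "reputation": 1000000},
)

if __name__ == "__main__":
    for name, value in fair_estimate(**SAMPLE).items():
        print(f"{name:>14}: {value:,.2f}")
```

When the control strength range lies wholly above the threat capability range, vulnerability and loss event frequency both come out as zero, which shows how the result of step six depends on steps four and five.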

Work Cited

Lajoux, Alexandra R., and Charles Elson. The Art of M&A Due Diligence: Navigating Critical Steps & Uncovering Crucial Data. New York: McGraw-Hill, 2000. Internet resource.