As market awareness of cyber risk quantification grows, we frequently receive questions from clients and curious risk managers about FAIR (Factor Analysis of Information Risk)—what it is, whether it truly provides accurate cyber risk quantification, the effort needed to set it up and maintain, and more. Clients often ask us to compare the FAIR methodology with the Resilience approach to cyber risk quantification (CRQ) and risk management.
Given that Resilience, the proponents of the FAIR standard, and the FAIR-inspired market solutions all operate in the same orbit of concern, requests to contrast and compare us are reasonable. These are "fair" questions. However, we believe that FAIR differs from us not so much in degree of quality as in kind. While we are in the same ecosystem of cyber risk management, each of us offers a different type of contribution to the marketplace.
Before we jump in, we want to be clear that we are friends of FAIR and deeply resonate with its stated mission. We enthusiastically support and advocate shifting from a compliance-based approach to cyber risk management to one that is risk-informed and driven. We believe that cyber risk management should be a multidisciplinary approach that bridges siloed barriers by providing a common economic and financial language that makes sense to everyone involved.
What is FAIR?
With those considerations in mind, let's address FAIR directly. FAIR offers a standardized taxonomy and analysis framework for assessing and managing cyber risk in financial terms. The FAIR approach is a sophisticated quantitative risk model that requires significant effort to implement and maintain. Organizations that use FAIR can build their own implementation with general-purpose tooling (e.g., Excel, R, Python) or buy a proprietary solution such as Safe Security (which recently acquired RiskLens, one of the first commercial implementers of FAIR).
In the table below, we summarize the feedback we have received from users who have attempted to use the FAIR ontology in one form or another, successfully or otherwise.

| Benefits | Difficulties |
|---|---|
| Quantifiable risk: FAIR enables organizations to express risk in monetary terms, facilitating better decision-making and resource allocation. | Complexity: FAIR requires a deep understanding of risk analysis, statistics, and financial modeling, which can be challenging for some organizations. |
| Standardized approach: FAIR provides a consistent and repeatable methodology for risk assessment, reducing variability and improving comparability. | Data quality: FAIR relies on high-quality data, which can be difficult to obtain, especially for rare or emerging threats. |
| Comprehensive risk analysis: FAIR decomposes risk into multiple factors, including threat event frequency, vulnerability, and loss magnitude (impact), providing a holistic view of risk. | Subjectivity: Some FAIR factors, such as threat event frequency, rely on expert estimates, which introduce bias unless they come from calibrated SMEs. |
| Flexibility: FAIR can be applied to various types of risk, including cybersecurity, operational, and strategic risks. | Scalability: Applying FAIR to large, complex organizations or to many risk scenarios is resource-intensive and time-consuming. |
| | Training and expertise: Effective implementation of FAIR requires specialized training and expertise, which can be a barrier for some organizations. |
| | Integration with existing frameworks: FAIR usually has to be integrated with the risk management frameworks an organization already runs, which can be challenging. |
Balancing the benefits against the difficulties, our clientele of small- to medium-sized organizations faces relatively higher hurdles in obtaining the resources required to attempt a full implementation of FAIR. For this reason, some describe FAIR as a CRQ solution better suited to larger enterprises, which tend to have more resources available for a successful implementation.
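To make the "comprehensive risk analysis" and "subjectivity" rows above concrete, here is a minimal Monte Carlo over the FAIR factors (threat event frequency, vulnerability, primary and secondary loss magnitude). This is an added illustration written for this page; it is not Resilience's model and not the RiskLens/Safe Security implementation. The class and function names are ours, the three-point estimates in EXAMPLE_SCENARIO are constructed rather than drawn from any real data, and the modified-PERT sampler is one common way to turn calibrated SME estimates into distributions.

```python
"""Illustrative FAIR-style Monte Carlo risk quantification.

Added example: not Resilience's model and not the RiskLens/Safe Security
implementation. The scenario estimates below are constructed for illustration.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random, lam: float = 4.0) -> float:
        """Draw from a modified PERT distribution: a beta distribution
        rescaled onto [low, high] and peaked at mode (lam=4 is conventional)."""
        if self.high == self.low:
            return self.low
        span = self.high - self.low
        a = 1.0 + lam * (self.mode - self.low) / span
        b = 1.0 + lam * (self.high - self.mode) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    """One FAIR scenario: a threat acting against an asset with a loss effect."""
    tef: Estimate             # threat event frequency (events per year)
    vulnerability: Estimate   # probability a threat event becomes a loss event
    primary_loss: Estimate    # primary loss magnitude per loss event (USD)
    secondary_prob: Estimate  # probability a loss event also causes secondary loss
    secondary_loss: Estimate  # secondary loss magnitude (fines, churn, etc.), USD


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(scn: Scenario, rng: random.Random) -> float:
    """Annual loss for one trial: LEF = TEF x Vulnerability, then sum per-event losses."""
    lef = scn.tef.sample(rng) * scn.vulnerability.sample(rng)
    total = 0.0
    for _ in range(poisson(rng, lef)):
        total += scn.primary_loss.sample(rng)
        if rng.random() < scn.secondary_prob.sample(rng):
            total += scn.secondary_loss.sample(rng)
    return total


def simulate(scn: Scenario, trials: int = 10_000, seed: int = 1) -> list:
    """Run the scenario for many simulated years; returns sorted annual losses."""
    rng = random.Random(seed)
    return sorted(simulate_year(scn, rng) for _ in range(trials))


def summarize(losses: list) -> dict:
    """Annualized loss exposure (ALE) statistics from sorted trial losses."""
    n = len(losses)
    pct = lambda p: losses[min(n - 1, int(p * n))]
    return {
        "mean_ale": statistics.fmean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": losses[-1],
    }


def probability_of_exceeding(losses: list, tolerance: float) -> float:
    """Share of simulated years whose loss exceeds a risk-tolerance threshold."""
    return sum(1 for x in losses if x > tolerance) / len(losses)


# Constructed estimates for a hypothetical ransomware scenario at a mid-market firm.
EXAMPLE_SCENARIO = Scenario(
    tef=Estimate(2, 6, 20),
    vulnerability=Estimate(0.05, 0.20, 0.50),
    primary_loss=Estimate(50_000, 250_000, 2_000_000),
    secondary_prob=Estimate(0.10, 0.30, 0.60),
    secondary_loss=Estimate(100_000, 500_000, 5_000_000),
)

if __name__ == "__main__":
    losses = simulate(EXAMPLE_SCENARIO)
    for k, v in summarize(losses).items():
        print(f"{k:>8}: ${v:,.0f}")
    print(f"P(loss > $1M): {probability_of_exceeding(losses, 1_000_000):.1%}")
```

The percentiles are what a FAIR analyst presents as a loss exceedance curve, and the final line is the comparison against a stated risk tolerance. Note where the work lands: every number in EXAMPLE_SCENARIO has to come from calibrated estimators or real loss data, and repeating that for dozens of scenarios is exactly the scalability and subjectivity cost the table describes.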
How is Resilience different from FAIR?
Although the Resilience solution shares concepts with FAIR, we package and deliver our offering as a bundled, unified platform that contains a built-in incentive for us to get the CRQ as accurate as possible. First, our current market entry leads with a risk transfer product—cyber risk insurance—targeted to mid-tier businesses in the $250M–$5B range of annual revenues. Clients of our insurance product gain access to a CRQ platform tailored to the resource constraints of our target market. Our base product, Essential, includes an insurance policy and enables clients to use the self-directed platform after completing their initial onboarding.
The next step up, Edge, adds a facilitated annual subscription to the platform. This includes regular cadence calls between the client's CISO, CRO, and CFO and our Customer Success Team. The Customer Success Team exists to ensure that our clients understand the guidance from our system, namely the Quantified Cyber Action Plan (QCAP), and derive the most value from it. Their expanded support also includes opportunities to participate in leadership tabletop exercises and breach and attack simulations.
Through the cadence calls and optional exercises, we promote cross-functional understanding of cyber risk management, assisting CISOs’ efforts to translate technical cyber issues into economic and financial terms for the other C-suite functions. As we like to say, Resilience “translates bits and bytes to dollars and sense.”
The main operative distinction between us and FAIR is that we have done all the risk modeling to run in the background of our CRQ platform for our customers. The models are based on
- claims data
- publicly available firmographic data
- the expertise of our own internal security professionals.
The answers our clients provide to a limited set of "signal" questions tune our model to their specific context. This significantly increases ease of use for our customers by removing the need to supply exhaustive statistical and financial assessments of potential vulnerabilities.
Our clients have good reason to trust the accuracy of our models because we put "skin in the game." The model behind our client platform is the same model we use to support our insurance underwriting and portfolio risk management. If that model drifts from reality, our own financial survival is at stake.
We would be unable to price our insurance correctly, putting our risk partners' financial reserves at risk, and our clients would be left exposed to material risks the model understated, which in turn would drive up our claims. We have every incentive to get model accuracy right. (For those who are more technically inclined, our article "How Does Resilience Establish the Probabilities Presented in my QCAP?" provides more information about how our models are built.)
Finally, we don't believe that the choice between FAIR and Resilience has to be mutually exclusive. Of course, given the benefits and difficulties of FAIR outlined above (and how our solution maps to a particular target market), organizations should make the effort to understand those qualities thoroughly, determine whether FAIR suits their risk management needs, and plan accordingly.
However, best practices in risk management emphasize integrating multiple perspectives to avoid “frame blindness.” Therefore, we advise against relying solely on a single model to understand cyber risk. Organizations should use diverse approaches to develop effective risk management strategies and align their risk landscape with their tolerance levels.