Welcome to the SecAware blog

I spy with my beady eye ...

10 Sept 2005

FAIR risk analysis method

The FAIR (Factor Analysis of Information Risk) method is described by the author as a paradigm shift - quite a claim for yet another version of what looks like an entirely conventional risk analysis process, even one that contains a “computational engine”, no less. The author admits that FAIR is “just one way of skinning the risk analysis cat”. With pseudo-scientific language, he insists on presenting his own “definitions” (actually, curious descriptions that relate particularly to information security risk, not risk in general) for the components of risk without reference to the accepted academic theories in the field. His definition of vulnerability, for example (“The probability that an asset will be able to resist the actions of a threat agent”), is 180ยบ opposed to the normal definition, in other words high vulnerability means a high probability that an asset will NOT be able to resist a threat. The vulnerability definition goes on to confuse threat, vulnerability and control despite the author having stated that unclear terminology is one of the problems in this field. To cap it all, the method is labeled “patent pending”, a phrase with no legal standing (either it is patented or it is not - I suspect the latter).
More risk management resources

No comments:

Post a Comment