FAIR Model Flashcards

1
Q

Risk

A

Probable frequency and probable magnitude of future loss

2
Q

Risk components

A

Frequency and Magnitude

3
Q

Loss event frequency

A

How frequently a loss will materialize within a time frame

4
Q

Threat event frequency

A

Number of times in a year a threat will act on an asset.

will attack or attempt to attack

5
Q

Vulnerability

A

Probability that threat events become loss events

Percent that will be successful.

6
Q

Loss magnitude

A

Total money lost from each event.

Primary losses and secondary losses.

7
Q

Loss flow

A

Chain of events related to losses from threat action to realization of secondary losses.

Two sections: Primary LE and Secondary LE

8
Q

PSH

A

Primary stakeholder

9
Q

Primary Stakeholder

A

(Your org)

10
Q

Secondary stakeholders

A

Anybody that has an interest in your org that can cause harm. (Business partners, customers, regulators, etc.)

11
Q

SSH

A

Secondary stakeholder

12
Q

Primary loss magnitude

A

Primary stakeholder loss that occurs directly from an event.

13
Q

Secondary loss

A

Fallout from an event.

14
Q

Secondary loss frequency

A

Probability that secondary losses will materialize.

Usually 100% for large breaches.

15
Q

Secondary loss magnitude

A

Loss from secondary stakeholder reaction to primary event.

16
Q

Contact frequency

A

How frequently an attacker comes into contact with an asset. (in a timeframe)

17
Q

Probability of action

A

Percentage of contact events that will become threat events based on a threat agent's choice.

18
Q

Threat capability

A

Probable level of force that a threat is capable of applying against an asset.

Capability, skills, and resources of threat actor

19
Q

Resistance strength

A

Degree of difficulty faced by threat agent. (Percentage)

20
Q

What question does the FAIR model help answer?

A

How much risk do we have from this scenario?

21
Q

What are the components of a scenario?

A

Need a loss event

Asset
Threat
Effect the threat seeks to have on the asset.
(optional) Method/vector the threat will use.

22
Q

Contact frequency × Probability of action =

A

Threat event frequency

23
Q

What is a conscious choice on the part of the threat to seek to harm an asset's CIA?

A

Threat event

24
Q

Three types of contact in Contact Frequency

A

Random
Regular
Intentional

25
Q

Random contact

A

Tornados, bears, hurricanes

26
Q

Random contact can be reduced by

A

Moving away from an area where a threat is possible.

27
Q

Regular contact

A

Contact events due to regular activity.

Can include regular contact by threat actors.

28
Q

Intentional contact

A

Threat intentionally seeks a particular asset.

Scanning your websites instead of random scanning

29
Q

Perceived value

A

Value of asset to the threat agent.

30
Q

Perceived level of effort

A

If a threat action requires too large an investment of time or other resources, the threat agent may choose not to attack an asset with which it has come into contact.

31
Q

Perceived risk

A

Threat agent perception about risk of action.

32
Q

Secondary stakeholders examples

A

Clients
Regulators
Media
Shareholders
Etc.