FAIR Model

Question 1

Risk

Answer 1

Probable frequency and probable magnitude of future loss

Question 2

Risk components

Answer 2

Frequency and Magnitude

Question 3

Loss event frequency

Answer 3

How frequently a loss will materialize within a time frame

Question 4

Threat event frequency

Answer 4

Amount of times in a year a threat will act on an asset.

will attack or attempt to attack

Question 5

Vulnerability

Answer 5

Probability that threat events become loss events

Percent that will be successful.

Question 6

Loss magnitude

Answer 6

Total money lost from each event.

Primary losses and secondary losses.

Question 7

Loss flow

Answer 7

Chain of events related to losses from threat action to realization of secondary losses.

Two sections: Primary LE and Secondary LE

Question 8

PSH

Answer 8

Primary stakeholder

Question 9

Primary Stakeholder

Answer 9

(Your org)

Question 10

Secondary stakeholders

Answer 10

Anybody that has an interest in your org that can cause harm. (Business partners, customers, regulators, etc.)

Question 11

SSH

Answer 11

Secondary stakeholder

Question 12

Primary loss magnitude

Answer 12

Primary stakeholder loss that occurs directly from an event.

Question 13

Secondary loss

Answer 13

Fallout from an event.

Question 14

Secondary loss frequency

Answer 14

Probability that secondary losses will materialize.

Usually 100% for large breaches.

Question 15

Secondary loss magnitude

Answer 15

Loss from secondary stakeholder reaction to primary event.

Question 16

Contact frequency

Answer 16

How frequently an attacker comes into contact with an asset. (in a timeframe)

Question 17

Probability of action

Answer 17

Percentage of contact events that will become threat events based on a threat agents choice.

Question 18

Threat capability

Answer 18

Probable level of force that a threat is capable of applying against an asset.

Capability, skills, and resources of threat actor

Question 19

Resistance strength

Answer 19

Degree of difficulty faced by threat agent. (Percentage)

Question 20

What question does the FAIR model help answer?

Answer 20

How much risk do we have from this scenario?

Question 21

What are the components of a scenario?

Answer 21

Need a loss event

Asset
Threat
Effect the threat seeks to have on the asset.
(optional) Method/vector the threat will use.

Question 22

Contact frequency x Probability of Action=

Answer 22

Threat event frequency

Question 23

What is a conscience choice on the part of the threat to seek to harm an assets CIA?

Answer 23

Threat event

Question 24

Three types of contact in Contact Frequency

Answer 24

Random
Regular
Intentional

Question 25

Random contact

Answer 25

Tornados, bears, hurricanes,

Question 26

Random contact can be reduced by

Answer 26

Moving away from an area where a threat is possible.

Question 27

Regular contact

Answer 27

Contact events due to regular activity.

Can include regular contact by threat actors.

Question 28

Intentional contact

Answer 28

Threat intentionally seeks a particular asset.

Scanning your websites instead of random scanning

Question 29

Perceived value

Answer 29

Value of asset to the threat agent.

Question 30

Perceived level of effort

Answer 30

If a threat action requires too large an investment of time or other resources, they may choose not to attack an asset with which they have come into contact

Question 31

Perceived risk

Answer 31

Threat agent perception about risk of action.

Question 32

Secondary stakeholders examples

Answer 32

Clients
Regulators
Media
Shareholders
Etc.