| Description: |
This white paper focuses primarily on general risk concepts and analysis methods. without a solid understanding of what risk is, what the factors are that drive risk, and without a standard nomenclature, we can’t be consistent or truly effective in using any method. FAIR (Factor Analysis for Information Risk) seeks to provide this foundation of understanding, as well as a framework for performing risk analyses. Much of the FAIR framework can be used to strengthen, rather than replace, existing risk analysis processes.
Risk and risk analysis are large and complex subjects. Consequently, this document aims to balance the need to provide enough information so that risk concepts and the FAIR framework are clear and useful, and yet keep the length manageable. The result is a White Paper that provides an introduction and primer. For example, the scope in this White paper is limited to only include the human malicious threat landscape, leaving out threat events associated with error, failure, or
acts of God. Some of the deeper, more complex elements of the framework also have been left out, and other elements have been brushed over lightly. Further development will cover these aspects.
This White Paper explains the fundamental challenges on risk which face the information security profession. It also briefly introduces some of the concepts that are fundamental to overcoming these challenges. Before we can reasonably discuss the factors that drive risk, we first have to come to a common understanding of what risk is - its underlying nature and concepts, and some of the realities surrounding risk analysis and probabilities. This provides a common foundation for understanding and applying FAIR.
|
