Open FAIR and Quantitative Risk Analysis

The Open Group Security Forum manages and updates the Open FAIR™ (Factor Analysis of Information Risk) Body of Knowledge (BoK), which comprises The Open Group Risk Taxonomy (O-RT) Standard and The Open Group Risk Analysis (O-RA) Standard. The Open Group initiated a standards effort regarding FAIR ~10 years ago, and these standards are the official, open, vendor-neutral, and consensus-developed definition of FAIR. Both standards are freely available, along with related whitepapers, guides, a spreadsheet tool, and other supplementary publications.

 

A full list of risk analysis publications is available from the Security Forum.

 

Within the Security Forum, there are several active projects focused on Open FAIR and quantitative risk analysis.

 

 

Open FAIR™ Risk Analysis Example Guide Project

 

The Open FAIR Risk Analysis Example Guide Project is focused on developing the Open FAIR™ Risk Analysis Example Guide. This guide will walk readers through the qualitative example that was originally in O-RA V1.0 and O-RT V2.0 and was removed during the update to the Open FAIR Body of Knowledge. The guide will provide a quantitative version of the same example to showcase the different conclusions possible when doing a qualitative vs. a quantitative risk analysis. The quantitative version will include the rationale for any and all calibrated estimates used and will present results from the Open FAIR™ Risk Analysis Tool.

 

The guide will also provide an example of using Open FAIR risk analysis results to aid in communicating business value as well as demonstrate different ways of communicating results from an Open FAIR risk analysis within other frameworks, such as the NIST Cybersecurity Framework or ISO 27005. Both of these sections aim to provide examples of how results might be communicated and/or presented to satisfy the requirements or preferences of management/decision-makers.

 

The Open FAIR™ Risk Analysis Example Guide is being designed to include additional classes of example analyses and results communication; it will be a living document, updated over time with new examples of analyses and reports.

 

Project Facilitator:

  • Chris Carlson, C T Carlson LLC

 

Project Charter

 

To inquire about joining the Open FAIR™ Risk Analysis Example Guide Project, contact Forum Director John Linford at j.linford@opengroup.org.

 

 

Calculating Reserves for Cyber Risk Project

 

The Calculating Reserves for Cyber Risk Project is devoted to refining and finalizing two (2) contributed White Papers that show how the risk associated with information and information technology can be measured in a way commensurate with financial asset risk, to the point that capital requirements can be applied to it.

 

These White Papers will present cyber risk, as discussed in the Security Forum and standardized in Open FAIR, in a way that risk managers and analysts in a financial institution, such as a bank or trading desk, can understand and accept within their own frame of understanding risk and its management.

 

This project is currently focused on refining the first contributed White Paper so that it can be published before finalizing the second contributed White Paper.

 

Project Facilitator:

  • Mike Jerbic, Security Forum Chair

 

Project Charter

 

To inquire about joining the Calculating Reserves for Cyber Risk Project, contact Forum Director John Linford at j.linford@opengroup.org.

 

Open FAIR™ Body of Knowledge Update Project

 

In Nov. 2020, The Open Group Security Forum published a new version of the Open FAIR Body of Knowledge (BoK). This new version of the BoK comprises O-RA V2.0 and O-RT V3.0. This project sought to align the two documents, refine definitions and concepts, remove guidance from the standards and relocate it into a separate document, and update materials based on industry experience and input.

 

This project is currently focused on updating the Open FAIR™ Conformance Requirements based on updates to O-RA and O-RT. Following these revisions, the Open FAIR BoK Update Project Working Group will work closely with The Open Group Certifications Team to update the Open FAIR™ Certification Program, including the Certification Exam.

 

Project Facilitators:

  • Mike Jerbic, Security Forum Chair
  • Chris Carlson, C T Carlson LLC

 

Project Charter

 

To inquire about joining the Open FAIR Body of Knowledge Update Project, contact Forum Director John Linford at j.linford@opengroup.org.

 