Skip to main content

The Open FAIR™ Standards can be applied to any risk scenario. This agnostic characteristic enables the O-RA Standard, and the companion O-RT Standard, that together form the Open FAIR Body of Knowledge, to be used as a foundation for normalizing the results of risk analyses across varied risk domains.


The Open FAIR risk analysis method is directly applicable with other standards, and the O-RT and O-RA Standards along with guidance documentation from The Open Group provide a way to quantify risk in those information security standards and frameworks in order to inform risk assessments. Practitioners who must perform information technology risk assessments to comply with other industry and regulatory standards, frameworks, and methodologies can therefore use the Open FAIR taxonomy and framework to build consistent and defensible risk statements that are measured in the same economic terms as other risks they have to manage.

Without a logical, tightly-defined taxonomy, risk analysis approaches will be significantly impaired by an inability to measure and/or estimate risk factors. This, in turn, means that management will not have the necessary information for making well-informed comparisons and choices, which will lead to inconsistent and often cost-ineffective risk management decisions. The O-RT Standard provides the clear definition of Open FAIR risk factors and risk factor relationships necessary to guide professionals in their analysis of risks.

One of the foundational areas of The Open Group Security Forum is risk analysis—specifically, quantitative risk analysis and the Open FAIR™ Body of Knowledge. Over the years, the Security Forum has updated The Open Group Risk Analysis (O-RA) Standard and The Open Group Risk Taxonomy (O-RT) Standard and published numerous supporting documents to aid both new and experienced risk analysts. Among these publications are the Open FAIR™ Risk Analysis Process Guide, the Open FAIR™ Risk Analysis Tool, and “cookbooks” demonstrating how Open FAIR fits within other risk assessment frameworks.

  • The Open FAIR™ Risk Analysis Process GuideThe Open Group Guide (G180, September 2022) offers some best practices for performing an Open FAIR risk analysis: it aims to help risk analysts understand how to apply the Open FAIR risk analysis methodology.
  • The Open FAIR™ Risk Analysis Example Guide The Open Group Guide (G21A, July 2021) first compares a qualitative and quantitative version of the same risk scenario, both utilizing the Open FAIR risk analysis process. It then presents an example of using Open FAIR risk analysis to inform a business case, relying on the Open FAIR™ Risk Analysis Tool and calibrated estimates for inputs.
  • The Mathematics for the Open FAIR™ Methodology Guide The Open Group Guide (G224, September 2022), introduces the readers to the “language” of probability mathematics that will be most useful in evaluating specific risk problems that are faced. It provides an explanation of how the Open FAIR concepts are translated into probability models and a description of the options that allow different scenarios to be described.
  • The Open FAIR™ – NIST Cybersecurity Framework CookbookThe Open Group Guide (G167, October 2016), describes in detail how to apply the Open FAIR factor analysis for information risk methodology to the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework).
  • Open FAIR™ – ISO/IEC 27005 CookbookThe Open Group Guide (C103, November 2010), describes in detail how to apply the Open FAIR methodology to ISO/IEC 27005:2008. The Cookbook part of this document enables risk technology practitioners to follow by example how to apply Open FAIR to other frameworks of their choice.
Image by Gabriel Sollmann 

The Open FAIR Risk Analysis Tool can be used to perform a quantitative Open FAIR risk analysis as defined in The Open Group Risk Analysis (O-RA) and Risk Taxonomy (O-RT) standards. It is provided in the form of a Microsoft® Excel® spreadsheet.

Image by Louis Hansel


The Open FAIR Certification for People program is aimed at meeting the needs of risk analysts and organizations employing risk analysts. The program is based on the Open FAIR (Factor Analysis of Information Risk), which provides a model and taxonomy for understanding, analyzing, and measuring information risk.