The Open FAIR™ Body of Knowledge
The Open FAIR™ Standards can be applied to any risk scenario. This agnostic characteristic enables the O-RA Standard, and the companion O-RT Standard, that together form the Open FAIR Body of Knowledge, to be used as a foundation for normalizing the results of risk analyses across varied risk domains.
- Risk Analysis (O-RA), Version 2.0.1 describes the process necessary for risk analysts to perform effective information security risk analysis using the Open FAIR™ framework
- Risk Taxonomy (O-RT), Version 3.0.1 provides a standard definition and taxonomy for (information security) risk, as well as information regarding how to use the taxonomy
Download the Open FAIR Body of Knowledge, Version 2
The Open FAIR Approach
The Open FAIR risk analysis method can be applied directly alongside other standards: the O-RT and O-RA Standards, together with guidance documentation from The Open Group, provide a way to quantify risk within those information security standards and frameworks in order to inform risk assessments. Practitioners who must perform information technology risk assessments to comply with other industry and regulatory standards, frameworks, and methodologies can therefore use the Open FAIR taxonomy and framework to build consistent and defensible risk statements that are measured in the same economic terms as the other risks they have to manage.
Without a logical, tightly-defined taxonomy, risk analysis approaches will be significantly impaired by an inability to measure and/or estimate risk factors. This, in turn, means that management will not have the necessary information for making well-informed comparisons and choices, which will lead to inconsistent and often cost-ineffective risk management decisions. The O-RT Standard provides the clear definition of Open FAIR risk factors and risk factor relationships necessary to guide professionals in their analysis of risks.
The Open FAIR Resources
One of the foundational areas of The Open Group Security Forum is risk analysis—specifically, quantitative risk analysis and the Open FAIR™ Body of Knowledge. Over the years, the Security Forum has updated The Open Group Risk Analysis (O-RA) Standard and The Open Group Risk Taxonomy (O-RT) Standard and published numerous supporting documents to aid both new and experienced risk analysts. Among these publications are the Open FAIR™ Risk Analysis Process Guide, the Open FAIR™ Risk Analysis Tool, and “cookbooks” demonstrating how Open FAIR fits within other risk assessment frameworks.
- The Open FAIR™ Risk Analysis Process Guide, The Open Group Guide (G180, September 2022) offers some best practices for performing an Open FAIR risk analysis: it aims to help risk analysts understand how to apply the Open FAIR risk analysis methodology.
- The Open FAIR™ Risk Analysis Example Guide, The Open Group Guide (G21A, July 2021) first compares a qualitative and quantitative version of the same risk scenario, both utilizing the Open FAIR risk analysis process. It then presents an example of using Open FAIR risk analysis to inform a business case, relying on the Open FAIR™ Risk Analysis Tool and calibrated estimates for inputs.
- The Mathematics for the Open FAIR™ Methodology Guide, The Open Group Guide (G224, September 2022), introduces readers to the “language” of probability mathematics that is most useful in evaluating specific risk problems. It explains how the Open FAIR concepts are translated into probability models and describes the options available for modeling different scenarios.
- The Open FAIR™ – NIST Cybersecurity Framework Cookbook, The Open Group Guide (G167, October 2016), describes in detail how to apply the Open FAIR factor analysis for information risk methodology to the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework).
- Open FAIR™ – ISO/IEC 27005 Cookbook, The Open Group Guide (C103, November 2010), describes in detail how to apply the Open FAIR methodology to ISO/IEC 27005:2008. The Cookbook part of this document enables risk technology practitioners to follow by example how to apply Open FAIR to other frameworks of their choice.
The Open FAIR Tools
The Open FAIR Risk Analysis Tool can be used to perform a quantitative Open FAIR risk analysis as defined in The Open Group Risk Analysis (O-RA) and Risk Taxonomy (O-RT) standards. It is provided in the form of a Microsoft® Excel® spreadsheet.
- The Open FAIR™ Risk Analysis Tool Beta, The Open Group (I181, January 2018) is an analysis tool that can be used to perform a quantitative Open FAIR risk analysis as defined in the O-RA and O-RT Standards. It is provided in the form of a Microsoft® Excel® spreadsheet.
- The Open FAIR™ Tool with SIPmath™ Distributions: Guide to the Theory of Operation, The Open Group Guide (G181, January 2018) defines the algorithms that can be used to produce an acceptable implementation of the O-RA Standard.
- Open FAIR™ Risk Analysis Tool
- Applying Open FAIR to Analyze Risk in a Retail Environment
- Open FAIR Certification for Risk Analysts
- The Value of Certification for Risk Analysts
- Risk and IT Security: Developing and Communicating the Infosec Value Proposition to Senior Management
- Communicating Cybersecurity Risk to Business Leaders
- Quantifying Cybersecurity Risk in $$$
- IT Risk Management: Overview of The Open Group Risk Taxonomy Standard with Jack Jones
- Overview of the Information Risk Management Process
- Using Open FAIR™ with the TOGAF® Standard for Risk Analysis in EA
The Open FAIR Certification for People program is aimed at meeting the needs of risk analysts and of the organizations that employ them. The program is based on Open FAIR (Factor Analysis of Information Risk), which provides a model and taxonomy for understanding, analyzing, and measuring information risk.