1

This course material by Osama Salah is released under the

following license:
Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)

Conditions for use are published here:

https://creativecommons.org/licenses/by-sa/4.0/

2
 FAIR Open Course

Module 2 - The FAIR Model

Ver. 0.2

3
The FAIR Model $
Risk

# $
Loss Event Loss
Frequency Magnitude

# % $ $
Threat Event Secondary
Vulnerability Primary Loss
Frequency Risk

# % % % % $
Secondary Secondary
Contact Probability of Threat Resistance
Loss Event Loss
Frequency Action Capability Strength
Frequency Magnitude

4
The FAIR Model
• Note: In a risk analysis we only go as deep into the model as is
needed or supported by good data.
• If we go deeper into the model and start using even more uncertain
estimates or data we risk reducing the accuracy of the analysis.
• Even if some building blocks are not used in a risk analysis it is good to
keep them in mind and review how they might relate to the scenario.
This review might reveal other aspects of the scenario (scope,
assumptions etc.) that were previously not specifically mentioned.

5
 Risk

Loss Event Loss

Frequency Magnitude

Threat Event Secondary

Vulnerability Primary Loss
Frequency Risk

Secondary Secondary
Contact Probability of Threat Resistance
Loss Event Loss
Frequency Action Capability Strength
Frequency Magnitude

6
Risk Risk

Loss Event Frequency Loss Magnitude

“The probable frequency and probable magnitude of future loss.”

• Probability based (due to imperfect data, models and future
uncertainty)
• Informs decision makers on the future potential for loss.

7
Typical Risks…
Risks?
Cloud Computing Technology
Insider Threat Threat agent
Network share containing sensitive information Assets
Mobile malware Attack vector
Social engineering/phishing Form of attack, technique
Organized crime Threat agent
State sponsored attacks Form of attack
Hacktivists Threat agent
Ransomware Attack vector
Internet of Things Technology
Insecure Passwords Deficient Control

8
Are these Risks?
Risks?
Cloud Computing None of these are risks. Remember, risk
Insider Threat is defined as:
Network share containing sensitive information
Mobile malware The probable frequency and probable
Social engineering/phishing magnitude of future loss.
Organized crime
State sponsored attacks There is no expression (direct, indirect or
Hacktivists implied) of the frequency of something
Ransomware happening nor the probable magnitude
Internet of Things of future loss.
Insecure Passwords

9
How does your risk register compare?
• We defined risk as “The probable frequency and probable magnitude
of future loss.”
• Instead of just “risk” think of a “risk event”
• Such an event typically has three components:
• Asset
• Threat
• Impact (CIA)

10
How does your risk register compare?
• A typical mistake is to list a control deficiency or variance as a risk.
• For Example: “Irregular movement of backup tapes to off-site location
could lead to data loss.”
• Moving tapes off-site is a control you have implemented (through a
policy or procedure) to address the risk of data loss to destruction of
tapes in case of a disaster in the primary location.
• Your control is not working as expected. You address that through a
security action, issue, assigning a task to someone etc. but not
through recording a task.

11
Examples of Risks
• Privileged insider shares confidential customer data with competitors resulting in
losses in competitive advantage.
• Cyber criminals infect endpoints with ransomware encrypting files and locking
workstations resulting in disruption of operations.
• Cyber criminals copy confidential customer data and threaten to make public unless
ransom is paid. Release of data could result in reputation damage and litigation.
• Critical customer data based is not backed up resulting in operational losses in case
of data unavailability.
• Losses due to phishing attack by external malicious actor targeting smartphone
users.
• Losses due to credentials phishing after moving to Office 365.

12
Guidance for Constructing a Risk
Statement
Here is some guidance on how to construct a better risk statement.
Use whatever works best for you. There is no fixed rule.

• [Event] caused by [cause] may result in [losses]

• [Threat] might take [action] against [asset] resulting in [losses]
• [Consequences] due to [threat] [action] against [asset]

13
How does your risk register compare?

? So, how does your risk register compare?

Are your records reflecting actual risks?

14
A note on positive and negative risk
According to ISO 31000, risk is “the effect of uncertainty on objectives”
ISO 31000 considers effect as a positive or negative deviation from what is
expected. Thus risk can be positive or negative.

According to FAIR, risk is “The probable frequency and probable magnitude of

future loss.”
FAIR focuses on “loss” or the negative side only.

!
There is an ongoing debate on this subject that we will
not get into. Research it on your own if you find it of
interest.
15
Loss Event Frequency (LEF)
“The probable frequency, within a given time-frame, that loss will materialize from a threat-
agent’s action.”

A measure of how often loss is likely to happen.

There must be a time-frame reference. Given no-time framing, almost any event is possible.
Typically expressed as a distribution using annualized values.
For example: Between 5 to 25 times per year, with the most likely frequency of 10 times per
year.
Min Most Likely Max
5 10 25

Expressed as probability if it happens only once.

16
Loss Event Frequency (LEF)
FAIR uses frequencies instead of probabilities or “likelihood” (unless we are
talking about a single event like the moon exploding etc.)
Frequencies are easier to understand and force us to define a time-frame.
For example you might have heard in a risk analysis workshop someone
saying ”This has a probability of 0.2”. But what does that mean?
In contrast “This could happen twice in 10 years” (or once in five years) is
significantly clearer to everyone. There is a clear reference class mentioned.
Gerd Gigerenzer also recommends using frequencies.
Book recommendation:
Gerd Gigerenzer, Risk Savvy: How to Make Good Decisions.
17
Threat Event Frequency
(TEF) Risk

Loss Event Loss

Frequency Magnitude

Threat
Primary Secondary
Event Vulnerability
Loss Risk
Frequency

Secondary Secondary
Contact Probability Threat Resistance
Loss Event Loss
Frequency of Action Capability Strength
Frequency Magnitude

18
Threat Event Frequency (TEF)
“The probable frequency, within a given time-frame, that threat
agents will act in a manner that may result in loss.”
In Contrast: Loss Event Frequency (LEF): “The probable frequency,
within a given time-frame, that loss will materialize from a threat-
agent’s action.”
TEF considers all actions taken by the threat agent, regardless if
successful or not.
LEF considers only action taken by the threat agent that were successful
i.e. resulted in a loss.

19
Threat Event Frequency (TEF)
Threat Event
Hacker attacking website.
Pushing new software release to
production.
Someone thrusting a knife at you
? Can you thinks of other examples for Threat and Loss
Events?
Loss Event
Hacker damages site or steals
information
Release causes problem leading to
downtime, data integrity issues etc.
Getting cut in an attack with a knife
20
Vulnerability
Risk

Loss Event Loss

Frequency Magnitude

Threat
Primary Secondary
Event Vulnerability
Loss Risk
Frequency

Secondary Secondary
Contact Probability Threat Resistance
Loss Event Loss
Frequency of Action Capability Strength
Frequency Magnitude

21
Vulnerability
“The probability that a threat agent’s actions
will result in loss.”
Expressed as a percentage.
The house is 100% vulnerable to damage from a tornado.
The lock is 100% vulnerable to compromise through lock-picking.
That password is 1% vulnerable to brute force attempts.
Usually expressed as a distribution:
That lock is between 5% to 20% vulnerable to lock-picking with a most likely
value of 10%. (i.e. between 5% to 20% of lock picking attempts (most likely
10%) are estimated to be successful.

22
Vulnerability
• Vulnerability exists when there is a difference
between the Threat Capability and the
difficulty to resist.
• Vulnerability is evaluated in the context of the
specific threat types and control types. For
example the difficulty of overcoming anti-virus
controls is irrelevant if the risk analysis is about
insider fraud.

23
Threat Capability
(TCap) Risk

Loss Event Loss

Frequency Magnitude

Threat
Primary Secondary
Event Vulnerability
Loss Risk
Frequency

Secondary Secondary
Contact Probability Threat
Difficulty Loss Event Loss
Frequency of Action Capability
Frequency Magnitude

24
 Vulnerability

Threat Capability (TCap)

Threat
Difficulty
Capability
“The capability of a threat agent.”
TCap is a matter of:
Skills i.e. knowledge and experience.
Resources i.e. time & material.
With natural threat agents it’s a matter of force.

! Discuss the capabilities of Nation States, Hacktivists and

Cyber Criminals in terms of skills and resources.
25
 Vulnerability

Threat Capability (TCap)

Threat
Difficulty
Capability
TCap is measured against the “TCap continuum”
i.e. a percentiles scale from 1 to 100.
It represent the comprehensive range of capabilities for a population of
threat agents.
Example: Least capable cyber criminal is at the 60th percentile, the most
capable at the 100th and most are at approx. the 90th percentile.
We tend to focus on worst case, but that is thinking in terms of
possibility not probability.

26
The TCap Continuum
• We estimate the TCap of all threat agents/threat
communities on the same scale called the TCap continuum.
40 50 65
Hacktivist
60 75 95
Cyber Criminals
80 90 98
Nation State

0% 20% 40% 60% 80% 100%

27
Resistance Strength
Risk

Loss Event Loss

Frequency Magnitude

Threat
Primary Secondary
Event Vulnerability
Loss Risk
Frequency

Secondary Secondary
Contact Probability Threat Resistance
Loss Event Loss
Frequency of Action Capability Strength
Frequency Magnitude

28
Resistance Strength
The official Open FAIR definition is:
“Resistance Strength (RS) is the strength of a control as compared to a
baseline measure of force.”
However in “Measuring And Managing Information Risk” (the unofficial
FAIR Reference) is is now referred to as:
“The level of difficulty that a threat agent must overcome.”

29
Resistance Strength = Difficulty
For sake of the Open FAIR Foundation exam you need to use
“Resistance Strength”. For real life let’s stick with “Difficulty” because
it’s less difficult to understand!

…Resistance strength was originally called “Control

Strength”. CS and RS where found to be problematic
Did you definitions and that’s how we ended up with
Know? “Difficulty”.

Difficulty and TCap are used only in very rare risk

analysis scenarios.
30
Resistance Strength (Difficulty)
“The level of difficulty that a threat agent must overcome.”
RS/Difficulty is measured against the TCap continuum, not against the
specific threat community identified in the risk analysis scope.

31
 The TCap Continuum
40 50 65
Hacktivist
60 75 95
Cyber Criminals
80 90 98
Nation State

0% 20% 40% 60% 80% 100%

70 85 95
Resistance Strength
Example:
An authentication control is expected to stop anyone below the 70th percentile along the TCap continuum.
Anyone above the 90th percentile is certain to succeed. Most likely it’s effective only up to the 85th
percentile.
32
 Resistance Strength (Difficulty)
Controls make the threat agent’s job more difficult (malicious or act-of-
nature scenarios) or easier (in human error scenarios)
Examples:

Malicious Threat Agent Human error Acts of nature

Authentication Training Reinforced construction
material
Access privileges Documentation
Controls

Patching and Process simplification

Configuration
Encryption

33
Contact Frequency
Risk

Loss Event Loss

Frequency Magnitude

By just looking at the model, can you guess

?
Threat
Primary Secondary
Event what Contact Frequency
Vulnerability
Loss and Probability
Risk of
Frequency
Action are about and how they contribute
to Threat Event Frequency?
Secondary Secondary
Contact Probability Threat
Difficulty Loss Event Loss
Frequency of Action Capability
Frequency Magnitude

34
Contact Frequency (CF)
“The probable frequency, within a given time-frame, that threat agents will
come into contact with assets.”

Contact Modes: Physical or Logical

Contact Types:
• Random (tornado strike, flu…)
• Regular (cleaning crew comes regularly at 5:15 PM…)
• Intentional (burglar targets specific house)
Typically expressed as annualized distribution or as probability if it happens
only once.
35
Probability of Action
(PoA) Risk

Loss Event Loss

Frequency Magnitude

Threat
Primary Secondary
Event Vulnerability
Loss Risk
Frequency

Secondary Secondary
Contact Probability Threat
Difficulty Loss Event Loss
Frequency of Action Capability
Frequency Magnitude

36
Probability of Action (PoA)
“The probability that a threat agent will act upon an asset once
contact has occurred.”
PoA applies only to threat agents that can think, reason or otherwise
make a decision (humans, animals..) but not acts of nature etc.
(tornados).

People are deterred more by the likelihood of

Did you getting caught rather than the harshness of the
Know? punishment.

https://nij.gov/five-things/Pages/deterrence.aspx#note1
37
Probability of Action (PoA)
The choice to act is driven by:
• Perceived value of the act from the threat agent’s perspective.
• Perceived Level of effort and/or cost from the threat agent’s
perspective.
• Perceived Level of risk to the threat agent.

! Discuss how PoA might be reflected in different

Threat Communities.
38
Loss Magnitude (LM)
Risk

Loss Event Loss

Frequency Magnitude

Threat
Primary Secondary
Event Vulnerability
Loss Risk
Frequency

Secondary Secondary
Contact Probability Threat
Difficulty Loss Event Loss
Frequency of Action Capability
Frequency Magnitude

39
Loss Magnitude
“The probable magnitude of primary and secondary loss resulting
from an event.”
• Simply: how much tangible loss is expected to materialize from an
event.
• Distinguishing between primary and secondary loss is based on
stakeholders and and analysis perspective.

40
Loss Magnitude
• Primary stakeholders are those individuals or organizations whose
perspective is the focus of the risk analysis. Usually the owner of the
primary asset in the risk scenario.
• Secondary stakeholder is anyone who is not a primary stakeholder
that may be affected by the loss event being analyzed, and then may
react in a manner that harms the primary stakeholder.

41
Loss Magnitude
Example
Company X (primary stakeholder) has an event that damages public
health. Direct losses incurred like cleanup are primary losses.
The public (secondary stakeholder) reacts negatively through legal
action, protests, taking business else where etc. these are secondary
losses.

42
Loss Magnitude
Losses incurred by the secondary stakeholder are not put into the
formula (not directly). We would, if these losses are transferred to the
primary stakeholder.
For example company X might have to compensate members of the
community. These would be included in the secondary loss component.
We can always do a separate risk analysis from the public’s perspective
if that were useful.

43
Primary Loss Magnitude
“Primary stakeholder loss that materializes directly as a result of the
event.”
Examples:
Lost revenue from operational outages
Wages paid to workers when no work is being performed due to an outage
Replacement of the organization’s tangible assets
Person-hours restoring functionality to assets or operations following an event
Controls Examples:
Disaster Recovery, Business Continuity processes and technologies
Incident response processes
Process or technology redundancies
44
Forms of Loss
FAIR decomposes loss into the following six categories
1. Productivity
2. Response
3. Replacement
4. Competitive Advantage
5. Fines and Judgments
6. Reputation

45
Forms of Loss

Productivity a. Losses resulting from org. ability to execute on its primary value proposition.
(revenue lost when retail website goes down)
b. Losses resulting from personnel being paid but unable to perform their duties.
(Failure in call center)
Consider if revenue is really lost or simply delayed. Can the revenue be recovered?
Are all activities of the personnel effected by they failure?
Response Costs associated with managing the loss event. For example incident response team
costs.
Secondary Response costs (expenses incurred dealing with secondary stakeholder)
like notification and credit monitoring costs (confidential records breach)
Replacement The intrinsic value of the asset. The cost to replace the physical asset.
Secondary replacement costs: Refund stolen funds. Replacing credit cards after a
credit card information breach.

46
Forms of Loss

Competitive Losses focused on some asset (physical or logical) that provide an advantage
Advantage over the competition. Something another company cannot acquire or
develop (legally) on their own (like intellectual property, secret business
plans, market information, patent, copyrights, trade secrets).

Fines and Regulatorily fines, class action law suits

Judgments
Reputation Effects of reputation loss: market share, cost of capital, stock price, increased
cost hiring/retaining employees.
Reputation losses occur because of a secondary stakeholder perception that
and organization’s value has decreased or liability has increase that affects
stakeholders.

47
Typical Loss Type Mapping
Loss Type Primary Secondary
Loss Loss
Productivity ✭
Replacement ✭
Response ✭ ✭
Competitive Advantage ✭
Reputation ✭
Fines and Judgements ✭

48
Secondary Risk
Risk

Loss Event Loss

Frequency Magnitude

Threat
Primary Secondary
Event Vulnerability
Loss Risk
Frequency

Secondary Secondary
Contact Probability Threat
Difficulty Loss Event Loss
Frequency of Action Capability
Frequency Magnitude

49
Secondary Risk
“Primary stakeholder loss-exposure that exists due to the potential for
secondary stakeholder reactions to primary event.”
Think of it as the fallout from the primary event.

50
Secondary Risk
Risk

Loss Event Loss

Frequency Magnitude

Threat
Primary Secondary
Event Vulnerability
Loss Risk
Frequency

Secondary Secondary
Contact Probability Threat
Difficulty Loss Event Loss
Frequency of Action Capability
Frequency Magnitude

51
Secondary Loss Event Frequency (SLEF)
“The percentage of primary events that have secondary effects.”
Company X has environmental loss event of 10 times per year. Secondary
losses materialize only 20% of the time i.e. SLEF is 2 times per year.

Secondary Loss Magnitude

“Loss associated with secondary stakeholder reactions.”
Examples: Civil, criminal or contractual fines and judgments, notification
costs, public relation costs, legal defense costs, effects of regulatory
sanctions, lost market share, diminished stock price, increased cost of
capital….

52
Secondary Risk
• Secondary Risk has it’s own Secondary Loss Event Frequency (SLEF)
• Another way to distinguish between primary and secondary risks is
that primary losses in a risk scenario will always be incurred in each
loss event (in the estimated range of loss magnitude).
• Secondary losses will occur only in some of the loss events (in the
estimated range of loss magnitude) and not at all in others.
• For example a risk that has a frequency of 10, in each of the 10 events
there will be a productivity loss (in the estimated range), but with SLEF
2 in only 2 out of the 10 there will be secondary losses. For example
we expect to be sued or fined only twice out of the 10 events
53
FAIR and Control Categories
FAIR considers four main control categories
• Avoidance Controls
• Deterrent Controls
• Vulnerability Controls
• Responsive Controls

54
Vulnerability Controls Avoidance Controls
Responsive
Deterrent Controls
Controls
Affect the probability that a threat’s action will result Affect the frequency
Affect
Affect
and/or
the
theamount
likelihood
likelihood
of loss
ofofa that
threat
result
acting
from
in aa manner
threat’s
in loss encountering threats
action
that can result in harm
Risk

Loss Event Loss

Frequency Magnitude

Threat Event Secondary

Vulnerability Primary Loss
Frequency Risk

Secondary Secondary
Contact Probability of Threat
Difficulty Loss Event Loss
Frequency Action Capability
Frequency Magnitude

55
 Risk

Loss Event Loss Responsive

Frequency Magnitude

Vulnerability

Threat Event Secondary

Vulnerability Primary Loss
Frequency Risk

Secondary Secondary
Contact Probability of Threat
Difficulty Loss Event Loss
Frequency Action Capability
Frequency Magnitude

Avoidance Deterrent

56
Avoidance Controls
These controls try to reduce the frequency and/or likelihood that the
threat gets into contact with the asset. For example:
• Firewalls
• Network Segmentation
• 2FA
• Physical Barriers
• Application Isolation
• Data Loss Prevention
• Segregation of Duties
57
Deterrent Controls
These controls reduce the probability that a threat agent will act
against the asset in a manner that may result in loss.
The controls work at the Probability of Action level. We mentioned
earlier that PoA is a function of:
• Perceived value of the act from the threat agent’s perspective.
• Perceived Level of effort and/or cost from the threat agent’s
perspective.
• Perceived Level of risk to the threat agent.

58
Deterrent Controls
• Value of the act from the threat agent’s perspective.
• Perceived Level of effort and/or cost from the threat agent’s
perspective.
• Perceived Level of risk to the threat agent.
We probably can’t do much to reduce the perception of value from the
threat agent’s perspective, however we can:
Force the threat to having to invest more effort and thus increasing
cost.
We can increase the level of risk to the threat agent.

59
Deterrent Controls
• Logging and Monitoring
• Asset hardening
• Defense in depth
• Deception Technologies
• Physical obstacles

60
Vulnerability Controls
These controls reduce the probability that threat events will become
loss events. We become less vulnerable when resistance strengths
(difficulty) exceeds the threat’s capabilities.
When the threat action is malicious we focus on making it more
difficult to the threat agent to cause harm.
When the threat action is non-malicious like human error we focus on
making it easier for the threat agent to comply and adhere to expected
behavior.

61
Vulnerability Controls
Vulnerability Management
Source Code Review
Patch Management
Deception Technology
Isolation and Segmentation
Honeypot
SIEM
Anomaly Detection
CCTV
62
Response Controls
These are controls focusing on reducing the loss magnitude after a loss
event has taken place.
• Backup and Restore
• Disaster Recovery Plans
• Incident Retainer
• Data Segmentation
• Network Segmentation
• Log monitoring

63
Last words on controls
• Some controls can work on different levels. For example network
segmentation can make it difficult for the threat agent to move from a
low security segment into a high security segment where the crown
jewels are located (Avoidance Control). But it could also limit the loss
to a particular segment for example a worm outbreak could be limited
to a particular segment (Response Control).
• Detective Controls: FAIR does not consider it a distinct control
category. For example logs can be a “detective control” but can also
be a deterrent (for insiders) and can be a trigger to respond earlier to
an ongoing event.

64
Last words on controls
• When thinking about treatment plans just remember that there are
probably multiple options to treat the risks. One option might be
better than the other, or maybe you will even need a combination of
different controls.

65
? Can you fill in the blanks?

Risk

66
Conclusion
• You are now familiar with the FAIR model and the control
categorization.
• For the Open FAIR exam you must be able to draw the model from
memory and know and understand the terminology.
• In the next Module we will focus on scoping a risk analysis.

67