Stages of FAIR Risk Methodology
The FAIR risk methodology has four major stages comprising ten steps. The first stage begins with step one, the identification of the asset at risk. Before the control and value characteristics used in the risk analysis can be estimated, the object under evaluation must first be identified. If the analysis is multilevel, the analyst will need to evaluate the object at risk and all the meta-objects that exist between the threat community and the primary asset (Lajoux, Alexandra, and Charles Elson, 32). The second step involves the identification of the threat community, which is important in the estimation of the Threat Event Frequency and Threat Capability. When evaluating risks associated with malicious actions, the analyst must decide whether the threat community is malware or human, and external or internal. The second stage in the analysis is the evaluation of loss event frequency. The third step, which comes under this stage, is the threat event frequency: the probable frequency, within a given time frame, with which a threat agent will act against an asset. Contributing factors to this step include probability of action and contact frequency. The fourth step is the threat capability, which is the probable level of force that the threat agent is capable of applying against an asset. Contributing factors under this step include resources and skill (Lajoux, Alexandra, and Charles Elson, 23).
The next step is the control strength, which is the expected effectiveness of controls over some timeframe, measured against a baseline level of force. Contributing factors under this step include assurance and strength. The next step under this stage is the vulnerability analysis, which involves analyzing the probability that an asset will not be able to resist the actions of the threat agent. The analysis in this step is closely related to the results of the analysis in steps four and five. The next step, which is step seven, is the analysis of loss event frequency. It involves the analysis of the probable frequency, within a given time frame, with which a threat agent will cause harm to an asset. The next stage in this methodology is the evaluation of probable loss magnitude. The next step under this stage, which is step eight, is the estimation of worst-case loss. This involves the estimation of the worst-case magnitude using three steps. The first step is the determination of the threat action most likely to result in the worst-case outcome (Lajoux, Alexandra, and Charles Elson, 23). The second step is the estimation of the magnitude for each loss form that is associated with the threat action. The last step in this aspect is “summing” the loss form magnitudes. The next step in this stage is step nine, which involves estimating probable loss. The estimation of probable loss magnitude is done using three steps. The first step involves the identification of the threat community action that is most likely. The next step is the evaluation of the probable loss magnitude for every loss form, and the last step is “summing” the magnitudes.
The last stage in this methodology is the derivation and articulation of risk, and its only step, which is step ten, is also the derivation and articulation of risk. It involves the probable magnitude and frequency of future loss. A properly articulated analysis should give decision makers at least two important pieces of information: “the estimated loss event frequency” and “the estimated probable loss magnitude”. The information can be displayed through charts, text, or both. In most cases, it is better to also display the “estimated high-end loss potential” so that the decision maker is aware of the expected worst-case scenario. The strength of the FAIR methodology is that it is able to establish accurate probabilities for the magnitude and frequency of loss events. It also has a consistent framework useful in performing risk analyses (Lajoux, Alexandra R, and Charles Elson, 21). The weakness is that FAIR is not a methodology for dealing with risk management; it is only used to complement the existing methodologies. Using FAIR to analyze someone else’s risk for commercial gain is only possible after obtaining a license from RMI.
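The steps above can be carried through numerically. The following Python sketch is an added example, not part of the original essay or of any FAIR tooling: it derives vulnerability, loss event frequency, probable and worst-case loss magnitude, and an annual loss figure by simulation. The triangular distributions, the percentile scale for force, every number in `SCENARIO`, and the names `draw` and `analyze` are assumptions made for illustration.

```python
import random

# Constructed three-point estimates (min, most likely, max); assumptions, not page data.
SCENARIO = {
    "tef": (0.5, 2.0, 6.0),            # step 3: threat events per year
    "tcap": (30, 60, 95),              # step 4: threat capability (percentile of force)
    "control_strength": (50, 70, 90),  # step 5: control strength (same scale)
    "loss_forms": {                    # steps 8-9: loss per event, by loss form
        "productivity": (5_000, 20_000, 80_000),
        "response": (10_000, 30_000, 120_000),
        "replacement": (0, 5_000, 25_000),
    },
}

def draw(rng, estimate):
    """Sample a triangular distribution from a (min, most likely, max) estimate."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)

def analyze(scenario, trials=20_000, seed=1):
    """Run the stage 2-4 derivation; each trial is one simulated year."""
    rng = random.Random(seed)
    forms = scenario["loss_forms"].values()
    overcome, lef_total, annual = 0, 0.0, []
    for _ in range(trials):
        # Step 6: the asset is vulnerable when applied force exceeds control strength.
        vulnerable = draw(rng, scenario["tcap"]) > draw(rng, scenario["control_strength"])
        overcome += vulnerable
        # Step 7: only threat events that overcome the controls become loss events.
        loss_events = draw(rng, scenario["tef"]) if vulnerable else 0.0
        lef_total += loss_events
        # Magnitude of one loss event is the sum over the loss forms.
        annual.append(loss_events * sum(draw(rng, f) for f in forms))
    annual.sort()
    return {
        "vulnerability": overcome / trials,
        "loss_event_frequency": lef_total / trials,           # loss events per year
        "probable_loss_magnitude": sum(f[1] for f in forms),  # step 9: sum of most-likely values
        "worst_case_loss": sum(f[2] for f in forms),          # step 8: sum of maxima
        "annual_loss_mean": sum(annual) / trials,             # step 10: frequency x magnitude
        "annual_loss_p95": annual[int(0.95 * trials)],        # high-end loss potential
    }

if __name__ == "__main__":
    for name, value in analyze(SCENARIO).items():
        print(f"{name:>24}: {value:,.2f}")
```

The result pairs the two figures the final step calls for, loss event frequency and probable loss magnitude, with a high-end value for the decision maker.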
Lajoux, Alexandra R., and Charles Elson. The Art of M&A Due Diligence: Navigating Critical Steps & Uncovering Crucial Data. New York: McGraw-Hill, 2000. Internet resource.