The Case for Open FAIR – The Open Group FAIR Risk Management

The quantitative risk management framework from the Factor Analysis of Information Risk (FAIR™) Institute has been adopted by The Open Group (O-RA ver 2.0.1), providing extra support, including,

  • A Risk Taxonomy (O-RT)
  • Generic requirements for risk assessment methodologies
  • A Cookbook to Open FAIR, describing how to apply it to other frameworks
  • A Cookbook to Open FAIR with the NIST Cybersecurity Framework
  • A Process Guide, providing best practices for using Open FAIR risk analysis
  • A Case Study white paper on home dialysis machines’ connections to hospitals
  • MS EXCEL Tooling to help implement the process
  • SIPmath Tooling

Together these resources provide the analyst with a rich collection of resources to make the best of the FAIR standard.


Risk Management is an integral part of today’s organisations. The qualitative frameworks have managed to surface organisational risk profiles, facilitating their management. We often view architecture as a triumph of human communication, allowing the architecture to be understood by all interested parties. Effective architecture lifts the competency of the entire organisation. Similarly with risk management, having an organisation’s risks efficiently and effectively communicated, along with their treatment, benefits the entire organisation. The more mature organisation is more aware of the risks it is managing and, therefore, more effectively progresses its business.

Quantitative risk management with FAIR takes the additional step of further quantifying the risks in financial terms. Business decisions often come down to dollars and cents, so having risks already adopt these measures both saves time and provides more detail. This added complexity, though, brings with it new analytical challenges. Providing the highly regarded FAIR framework with the added resources of The Open Group is just what we need to get started with quantitative risk management.

Factor Analysis of Information Risk (FAIR™) 

FAIR breaks down the classification of risks into

  1. Loss event frequency,
    • Threat event frequency, and
    • Vulnerability
  2. Loss magnitudes
    • Primary loss (in dollars), and
    • Secondary loss (in dollars)

This classification allows broad and detailed risk assessments to be calculated in dollar terms.

Risk assessments benefit from Open FAIR’s tightly defined taxonomy, providing more reliable and consistent risk measurement, which is critical in using FAIR.

Being quantitative, Open FAIR emphasises the importance of measures’ accuracy and objectivity and provides comprehensive guidance on achieving these. It comprehensively provides a treatise on the theory of measurements, including calibration and estimations. Even Monte Carlo methods are addressed.

Open FAIR Controls Framework

 The Open FAIR framework defines four categories of Controls:

  1. avoidance,
  2. deterrent,
  3. vulnerability, and
  4. responsive. 

Open FAIR also maps the five functions of the NIST Cybersecurity Framework.

Like any good framework, Open FAIR comprehensively guides the adopter to achieve insightful and reliable assessments. At ePatterns Consultants, we consider this the best-prepared risk management framework we have encountered, combining the innovation of FAIR with The Open Group’s excellent engineering approach. We recommend the adoption of the Open FAIR to achieve efficient and effective risk management.