Risk Management Insight
FAIR
(FACTOR ANALYSIS OF INFORMATION RISK)
Basic Risk Assessment Guide
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
NOTE: Before using this assessment guide…
Using this guide effectively requires a solid understanding of FAIR concepts
‣ As with any high-level analysis method, results can depend upon variables that may not be accounted for at
this level of abstraction
‣ The loss magnitude scale described in this section is adjusted for a specific organizational size and risk
capacity. Labels used in the scale (e.g., “Severe”, “Low”, etc.) may need to be adjusted when analyzing
organizations of different sizes
‣ This process is a simplified, introductory version that may not be appropriate for some analyses
Basic FAIR analysis is comprised of ten steps in four stages:
Stage 1 – Identify scenario components
1. Identify the asset at risk
2. Identify the threat community under consideration
Stage 2 – Evaluate Loss Event Frequency (LEF)
3. Estimate the probable Threat Event Frequency (TEF)
4. Estimate the Threat Capability (TCap)
5. Estimate Control strength (CS)
6. Derive Vulnerability (Vuln)
7. Derive Loss Event Frequency (LEF)
Stage 3 – Evaluate Probable Loss Magnitude (PLM)
8. Estimate worst-case loss
9. Estimate probable loss
Stage 4 – Derive and articulate Risk
10. Derive and articulate Risk
Risk
Loss Event
Frequency
Probable Loss
Magnitude
Threat Event
Frequency
Vulnerability
Contact Action
Control
Strength
Threat
Capability
Primary Loss
Factors
Secondary
Loss Factors
Asset Loss
Factors
Threat Loss
Factors
Organizational
Loss Factors
External Loss
Factors
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Stage 1 – Identify Scenario Components
Step 1 – Identify the Asset(s) at risk
In order to estimate the control and value characteristics within a risk analysis, the analyst must first identify the asset
(object) under evaluation. If a multilevel analysis is being performed, the analyst will need to identify and evaluate the
primary asset (object) at risk and all meta-objects that exist between the primary asset and the threat community. This
guide is intended for use in simple, single level risk analysis, and does not describe the additional steps required for a
multilevel analysis.
Asset(s) at risk: ______________________________________________________
Step 2 – Identify the Threat Community
In order to estimate Threat Event Frequency (TEF) and Threat Capability (TCap), a specific threat community must first be
identified. At minimum, when evaluating the risk associated with malicious acts, the analyst has to decide whether the
threat community is human or malware, and internal or external. In most circumstances, it’s appropriate to define the
threat community more specifically – e.g., network engineers, cleaning crew, etc., and characterize the ex.
1. Risk Management Insight
FAIR
(FACTOR ANALYSIS OF INFORMATION RISK)
Basic Risk Assessment Guide
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
NOTE: Before using this assessment guide…
Using this guide effectively requires a solid understanding of
FAIR concepts
‣ As with any high-level analysis method, results can depend
upon variables that may not be accounted for at
this level of abstraction
‣ The loss magnitude scale described in this section is adjusted
for a specific organizational size and risk
capacity. Labels used in the scale (e.g., “Severe”, “Low”, etc.)
may need to be adjusted when analyzing
organizations of different sizes
‣ This process is a simplified, introductory version that may not
be appropriate for some analyses
2. Basic FAIR analysis is comprised of ten steps in four stages:
Stage 1 – Identify scenario components
1. Identify the asset at risk
2. Identify the threat community under consideration
Stage 2 – Evaluate Loss Event Frequency (LEF)
3. Estimate the probable Threat Event Frequency (TEF)
4. Estimate the Threat Capability (TCap)
5. Estimate Control strength (CS)
6. Derive Vulnerability (Vuln)
7. Derive Loss Event Frequency (LEF)
Stage 3 – Evaluate Probable Loss Magnitude (PLM)
8. Estimate worst-case loss
9. Estimate probable loss
Stage 4 – Derive and articulate Risk
10. Derive and articulate Risk
Risk
Loss Event
Frequency
Probable Loss
4. Stage 1 – Identify Scenario Components
Step 1 – Identify the Asset(s) at risk
In order to estimate the control and value characteristics within
a risk analysis, the analyst must first identify the asset
(object) under evaluation. If a multilevel analysis is being
performed, the analyst will need to identify and evaluate the
primary asset (object) at risk and all meta-objects that exist
between the primary asset and the threat community. This
guide is intended for use in simple, single level risk analysis,
and does not describe the additional steps required for a
multilevel analysis.
Asset(s) at risk:
_____________________________________________________
_
Step 2 – Identify the Threat Community
In order to estimate Threat Event Frequency (TEF) and Threat
Capability (TCap), a specific threat community must first be
identified. At minimum, when evaluating the risk associated
with malicious acts, the analyst has to decide whether the
threat community is human or malware, and internal or external.
In most circumstances, it’s appropriate to define the
5. threat community more specifically – e.g., network engineers,
cleaning crew, etc., and characterize the expected nature
of the community. This document does not include guidance in
how to perform broad-spectrum (i.e., multi-threat
community) analyses.
Threat community:
_____________________________________________________
_
Characterization
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Stage 2 – Evaluate Loss Event Frequency
Step 3 – Threat Event Frequency (TEF)
The probable frequency, within a given timeframe, that a threat
agent will act against an asset
Contributing factors: Contact Frequency, Probability of Action
Very High (VH) > 100 times per year
High (H) Between 10 and 100 times per year
Moderate (M) Between 1 and 10 times per year
6. Low (L) Between .1 and 1 times per year
Very Low (VL) < .1 times per year (less than once every ten
years)
Rationale
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 4 – Threat Capability (Tcap)
The probable level of force that a threat agent is capable of
applying against an asset
Contributing factors: Skill, Resources
Very High (VH) Top 2% when compared against the overall
threat population
High (H) Top 16% when compared against the overall threat
population
Moderate (M) Average skill and resources (between bottom 16%
and top 16%)
Low (L) Bottom 16% when compared against the overall threat
population
Very Low (VL) Bottom 2% when compared against the overall
7. threat population
Rationale
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 5 – Control strength (CS)
The expected effectiveness of controls, over a given timeframe,
as measured against a baseline
level of force
Contributing factors: Strength, Assurance
Very High (VH) Protects against all but the top 2% of an avg.
threat population
High (H) Protects against all but the top 16% of an avg. threat
population
Moderate (M) Protects against the average threat agent
Low (L) Only protects against bottom 16% of an avg. threat
population
Very Low (VL) Only protects against bottom 2% of an avg.
threat population
Rationale
8. FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 6 – Vulnerability (Vuln)
The probability that an asset will be unable to resist the actions
of a threat agent
Tcap (from step 4):
CS (from step 5):
Vulnerability
VH VH VH VH H M
H VH VH H M L
Tcap M VH H M L VL
L H M L VL VL
VL M L VL VL VL
VL L M H VH
Control Strength
Vuln (from matrix above):
FAIR™ Basic Risk Assessment Guide
9. All Content Copyright Risk Management Insight, LLC
Step 7 – Loss Event Frequency (LEF)
The probable frequency, within a given timeframe, that a threat
agent will inflict harm upon an
asset
TEF (from step 3):
Vuln (from step 6):
Loss Event Frequency
VH M H VH VH VH
H L M H H H
TEF M VL L M M M
L VL VL L L L
VL VL VL VL VL VL
VL L M H VH
Vulnerability
LEF (from matrix above):
FAIR™ Basic Risk Assessment Guide
10. All Content Copyright Risk Management Insight, LLC
Stage 3 – Evaluate Probable Loss Magnitude
Step 8 – Estimate worst-case loss
Estimate worst-case magnitude using the following three steps:
‣ Determine the threat action that would most likely result in a
worst-case outcome
‣ Estimate the magnitude for each loss form associated with that
threat action
‣ “Sum” the loss form magnitudes
Loss Forms
Threat Actions Productivity Response Replacement
Fine/Judgments Comp. Adv. Reputation
Access
Misuse
Disclosure
Modification
Deny Access
Magnitude Range Low End Range High End
Severe (SV) $10,000,000 --
High (H) $1,000,000 $9,999,999
11. Significant (Sg) $100,000 $999,999
Moderate (M) $10,000 $99,999
Low (L) $1,000 $9,999
Very Low (VL) $0 $999
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Step 9 – Estimate probable loss
Estimate probable loss magnitude using the following three
steps:
‣ Identify the most likely threat community action(s)
‣ Evaluate the probable loss magnitude for each loss form
‣ “Sum” the magnitudes
Loss Forms
Threat Actions Productivity Response Replacement
Fine/Judgments Comp. Adv. Reputation
Access
Misuse
Disclosure
Modification
12. Deny Access
Magnitude Range Low End Range High End
Severe (SV) $10,000,000 --
High (H) $1,000,000 $9,999,999
Significant (Sg) $100,000 $999,999
Moderate (M) $10,000 $99,999
Low (L) $1,000 $9,999
Very Low (VL) $0 $999
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Stage 4 – Derive and Articulate Risk
Step 10 – Derive and Articulate Risk
The probable frequency and probable magnitude of future loss
Well-articulated risk analyses provide decision-makers with at
least two key pieces of information:
‣ The estimated loss event frequency (LEF), and
‣ The estimated probable loss magnitude (PLM)
This information can be conveyed through text, charts, or both.
13. In most circumstances, it’s advisable to also provide the
estimated high-end loss potential so that the decision-maker is
aware of what the worst-case scenario might look like.
Depending upon the scenario, additional specific information
may be warranted if, for example:
‣ Significant due diligence exposure exists
‣ Significant reputation, legal, or regulatory considerations exist
Risk
Severe H H C C C
High M H H C C
PLM Significant M M H H C
Moderate L M M H H
Low L L M M M
Very Low L L M M M
VL L M H VH
LEF
LEF (from step 7):
PLM (from step 9):
WCLM (from step 8):
Key Risk Level
14. C Critical
H High
M Medium
L Low
FAIR™ Basic Risk Assessment Guide
All Content Copyright Risk Management Insight, LLC
Requirements
In preparing and supporting your recommendation to either
make the investment or not, include the following items as part
of your analysis:
· Analysis of financial information.
· Identification of risks associated with the investment.
Consider:
. How risky the project appears.
. How far off your estimates of revenues and expenses can be
before your decision would change.
. The difference if the company were to use a straight line
versus a MACRS depreciation.
· Recommendation for a course of action.
· Explanation of criteria supporting your recommendation.
Financial Information
As part of your analysis you might find that additional
information from marketing, accounting, or finance would be
useful in making an informed and well-supported
recommendation. In a real workplace setting you would have the
ability to ask for that information. However, for the purposes of
this assessment, you can make assumptions about the values of
that data or ratios in support of your recommendation.
15. Accounting worked with the marketing group to create the ZXY
Company Financial Statements spreadsheet for the new products
business and the new facility.
Notes about the financial information:
· The expense line labeled SQF FDA Mandates refers to the
costs of complying with Food and Drug Administration
requirements.
· Depreciation expense is calculated using 7-year life modified
accelerated cost recovery system (MACRS).
Deliverable Format
Depending on the audience you choose to address, use one of
the following options:
· Presentation for top leadership. Prepare a presentation of at
least 12 slides detailing your recommendation and the
information you used to make your recommendation. You may
use your choice of presentation software. Include notes with
additional details.
Keep in mind that your recommendation may be shared with
others, so your materials should be designed for clarity and
readability.
Related company standards for either format:
· The recommendation report is a professional document and
should therefore follow the corresponding MBA Academic and
Professional Document Guidelines, including single-spaced
paragraphs.
· In addition to the report or presentation, include:
. Title (slide or page).
. References (slide or page).
. Appendix with supporting materials.
. At least two APA-formatted references.
Evaluation
By successfully completing this assessment, you will
demonstrate your proficiency in the following course
competencies through corresponding scoring guide criteria:
· Competency 2: Apply principles of accounting to assess
financial performance.
16. . Analyze financial statements for decision support.
. Explain risks associated with an investment decision.
· Competency 3: Analyze accounting information to support
business decisions.
. Recommend a course of action based on financial information.
. Explain how financial criteria support a decision.
· Competency 4: Communicate financial information with
multiple stakeholders.
. Communicate accounting information clearly.
Faculty will use the scoring guide to review your deliverable as
if they were your boss. Review the scoring guide prior to
developing and submitting your assessment.
ZXYZXY - Forecast Ten YearsPro-Forma Income
StatementYear 1Year 2Year 3Year 4Year 5Year 6Year 7Year
8Year 9Year 10TotalBrand new Acme System - full
systemIncomeRevenueProduct
A2,400,0002,800,0002,800,0003,240,0003,900,0003,900,0003,9
00,0003,900,0003,900,0003,900,00034,640,000Product
B900,0001,350,0002,500,0003,000,0004,000,0004,950,0005,500
,00022,200,000Total ·
Revenue2,400,0002,800,0002,800,0004,140,0005,250,0006,400,
0006,900,0007,900,0008,850,0009,400,00056,840,000Cost of
Goods SoldPest
Control50,00066,55073,20573,20573,20573,20573,20573,20573
,20573,205702,190SQF FDA
mandates90,00090,00090,00090,00090,00030,00030,00030,0003
0,00030,000600,000Rent -
Plant400,000408,000416,160424,483432,973441,632450,46545
9,474468,664478,0374,379,888Plant Equip. - Fklf -
Scrb/Lease40,00064,00064,00064,00064,00064,00064,00064,00
064,00064,000616,000Plant Equip. - Ongoing
maintenance50,00070,00075,00075,00075,00075,00075,00075,0
0075,00075,000720,000Plant Equip. -
Parts40,00050,00050,00050,00050,00050,00050,00050,00050,0