®

The Open FAIR™

Body of Knowledge
Version 2

SECURITY SERIES
The Open Group Standard

Risk Analysis (O-RA), Version 2.0.1

Copyright © 2021, The Open Group. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner.
It is fair use of this specification for implementors to use the names, labels, etc. contained within the specification. The intent of
publication of the specification is to encourage implementations of the specification.
This specification has not been verified for avoidance of possible third-party proprietary rights. In implementing this specification,
usual procedures to ensure the respect of possible third-party intellectual property rights should be followed.
Any use of this publication for commercial purposes is subject to the terms of the Annual Commercial License relating to it. For
further information, see www.opengroup.org/legal/licensing.

The Open Group Standard

Risk Analysis (O-RA), Version 2.0.1
ISBN: 1-947754-65-2
Document Number: C20A

Published by The Open Group, November 2021.

Comments relating to the material contained in this document may be submitted to:
The Open Group, Apex Plaza, Forbury Road, Reading, Berkshire, RG1 1AX, United Kingdom
or by electronic mail to:
[email protected]

ii The Open Group Standard (2021)

 Contents
1 Introduction ............................................................................................................... 1
1.1 Objective ......................................................................................................... 1
1.2 Overview......................................................................................................... 1
1.3 Conformance................................................................................................... 2
1.4 Normative References..................................................................................... 2
1.5 Terminology ................................................................................................... 2
1.6 Future Directions ............................................................................................ 2

2 Definitions................................................................................................................. 3

3 Introduction to Open FAIR Risk Analysis ................................................................ 4

3.1 Risk Analysis Approach ................................................................................. 4
3.2 Assessment versus Analysis ........................................................................... 4
3.3 Why is a Tightly-Defined Taxonomy Critical? .............................................. 5

4 Risk Measurement: Modeling and Estimation .......................................................... 6

4.1 Key Foundational Concepts: Accuracy, Precision, Subjectivity,
and Objectivity................................................................................................ 6
4.1.1 Accuracy versus Precision............................................................... 6
4.1.2 Subjectivity versus Objectivity ....................................................... 7
4.2 What is an Estimate?....................................................................................... 8
4.2.1 The Range of the Estimate Determines Its Accuracy ...................... 8
4.2.2 Standardizing on Most Likely Value as a Way of
Estimating Risk Factors................................................................... 8
4.2.3 Specifying an Estimate’s Distribution Improves Its
Precision .......................................................................................... 9
4.3 The Calibration Technique to Develop Accurate Estimates ........................... 9
4.3.1 Starting with the Absurd.................................................................. 9
4.3.2 Decomposing the Problem ............................................................ 10
4.3.3 Testing Confidence Using the Wheel, Establishing
90% Confidence Overall, and 95% Confidence at Each
End ................................................................................................ 11
4.3.4 Challenging Assumptions.............................................................. 11
4.3.5 Range Confidence ......................................................................... 11
4.4 Using Monte Carlo Analysis......................................................................... 12

5 Risk Analysis Methodology and Process ................................................................ 13

5.1 Stage 1: Identify the Loss Scenario (Scope the Analysis) ............................ 13
5.1.1 Identify the Primary Stakeholder................................................... 14
5.1.2 Identify the Asset........................................................................... 14
5.1.3 Identify the Threat Agent/Community .......................................... 14
5.1.4 Identify the Threat Event ............................................................... 15
5.1.5 Identify the Loss Event.................................................................. 15

Risk Analysis (O-RA), Version 2.0.1 iii

 5.1.6 Limiting the Scope of the Loss Scenario ....................................... 16
5.1.7 Decomposing the Loss Scenario ................................................... 17
5.2 Stage 2: Evaluate the Loss Event Frequency ................................................ 17
5.2.1 Estimate the Loss Event Frequency .............................................. 18
5.2.2 Decomposing Loss Event Frequency ............................................ 21
5.3 Stage 3: Evaluate the Loss Magnitude .......................................................... 22
5.3.1 Estimate the Primary Loss Magnitude .......................................... 22
5.3.2 Estimate the Secondary Loss ......................................................... 23
5.3.3 Decomposing Loss Magnitude ...................................................... 23
5.4 Stage 4: Derive and Articulate Risk.............................................................. 24
5.4.1 Single Number Summary Results ................................................. 25
5.4.2 Characterizing and Presenting Distribution Results ...................... 25
5.5 Stage 5: Model the Effect of Controls .......................................................... 25
5.5.1 Open FAIR Control Categories ..................................................... 26
5.5.2 Mapping Open FAIR Controls to the NIST
Cybersecurity Framework ............................................................. 29
5.6 Putting It All Together .................................................................................. 29

6 Risk Analysis Quality Considerations .................................................................... 31

6.1 Documenting Assumptions and Rationale .................................................... 31
6.2 Diminishing Returns ..................................................................................... 31
6.3 Capacity and Tolerance for Loss .................................................................. 32
6.4 Risk Qualifiers .............................................................................................. 32
6.5 Using Ordinal Scales for Analysis ................................................................ 32
6.6 Translating Quantitative Results into Qualitative Statements ...................... 33
6.7 Troubleshooting ............................................................................................ 34

A Business Case.......................................................................................................... 35
A.1 Risk Management Decision-Making ............................................................ 35

iv The Open Group Standard (2021)

 Preface
The Open Group

The Open Group is a global consortium that enables the achievement of business objectives
through technology standards. Our diverse membership of more than 800 organizations includes
customers, systems and solutions suppliers, tools vendors, integrators, academics, and
consultants across multiple industries.

The mission of The Open Group is to drive the creation of Boundaryless Information Flow™
achieved by:
 Working with customers to capture, understand, and address current and emerging
requirements, establish policies, and share best practices
 Working with suppliers, consortia, and standards bodies to develop consensus and
facilitate interoperability, to evolve and integrate specifications and open source
technologies
 Offering a comprehensive set of services to enhance the operational efficiency of
consortia
 Developing and operating the industry’s premier certification service and encouraging
procurement of certified products

Further information on The Open Group is available at www.opengroup.org.

The Open Group publishes a wide range of technical documentation, most of which is focused
on development of Standards and Guides, but which also includes white papers, technical
studies, certification and testing documentation, and business titles. Full details and a catalog are
available at www.opengroup.org/library.

This Document

This document is The Open Group Standard for Risk Analysis (O-RA), Version 2.0.1. It has
been developed and approved by The Open Group.

This document provides a set of standards for various aspects of information security risk
analysis. It is a companion document to the Risk Taxonomy (O-RT) Standard, Version 3.0.1.

The intended audience for this document includes anyone who needs to understand and/or
analyze a risk condition. This includes, but is not limited to:
 Information security and risk management professionals
 Auditors and regulators
 Technology professionals
 Management

Risk Analysis (O-RA), Version 2.0.1 v

 Note that this document is not limited to application in the information security space. It can, in
fact, be applied to any risk scenario. This agnostic characteristic enables the O-RA Standard, and
the companion O-RT Standard, to be used as a foundation for normalizing the results of risk
analyses across varied risk domains.

This document is one of several publications from The Open Group dealing with risk
management. Other publications include:
 Risk Taxonomy (O-RT) Standard, Version 3.0.1
The Open Group Standard (C20B, November 2021)
This document defines a taxonomy for the factors that drive information security risk. It
was first published in January 2009, and has been revised as a result of feedback from
practitioners using the standard and continued development of the Open FAIR™
taxonomy.
 Requirements for Risk Assessment Methodologies
The Open Group Guide (G081, January 2009)
This document identifies and describes the key characteristics that make up any effective
risk assessment methodology, thus providing a common set of criteria for evaluating any
given risk assessment methodology against a clearly defined common set of essential
requirements. In this way, it explains what features to look for when evaluating the
capabilities of any given methodology, and the value those features represent.
 Open FAIR™ – ISO/IEC 27005 Cookbook
The Open Group Guide (C103, November 2010)
This document describes in detail how to apply the Open FAIR methodology to ISO/IEC
27002:2005. The Cookbook part of this document enables risk technology practitioners to
follow by example how to apply FAIR to other frameworks of their choice.
 The Open FAIR™ – NIST Cybersecurity Framework Cookbook
The Open Group Guide (G167, October 2016)
This document describes in detail how to apply the Open FAIR factor analysis for
information risk methodology to the NIST Framework for Improving Critical
Infrastructure Cybersecurity (NIST Cybersecurity Framework).
 The Open FAIR™ Risk Analysis Process Guide
The Open Group Guide (G180, January 2018)
This document offers some best practices for performing an Open FAIR risk analysis: it
aims to help risk analysts understand how to apply the Open FAIR risk analysis
methodology.
 How to Put Open FAIR™ Risk Analysis Into Action: A Cost-Benefit Analysis of
Connecting Home Dialysis Machines Online to Hospitals in Norway
The Open Group White Paper (W176, May 2017)
This document offers an Open FAIR analysis of security and privacy risks and compares
those risks to the likely benefits of connecting home dialysis machines online to hospitals.

vi The Open Group Standard (2021)

  The Open FAIR™ Risk Analysis Tool Beta
(I181, January 2018)
This analysis tool can be used to perform a quantitative Open FAIR risk analysis as
defined in the O-RA and O-RT Standards. It is provided in the form of a Microsoft®
Excel® spreadsheet.
 The Open FAIR™ Tool with SIPmath™ Distributions: Guide to the Theory of
Operation
The Open Group Guide (G181, January 2018)
This document defines the algorithms that can be used to produce an acceptable
implementation of the O-RA Standard.

Differences from Version 1.0 of the Standard

This document includes changes to the O-RA Standard that have evolved since the original
document was published. These changes came about as a result of feedback from practitioners
using the standard:
 The “Confidence Level in the Most Likely Value” as a parameter to model estimates
conceptualized in the previous version of the O-RA Standard is discontinued and replaced
by the choice of distribution that would determine it
 The quantitative example that utilized a qualitative scale has been removed
 Open FAIR terms and definitions have been clarified
 The Loss Scenario is decomposed and explained utilizing accompanying figures,
including guidance on selecting the distribution to use and Risk Factor to model
 The NIST CSF five functions are incorporated

Risk Analysis (O-RA), Version 2.0.1 vii

 Trademarks
ArchiMate, DirecNet, Making Standards Work, Open O logo, Open O and Check Certification
logo, Platform 3.0, The Open Group, TOGAF, UNIX, UNIXWARE, and the Open Brand X logo
are registered trademarks and Boundaryless Information Flow, Build with Integrity Buy with
Confidence, Commercial Aviation Reference Architecture, Dependability Through Assuredness,
Digital Practitioner Body of Knowledge, DPBoK, EMMM, FACE, the FACE logo, FHIM
Profile Builder, the FHIM logo, FPB, Future Airborne Capability Environment, IT4IT, the IT4IT
logo, O-AA, O-DEF, O-HERA, O-PAS, Open Agile Architecture, Open FAIR, Open Footprint,
Open Process Automation, Open Subsurface Data Universe, Open Trusted Technology Provider,
OSDU, Sensor Integration Simplified, SOSA, and the SOSA logo are trademarks of The Open
Group.

Boeing is a trademark of The Boeing Company.

Microsoft and Excel are registered trademarks of Microsoft Corporation in the United States
and/or other countries.

SIPmath is a trademark of ProbabilityManagement.org.

All other brands, company, and product names are used for identification purposes only and may
be trademarks that are the sole property of their respective owners.

viii The Open Group Standard (2021)

 Acknowledgements
The Open Group gratefully acknowledges the contribution of the following people in the
development of this document:
 Chris Carlson, C T Carlson LLC
 Jack Freund, Cyber Assessments, Inc.
 Mike Jerbic, Trusted Systems Consulting Group
 Eva Kuiper, The Open Group Invited Expert
 John Linford, Security Forum & OTTF Forum Director, The Open Group
 David Musselwhite, RiskLens
 Tyanna Smith, Trusted Systems Consulting Group

Special thanks go to Douglas Hubbard, author of How to Measure Anything: Finding the Value
of Intangibles in Business (see Referenced Documents). Many of the ideas in the calibration
section of this standard were originally described by him in this important book.

The Open Group gratefully acknowledges the contribution of the following people in the
development of earlier versions of this document:
 Jack Jones
 Michael Legary
 James Middleton
 Steve Tabacek
 Chad Weinman

Risk Analysis (O-RA), Version 2.0.1 ix

 Referenced Documents
The following documents are referenced in this standard.

(Please note that the links below are good at the time of writing but cannot be guaranteed for the
future.)
 Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 2018,
published by the National Institute of Standards and Technology (NIST); refer to:
www.nist.gov/cyberframework/framework
 How to Measure Anything: Finding the Value of Intangibles in Business, 3rd Edition,
Douglas W. Hubbard, April 2014, published by John Wiley & Sons
 Risk Taxonomy (O-RT) Standard, Version 3.0.1, The Open Group Standard (C20B),
November 2021, published by The Open Group; refer to:
www.opengroup.org/library/c20b
 The Open FAIR™ Risk Analysis Process Guide, The Open Group Guide (G180), January
2018, published by The Open Group; refer to: www.opengroup.org/library/g180

x The Open Group Standard (2021)

1 Introduction

1.1 Objective
The objective of the Risk Analysis (O-RA) Standard is to enable risk analysts to perform
effective information security risk analysis using the Open FAIR™ framework. When coupled
with the Risk Taxonomy (O-RT) Standard, it provides risk analysts with the specific processes
necessary to perform effective risk analysis.

This document should be used with the companion O-RT Standard to:
 Educate information security, risk, and audit professionals
 Establish a common language for the information security and risk management
profession
 Introduce rigor and consistency into analysis, which sets the stage for more effective risk
modeling
 Explain the basis for risk analysis conclusions
 Strengthen existing risk assessment and analysis methods
 Create new risk assessment and analysis methods
 Evaluate the efficacy of risk assessment and analysis methods
 Establish metric standards and data sources

1.2 Overview
This document is intended to be used with the O-RT Standard, which defines the Open FAIR
taxonomy for the factors that drive information security risk. Together, these two standards
comprise a body of knowledge in the area of quantitative risk analysis.

Although the terms “risk” and “risk management” mean different things to different people, this
document is intended to be applied toward the problem of managing the frequency and
magnitude of loss that arise from a threat (whether human, animal, or natural event). In other
words, managing “how often bad things happen, and how bad they are when they occur”.

Although the concepts and standards within this document were not developed with the intention
of being applied towards other risk scenarios, experience has demonstrated that they can be
effectively applied to other risk scenarios. For example, they have been successfully applied in
managing the likelihood and consequence of adverse events associated with project management
or finance, in legal risk, and by statistical consultants in cases where probable impact is a
concern (e.g., introducing a non-native species into an ecosystem).

Risk Analysis (O-RA), Version 2.0.1 1

1.3 Conformance
Refer to The Open Group website for conformance requirements for this document.

1.4 Normative References

The following standards contain provisions which, through references in this document,
constitute provisions of the Risk Analysis (O-RA) Standard. At the time of publication, the
editions indicated were valid. All standards are subject to revision, and parties to agreements
based on this standard are encouraged to investigate the possibility of applying the most recent
editions of the standards listed below. Members of IEC and ISO maintain registers of currently
valid International Standards.
 Risk Taxonomy (O-RT) Standard, Version 3.0.1, The Open Group Standard (C20B),
November 2021, published by The Open Group; refer to:
www.opengroup.org/library/c20b

1.5 Terminology
For the purposes of this document, the following terminology definitions apply:

Can Describes a possible feature or behavior available to the user or application.

May Describes a feature or behavior that is optional. To avoid ambiguity, the opposite of
“may” is expressed as “need not”, instead of “may not”.

Shall Describes a feature or behavior that is a requirement. To avoid ambiguity, do not

use “must” as an alternative to “shall”.

Shall not Describes a feature or behavior that is an absolute prohibition.

Should Describes a feature or behavior that is recommended but not required.

Will Same meaning as “shall”; “shall” is the preferred term.

1.6 Future Directions

As a standards body, The Open Group aims to evangelize the use of the Open FAIR method
within the context of these risk assessment or management frameworks. Our aim is to continue
to work to describe how the Open FAIR method may be used with other risk assessment
frameworks. In doing so, The Open Group becomes not just a group offering yet another risk
assessment framework, but a standards body which solves the difficult problem of developing
consistent, defensible statements concerning risk.

2 The Open Group Standard (2021)

2 Definitions

For the Open FAIR Glossary, see the definitions in The Open Group Standard for Risk
Taxonomy (O-RT), Version 3.0.1; accessible at: www.opengroup.org/library/c20b. Merriam-
Webster’s Collegiate Dictionary1 should be referenced for terms not defined in this section.

Risk Analysis (O-RA), Version 2.0.1 3

3 Introduction to Open FAIR Risk Analysis

3.1 Risk Analysis Approach

All risk analysis approaches must include the following fundamental process elements:
 An effort to clearly identify and characterize the assets, threats, controls, and impact/loss
elements at play within the risk scenario being assessed
 An understanding of the organizational context for the analysis; i.e., what is at stake from
an organizational perspective, particularly with regard to the organization’s leadership
perspective
 Measurement and/or estimation of the various risk factors
 Calculation of risk

The first two elements above can be summarized as “scoping” the analysis – scoping is the
process of identifying a countable, easily understandable Loss Event and risk scenario statement.
Practitioners must recognize that time spent in scoping is crucial to performing effective
analyses. In fact, carefully scoping an analysis reduces time spent on the analysis due to better
clarification of data requirements and less time spent troubleshooting and revising the analysis.
More information on scoping the analysis appears in the Open FAIR Risk Analysis Process
Guide (see Referenced Documents).

Risk-related data is never perfect. In other words, there will always be some amount of
uncertainty in the values being used. As a result, measurements and estimates of risk factors
should faithfully reflect the quality of data being used. The most common approach to achieving
this is to use ranges and/or distributions rather than discrete values as inputs; by using ranges
and/or distributions for measurements and estimates of risk factors, an Open FAIR risk analysis
reflects that there is uncertainty about the future and that the data is always
imperfect/incomplete. Therefore, Open FAIR analysts use Monte Carlo or other stochastic
methods to calculate results.

3.2 Assessment versus Analysis

Many information security standards and frameworks specify that information risk assessments
should be done but leave it to organizations to determine how to do them based on industry
guidance. Moreover, the information security profession (and the broader enterprise risk
management discipline to some degree) often does not clearly and consistently differentiate
between “risk assessment” and “risk analysis”. There is a difference, however: risk assessments
tend to encompass a broader context that includes processes and technologies that identify,
evaluate, and report on risk-related concerns, while risk analyses use measurements and
estimates of risk factors to provide an overall statement on the probable frequency and probable
magnitude of future loss.

4 The Open Group Standard (2021)

 This distinction in the Open FAIR method between risk assessment and risk analysis is
consistent with other standards, and the O-RT and O-RA Standards along with guidance
documentation from The Open Group provide a way to quantify risk in those information
security standards and frameworks. Practitioners who must perform information technology risk
assessments to comply with other industry and regulatory standards, frameworks, and
methodologies can therefore use the Open FAIR taxonomy and framework to build consistent
and defensible risk statements that are measured in the same economic terms as other risks they
have to manage.

Risk Governance/Organizational Oversight

Risk Management

Risk Assessment

Risk Risk
Risk Evaluation Risk Treatment Risk Monitoring
Identification Analysis

Figure 1: Risk Analysis in Context

3.3 Why is a Tightly-Defined Taxonomy Critical?

Without a logical, tightly-defined taxonomy, risk analysis approaches will be significantly
impaired by an inability to measure and/or estimate risk factors. This, in turn, means that
management will not have the necessary information for making well-informed comparisons and
choices, which will lead to inconsistent and often cost-ineffective risk management decisions.
The O-RT Standard provides the clear definition of Open FAIR risk factors and risk factor
relationships necessary to guide professionals in their analysis of risks.

Risk Analysis (O-RA), Version 2.0.1 5

4 Risk Measurement: Modeling and Estimation

To measure risk, analysts incorporate into models what they believe they know about the future
(certainty) and what they do not or cannot know (uncertainty) to estimate what will actually
happen, and to estimate the range of outcomes of that future. The O-RT Standard describes the
risk factors and structure of a model that estimates the likelihood of foreseeable losses due to
information system-related events. Model providers build models using those risk factors as
defined in the taxonomy to make accurate estimates of future outcomes.

All models at some level are “wrong”. Models, whether based upon human judgment and
experience alone, scientific theory, mathematical equations, artificial intelligence, or a
combination of all these, are limited in their ability to specifically and exactly predict the future;
an outcome that cannot be determined with complete precision before it actually occurs and is
observed.

The best an analyst can do is estimate risk factors and apply them through an accurate model,
and even then, the model’s estimate of probable future loss may not include the actual future
outcome when it occurs; the model or the estimates may have been inaccurate. However,
modeling an uncertain future is the best humanity can do. The analyst must use the best
available, current information to make informed probabilistic statements about what they believe
may occur. (Indeed, human brains do this every moment.)

Analysts must identify and apply the knowledge they have and, at the same time, incorporate the
uncertainty of what is not known – or not knowable. Some of that unknown may be discoverable
through additional research. Other uncertainty, the uncertainty of a strictly unpredictable future
outcome, cannot be discovered. Analysts – using all the information they have available – apply
what measurements of risk factors are known, estimate risk factors that are unknown, and use
risk models to estimate the frequency and magnitude of foreseeable future outcomes.

4.1 Key Foundational Concepts: Accuracy, Precision, Subjectivity,

and Objectivity
Accurate forecasting of probable future loss from a given scenario requires an accurate
estimation of risk factors. When modeling under conditions of uncertainty, it is best to value
accuracy over precision and to report a range of values within which the actual value falls rather
than to report an overly precise estimate that has little chance of being accurate.

Estimates informed by objective information (actual data, even if it is an estimate or industry-

standard data when data individualized to a particular company is not available to the analyst)
are more likely to be accurate than those informed solely or predominantly by subjective gut
feelings and plagued with unstated biases or assumptions.

4.1.1 Accuracy versus Precision

An estimate of an uncertain future outcome is accurate when the observed future event is found
to lie within the original estimate’s range. The accuracy of an estimate is binary: accurate or

6 The Open Group Standard (2021)

 inaccurate. When observed in the future, the event either lies within the estimated range, or it
does not.

The precision of an estimate is its range. Estimates that are too precise – that is, with a range that
is too narrow, ignoring or minimizing the expression of uncertainty – can mislead decision-
makers into thinking that there is more rigor in the risk analysis than there is. Using distributions
and ranges increases the probability that an estimate is accurate. To increase the probability that
an estimate is accurate, reduce its precision.

An example of an estimate that is precise but inaccurate would be an estimate that the wingspan
of a Boeing™ 787 is exactly 107 feet. An example of an estimate that is accurate but not
usefully precise would be an estimate that the wingspan of a Boeing 787 is between 1 foot and
1,000 feet.

An estimate is usefully precise when more precision would not improve or change the decision
made by stakeholders. To extend the airplane wingspan example, if its wingspan is estimated to
between 10 feet to 300 feet, and if the objective of the estimation exercise is to inform the
builder of a hangar how large it should be to cost-effectively house the plane, then the estimate is
likely accurate, but it is not usefully precise to support an economically efficient hangar
construction project.

To provide high-quality estimates that stakeholders can use to make effective decisions, analysts
must first ensure they are accurate. To improve the usefulness of the estimate, analysts shall
provide as much precision as the research, data, and reasoning of that estimate can support,
while keeping the estimate accurate.

Risk analysis results cannot be more precise than the input values. The number of significant
digits resulting from multiplication is the same as the number of significant digits in the least
precise input (i.e., have no more non-zero significant digits). In other words, analysts should not
represent more precision in an analysis than the data going into it can support.

4.1.2 Subjectivity versus Objectivity

All measurements lie on a spectrum ranging from the purely subjective to purely objective but,
in reality, no measurement is perfectly objective because humans are inherently subjective.
Analysts must decide what data to capture, how to collect it, and what filters to apply when
using and presenting it, all of which can (and frequently do) introduce bias.

Highly subjective measurements of risk factors are those which are strongly influenced by
personal feelings, interpretations, prejudice, or a simple lack of subject matter knowledge.

Highly objective risk measurements of risk factors are those which are not influenced by
personal feelings, interpretations, or prejudice, but which are supported by facts, observations,
and evidence upon which impartial observers would agree. The analyst should make
measurements as objective as is practical and useful to the analysis at hand.

To increase the objectivity of this risk measurement, the analyst has two primary approaches.
The first is to gather more data to help inform the risk estimate. The second is to better
understand how the estimates are derived – in other words, to better define and apply the factors
that make up or influence the estimates. The precise definitions and relationships provided in the
O-RT Standard help to inform this understanding.

Risk Analysis (O-RA), Version 2.0.1 7

 For example, if an analyst asked a random employee at a company how many laptops the
company loses in a given year, that employee’s opinion would be a comparatively subjective
answer, perhaps informed only by their own experience or knowledge of co-workers who have
lost laptops. To improve the objectivity of the lost laptop measurement, that analyst could go to
the IT group in charge of managing IT assets and ask for the records of lost laptops for the past
several years. Impartial stakeholders would commonly accept the accuracy and precision of
these records and would interpret them in the same way, making these measurements more
objective and agreed upon as true compared to one random employee’s opinion or personal
history of laptop loss.

4.2 What is an Estimate?

Estimating involves calculating roughly and usually requires using imperfect data. Analysts use
statistical concepts to quantify or specify estimates of an uncertain, unknowable-in-advance
future outcome. The essential elements of every estimate are its range, most likely value and
distribution.

4.2.1 The Range of the Estimate Determines Its Accuracy

Estimates have a minimum and maximum value that specifies their range. An estimate is
accurate when the outcome measured in the future is found to be located within that range.

Because the future is uncertain and estimation models are imperfect representations of the
complex natural world, a modeled estimate will be inaccurate some of the time: estimates have a
probability of being accurate. That probability can be increased at the expense of the estimate’s
precision. In other words, increasing an estimate’s range increases the probability of it being
accurate but comes at the expense of reduced precision of that estimate.

At some point, although accurate, an imprecise estimate is no longer useful. The practical
tradeoff made in this document is that estimates should be accurate 90% of the time. This
probability of accuracy makes a tradeoff between the probability of the estimate being accurate
and improved precision.

To accomplish this accuracy-precision tradeoff, the analyst should have a degree of belief that
the materialized, observed future outcome will not be below the estimate’s minimum more than
one time out of 20, or 5% of the time. Similarly, the analyst should have a degree of belief that
the materialized, observed future outcome will not be above the estimate’s maximum value more
than one time out of 20, or again 5% of the time.

4.2.2 Standardizing on Most Likely Value as a Way of Estimating Risk Factors

The Open FAIR model characterizes statistical distributions though common, intuitive
constructions of the minimum, maximum, and most likely values of the distribution. Analytic
tools can then convert these standard parameters into specific ones required by the distribution
chosen by the analyst.

The most likely value is the peak of the distribution, sometimes called the mode in a discrete
distribution, other times simply the peak of a continuous one. In the context of inputs into the
Open FAIR model, when making an estimate for a factor of a risk model, the most likely value
represents the value within the range believed to have the highest probability of being the true
value when observed in the future.

8 The Open Group Standard (2021)

 For instance, an analyst estimates a given Loss Event to occur with a probable frequency of
between 1 and 20 times over the next year and has historical evidence over many years
suggesting that 11 or 12 of these Loss Events is more probable than 1, 2, 19, or 20. As a result,
the analyst would select 11 or 12 as the “most likely value”, increasing its probability relative to
the other values in the range. The degree to which 12 Loss Events is believed more probable
than other values in the range is reflected in how much the probability of the most likely value is
increased relative to the other values within the range.

4.2.3 Specifying an Estimate’s Distribution Improves Its Precision

Analysts can improve the usefulness and precision of the estimate by selecting a statistical
distribution bounded by the accurate range described above that best reflects what they know
about the risk factor being modeled. In other words, by deliberately choosing a distribution, an
analyst is using knowledge about the risk factor being estimated to model their degree of belief
that some outcomes are more likely than others within the specified range of the estimate. For
instance, distributions for which analysts have a very high degree of belief in the most likely
value will be very peaked and narrow; flatter distributions indicate that analysts have a low
degree of belief that the most likely value is all that likely compared to others within the range.

If the risk analyst knows nothing about an estimate aside from its accurate minimum and
maximum values, they would choose the uniform distribution – such a choice indicates complete
uncertainty about the likelihood of the modeled, estimated future outcome aside from its
minimum and maximum range values. If the risk analyst knows that a modeled potential loss has
the potential of a “fat tail”, they would choose a log-normal statistical distribution. Similarly, the
analyst may know that the Threat Event Frequency is best modeled through Poisson
distribution.2

Note: The Open FAIR model is agnostic on what distribution is “right”. Instead, analysts
shall use their best knowledge of that risk factor and what additional information they
know about it to select the most appropriate distribution. The Open FAIR model is also
agnostic on any required distribution choices that a risk model or calculating tool
provides to the risk analyst. From an Open FAIR standard conformance or compliance
standpoint, there are no minimum requirements placed upon tool or model suppliers to
include or exclude any statistical distribution available for the analysts to use in
modeling any risk factor.

4.3 The Calibration Technique to Develop Accurate Estimates

Calibration allows an individual to make better estimates. Because measuring risk involves
making good estimates, calibration is critical for risk analysts to understand. Performing
calibration to make better estimates is a skill that can be learned.

4.3.1 Starting with the Absurd

Calibration starts with making absurd estimates. Beginning by making absurd estimates enables
the risk analyst to recognize starting values for the estimation that are clearly not possible. It also
assists in breaking any bias that an analyst may have.

2
Poisson distribution: https://en.wikipedia.org/wiki/Poisson_distribution.

Risk Analysis (O-RA), Version 2.0.1 9

 To extend the Boeing 787 wingspan estimate example from earlier, an analyst might initially
estimate the wingspan with an absurdly wide range of 10 feet on the low side and 300 feet on the
high side. Someone with experience seeing the airplanes at airports will recognize that these
values are absurd estimates, perhaps using as frames of reference the height of a basketball hoop
on the low end and the length of a football field on the high end. Once the analyst understands
how absurd these values for minimum and maximum (min/max) in the range are, they can start
to narrow in on more appropriate min/max values in a range to support the decision at hand.

Starting with these clearly absurd values leads to more accurate estimates, reduces the likelihood
of an inaccurate estimate, and makes it more possible to narrow in on a more realistic range of
min/max values.

4.3.2 Decomposing the Problem

Measurement and estimation in risk analysis requires the analyst to decompose broad, high-level
risk components into smaller pieces that are easier to deal with. An example of this might be
trying to estimate the height of the Willis Tower in Chicago. By decomposing the problem into
“How many floors tall is the building?” and “How much vertical space does each floor occupy?”
the analyst can start to make sense of the entire question.

In information security risk analysis, a similar broad question might be, “How much risk does
this firm have around lost laptops and Personally Identifiable Information (PII)?” To decompose
this into components that can be more easily dealt with (and for which there is data to support a
risk analysis), the analyst can ask themselves questions such as, “How many laptops have we
historically lost each year? How much PII is being stored on laptops by employees? What costs
do organizations similar to ours experience when they lose PII?”

4.3.2.1 Making Estimates with Incomplete or Very Little Information

Analysts almost always have to work with the information they have, not the information they
want. Analysts have several approaches they can take to make calibrated, accurate estimates
with missing or incomplete information. The main point is this: analysts have more information
than they think, but they must be creative in how to discover and use what they have. Enrico
Fermi developed techniques to do this, and the literature around “Fermi Problems” is referenced
in the example below.

Suppose an analyst had to estimate the number of plays attributed to William Shakespeare. An
analyst who had a copy of the complete works at home and had appeared in a handful of
Shakespeare plays may not need to decompose that value into its factors. Based upon that unique
knowledge and experience, the analyst could estimate Shakespeare’s lifetime production
between “20 to 40 plays” with relative ease.

Someone else, however, without access to that knowledge and experience and who has no idea
of Shakespeare’s lifetime achievement could treat “the number of plays attributed to
Shakespeare” as a Fermi Problem and derive it from the sub-factors “number of years of
productivity” and “number of plays per year”. Without direct knowledge of Shakespeare but
with some knowledge of Elizabethan times and the productivity of playwrights, a productive
lifetime of “10 to 30 years” and a playwright productivity of “one to three plays per year” could
be reasonably estimated and, when combined, would lead to an estimated lifetime achievement
of between 10 to 90 plays. For this analyst, who has not trodden the boards as Benvolio,
decomposing a difficult-to-estimate value into easier-to-estimate factors for which more
data/rationale was readily available, deriving an accurate estimate becomes possible. If that

10 The Open Group Standard (2021)

 estimate still were not usefully precise, the analyst could further research the sub-factors to
refine their precision. For example, the analyst could quickly research Shakespeare’s age at
death to narrow the estimate of productive lifetime.

The same is true when estimating risk factors in Open FAIR models. If one factor is difficult to
estimate given the available information, the analyst should research information that informs
accurate estimates of its sub-factors, ultimately producing an accurate estimate of the factor in
question.

4.3.3 Testing Confidence Using the Wheel, Establishing 90% Confidence

Overall, and 95% Confidence at Each End
The wheel is a mechanism to help an analyst strengthen their conviction or confidence in an
estimated range of values, to move them to a point where the analyst is 90% confident that the
actual value observed in the future will lie within the min/max range; in other words, the
estimate should have a 90% chance of being found accurate. The wheel mechanism helps risk
analysts improve their calibration abilities by forcing them to evaluate (and revise) their choice
for a min/max value in a range.

With an initial absurd range for the value, the next step is to narrow the range to more accurately
estimate the actual values so that the analyst is confident that the actual value will fall within the
range 90% of the time (a 90% confidence interval).

Douglas Hubbard (see Referenced Documents) uses the analogy of a wheel to help narrow the
range. The analyst is offered a choice between two scenarios:
1. They will receive $1,000 if the actual value falls within their prediction.
2. Spinning a wheel with 90% of its area painted black and 10% painted red. They will win
$1,000 if the wheel stops in the black.

The wheel implements a 90% confidence interval, and the desired goal is that the analyst has no
preference between the two methods. An analyst who prefers the wheel is not confident that their
estimate represents a 90% confidence interval for the value, which demands that estimate be
revised; in fact, this analyst must have a degree of confidence less than 90% if they prefer the
wheel, and they should make their estimated range wider. The confidence interval can be
tightened by asking the analyst to make the same choice regarding whether the estimate will be
less than (or greater than) the minimum (maximum) of the specified range 95% of the time.

4.3.4 Challenging Assumptions

To fill in missing information, analysts must make assumptions – those things analysts take to be
true even if they are not. These assumptions could be for values in the Open FAIR risk analysis
or about the relevant Threat Communities, to name a couple of examples. Assumptions may be
challenged by considering other analysts’ estimates and by researching data that is useful to the
estimation activity. Challenging assumptions helps prevent an inaccurate assumption from
leading to an inaccurate estimate.

4.3.5 Range Confidence

Analysts improve their confidence in the accuracy of the range through training in calibration in
removing personal estimating biases. The wheel exercise, described in Section 4.3.3, helps to
improve calibration and reduce personal bias.

Risk Analysis (O-RA), Version 2.0.1 11

4.4 Using Monte Carlo Analysis
Monte Carlo simulation3 is a method for modeling the future in the face of significant
uncertainty to show the relative probabilities and impacts of future outcomes. By performing
repeated sampling of random variables characterizing Open FAIR risk factors, Monte Carlo
simulation models thousands of outcomes consistent with those parameters and their
distributions to obtain a distribution of simulated annual losses. That output is used in risk
analysis to show the probability distribution of likely outcomes of an uncertain future. The
primary advantage of using a Monte Carlo simulation in risk analysis is that it portrays the full
risk exposure story: it shows not only averages and most likely outcomes but also the entire
range of estimated possible losses and their relative probability of occurrence.

3
Monte Carlo method: https://en.wikipedia.org/wiki/Monte_Carlo_method.

12 The Open Group Standard (2021)

5 Risk Analysis Methodology and Process

The methodology standardized here is a basic one covering a foundational series of stages to
define, scope, decompose, and quantitatively evaluate potential Loss Events in an information
system.
 Stage 1: Identify the Loss Scenario (Scope the Analysis)
 Stage 2: Evaluate the Loss Event Frequency
 Stage 3: Evaluate the Loss Magnitude (LM)
 Stage 4: Derive and Articulate Risk
 Stage 5: Model the Effect of Controls

Throughout the risk analysis process, the risk analyst shall document key assumptions and the
rationale for estimates used. Well-documented assumptions should include the reasoning for the
assumption as well as any sources that contributed to them. A well-documented rationale should
state the source of all estimates – the source may be systems (e.g., logs), groups (e.g., incident
response), or industry data.

By documenting the key assumptions and rationale used, the analyst will be better able to defend
the analysis and explain the results to decision-makers. This also allows analysts to compare
approaches if results differ. Documenting the key assumptions and rationale used adds to the
integrity of the analysis because analysts can demonstrate where they found data and why certain
data was used for estimates in the analysis.

5.1 Stage 1: Identify the Loss Scenario (Scope the Analysis)

In this critical stage of the analysis, the “story of loss” is defined from a specific stakeholder’s
perspective – the Primary Stakeholder, typically the owner of the identified Asset, is the one
who bears and values the loss. The loss can be described as an event, and to analyze the probable
future loss related to any given event/scenario, the analyst must have a clear understanding of
what the scenario/event is from the perspective of the Primary Stakeholder.

The Loss Scenario is the story of that loss that forms a sentence:

A Threat Agent breaches or impairs an information Asset that causes an observable Loss
Event that has direct economic consequences (Primary Loss) and may have economic
consequences initiated by reactions from others (Secondary Loss).

Conceptually, a Loss Scenario looks like Figure 2.

Risk Analysis (O-RA), Version 2.0.1 13

 Loss Scenario: From the Primary Stakeholder’s Perspective
Breach, That That And may
impair cause has Direct have Reaction
Observable
Threats Assets Consequences from
Loss Event
($) Others ($)

Figure 2: Decomposing an Open FAIR Loss Scenario

To complete the Loss Scenario, the analyst must identify and define the Primary Stakeholder, the
Asset, the Threat Agent/Community, the Threat Event, and the Loss Event.

5.1.1 Identify the Primary Stakeholder

The Primary Stakeholder is the individual or organization who owns or is accountable for the
Asset that suffers lost measurable, economic value from a Loss Event.

5.1.2 Identify the Asset

The Asset is the information, information system, or information system component that is
breached or impaired by the Threat Agent in a manner whereby its value is diminished or the act
introduces liability to the Primary Stakeholder. Assets inherit value based on the business
processes/organizational objectives they, or the data/applications that reside on or run using
them, support.

5.1.3 Identify the Threat Agent/Community

The Threat Agent is the person, place, or thing capable of acting against the Asset in a way that
results in a loss described in the Loss Scenario.

By examining the nature of the organization (e.g., the industry it is in) and the conditions
surrounding the Asset (e.g., an HR executive’s office), the analyst can begin to classify the
overall Threat Agent population into one or more Threat Communities that might reasonably
apply. Including every conceivable Threat Community in the analysis is likely not a good use of
time; instead, the analyst should identify the most probable Threat Communities for the Loss
Scenario.

To further define a Threat Community, the analyst can build a “profile” or list of common
characteristics associated with a given Threat Community. The Open FAIR model does not
define a standard list of attributes to evaluate for each and every Threat Community. Rather,
each organization should create a list of Threat Community attributes that can be reused across
multiple risk analyses to ensure internal consistency. Common characteristics include:
 Motive
 Objective
 Access Method
 Personal Risk Tolerance
 Desired Visibility
 Sponsorship

14 The Open Group Standard (2021)

  Skill Rating
 Resources

5.1.4 Identify the Threat Event

A Threat Event occurs when the Threat Agent acts against information Assets by attempting to
breach or otherwise impair them to impact their confidentiality, integrity, or availability.

There are four types of Threat Events:

 Malicious (where harm is intended); e.g., an attempted theft
 Error (where an act occurred that was not intended); e.g., entering the wrong command at
a keyboard
 Failure (where an act resulted in unintended consequences); e.g., the right command was
given, but the system failed to perform as intended
 Natural (resulting from acts of nature); e.g., high winds

For each Threat Event type, the analyst can ask, “Who or what could potentially harm the Asset
in this way?”. However, distinguishing between probable and merely possible Threat Events is
crucial. By considering the nature of the Threat Communities relative to the industry,
organization, and Asset, the analyst selects the reasonable, probable Loss Scenarios and avoids
the speculative, highly improbable ones.

In many cases, a final consideration regarding the definition of a Threat Event under analysis is
to identify the “threat vector”. The threat vector represents the path and/or method used by the
Threat Agent to breach/impair the Asset, and each threat vector may have a different frequency
and different control levels. For example, an attacker seeking to gain access to sensitive
corporate information may try any of a number of vectors, such as technical attacks, leveraging
human targets, etc.

5.1.5 Identify the Loss Event

The observable Loss Event is a confidentiality, integrity, or availability event that the
stakeholder can observe and respond to. For a loss to occur, it first must be observed, for only an
observable loss can be responded to and valued; a loss that has not yet been observed can be
considered a Threat Event until the loss is observed.

Every Loss Scenario must have a direct consequence evaluated as the economic cost directly
associated by the observed confidentiality, integrity, or availability loss of the Asset – this is the
Primary Loss. The impact of that observable Primary Loss then must be evaluated in economic
terms, measured in dollars, pounds, euros, yen, yuan, etc. All losses in the Open FAIR model are
measured in these economic terms.

From that Primary Loss, there is a probability that Secondary Stakeholders will react, resulting
in additional losses to the Primary Stakeholder – an additional loss resulting from the actions of
Secondary Stakeholders is the Secondary Loss. For example, regulators, customers, or the media
may react to the initial information system loss and initiate their own actions against Primary
Stakeholder Assets, usually financial Assets.

Risk Analysis (O-RA), Version 2.0.1 15

 Examples of Secondary Losses include consumer breach notification, regulatory reporting of the
incident, lawsuits, or “bad press”, all intended to impact the Primary Stakeholder financially. At
a minimum, the Primary Stakeholder’s response to these Threat Events represents a response
cost in the Open FAIR model. Additional financial costs to the Primary Stakeholder may build
from there.

5.1.6 Limiting the Scope of the Loss Scenario

Whether an analysis succeeds or not first depends upon whether its scope is sufficiently limited
to be executed successfully. The scope of an analysis is too broad when it includes multiple
Threat Communities that do not share common characteristics, multiple observable Loss Events,
or multiple Asset types.

Performing a single analysis that encompasses more than one Threat Agent/Community or Asset
is generally acceptable, but careful consideration should be given if those multiple Threat
Agents/Communities have significantly different Threat Capabilities, attack the Asset through
different threat vectors, or act against the Asset at significantly different frequencies. When any
of these conditions occur, analysts should create multiple Loss Scenarios and analyze them
separately.

Combining multiple observable losses (confidentiality, integrity, availability) together should be

avoided. For example, the forms of losses associated with availability are likely to be very
different from those associated with confidentiality or integrity. The Loss Magnitude of the
forms of loss are likely to differ significantly, too. Trying to combine these into a single Loss
Scenario adds needless complexity to the analysis and often distracts the analysis team from
what matters most.

Finally, analysts should avoid combining different Asset types into a single analysis, for this
often makes modeling Loss Event Frequency and Loss Magnitude harder than it would be if the
Loss Scenarios were separated. For example, a Threat Agent who steals a laptop out of an
employee’s car has both the laptop and the data on it. Combining the Loss Magnitude of both the
laptop and data together may be much harder to do accurately than doing two analyses, one for
the laptop hardware that needs to be replaced, and one for the loss associated with the data on
the laptop.

Analyzing several, focused Loss Scenarios often takes less time and is more efficient than trying
to make estimates for more complex scenarios.

The analysis is scoped after defining the Loss Scenario and all key, relevant assumptions have
been made and documented.

Note: In any risk analysis, regardless of method, the analyst must make assumptions to fill in
for missing, incomplete information. Analysts must clearly document their key
assumptions to ensure all that those who review the analysis understand the basis for
the values used and to assess whether the assumptions used are reasonable for the
analysis.

In scoping the Loss Scenario, the Open FAIR risk factors are assumed to be independently
identically distributed.

16 The Open Group Standard (2021)

5.1.7 Decomposing the Loss Scenario
The analyst can now begin modeling the risk within the Open FAIR quantitative framework to
evaluate the Loss Event Frequency and Loss Magnitude associated with this Loss Scenario.

Figure 3 shows the decomposition of a Loss Scenario and can be understood, from left to right,
as showing the chain of events, beginning with a Threat Agent contacting an Asset and ending
with the Loss Event(s). It will be decomposed further to show the Loss Event Frequency and
Loss Magnitude components.

Loss Scenario: From the Primary Stakeholder’s Perspective

Breach, That That And may
impair cause has Direct have Reaction
Observable
Threats Assets Consequences from
Loss Event
($) Others ($)

Reputation

Secondary Loss Event

Contact Event

Productivity
Threat Event

Fines &
Judgment
Loss
Event Replacement
Response
Response
Competitive
Advantage

Figure 3: Decomposing an Open FAIR Loss Event

5.2 Stage 2: Evaluate the Loss Event Frequency

Having described the Loss Scenario, the analyst can begin collecting data and estimates for the
various Open FAIR risk factors.

At the highest level, to understand the probable future loss associated with a given Loss
Scenario, the analyst needs an estimate of how many times the Loss Scenario is likely to occur
over a given timeframe – this is the Loss Event Frequency (LEF).

When estimating Loss Event Frequency, the analyst must choose which risk factors in the Open
FAIR taxonomy to estimate. For example, is it better to estimate Loss Event Frequency than
deriving that risk factor from its lower-level sub-factors by estimating Threat Event Frequency
and Vulnerability? Should the analyst go even further down into in the Open FAIR taxonomy,
decomposing those two risk factors into their sub-factors Contact Frequency (CF), Probability of
Action (PoA), Threat Capability (TCap), and Resistance Strength (RS) to derive all the higher
factors?

Analyses should be performed using the risk factors that have the highest quality of data to
support accurate and usefully precise calibrated estimates. When possible, analysts should
estimate factors at the highest level possible in the Open FAIR taxonomy. However, when an
accurate estimate is not usefully precise and information is available that informs accurate and

Risk Analysis (O-RA), Version 2.0.1 17

 usefully precise estimates of lower-level risk factors, the analyst should decompose the higher-
level risk factor into its component sub-factors and estimate them.

Analysts should not assume that they must always derive Loss Event Frequency from estimates
of its lower-level factors, nor does it mean that it is always advantageous to do so. In fact,
estimating factors lower in the model can involve increasing levels of abstraction and difficulty
in many scenarios without improving the quality of the analysis.

Utilizing a top-down approach and working higher in the taxonomy offers increased efficiency
and, when there is historical data supporting an estimate at the Loss Event Frequency level, can
result in a more objective analysis. By leveraging a top-down approach, the analyst tries to
accurately and sufficiently precisely estimate Loss Event Frequency, only decomposing it into
its sub-factors if useful or necessary to serve the purpose of the analysis. The guiding principle is
this: select risk factors that represent the simplest model possible that is accurate and usefully
precise.

Risk

Top-Down
Approach
Loss Event
Frequency

Threat Event
Vulnerability
Frequency

Contact Probability of Resistance

Threat Capability
Frequency Action Strength

Figure 4: Top-Down Approach

5.2.1 Estimate the Loss Event Frequency

A Loss Event Frequency estimate reflects how many times the Loss Scenario is expected to
occur in a given timeframe. If the Loss Event being measured has occurred in the recent past,
the analyst may be able to estimate Loss Event Frequency directly.

The purpose of the analysis will also determine the level of abstraction. For instance, if the
analyst is evaluating several different Control options to determine which option is most
effective from a risk reduction perspective, then deriving Vulnerability by analyzing Resistance
Strength and Threat Capability may be most useful. In this way, the analyst can estimate the
change in Resistance Strength due to the evaluated Control option.

If the analyst is unable to estimate the Loss Event Frequency directly (e.g., if there is no data on
prior Loss Events), if factors (such as Controls) have changed, if there is better/more objective
data about Threat Events than Loss Events, or if the purpose of the analysis requires it, the
analyst should step down one layer and work to estimate Threat Event Frequency (TEF) and
Vulnerability (Vuln) to derive the Loss Event Frequency.

18 The Open Group Standard (2021)

5.2.1.1 Estimate the Threat Event Frequency

A Threat Event Frequency estimate reflects how many times the Threat Agent will attempt to
breach or impair the Asset’s confidentiality, integrity, and/or availability. A Threat Event
Frequency estimate would be based upon how frequently contact between the Threat Agent and
the Asset occurs (the Contact Frequency) and the probability that the Threat Agent would act
against the Asset (the Probability of Action).

Threat Event
Frequency

Contact Probability of
Frequency Action

Figure 5: Threat Event Frequency

For a Loss Event to occur, a Threat Agent must first contact an Asset. After contacting the Asset,
there is then a Probability of Action for whether the Threat Agent will then try to cause a Threat
Event. However, if the Threat Agent does not act against the Asset despite making contact, no
Threat Event occurs, so not every Contact Event results in a Threat Event.

The probability that the Threat Agent would act is driven by three primary factors that affect
how the Threat Agent perceives the benefits of acting against the asset versus the costs of
conducting the act against the asset:
 Perceived value of the Asset to them (based upon their motives – financial gain, revenge,
etc.)
 Perceived level of effort required (i.e., how vulnerable the Asset appears to be)
 Perceived risk of being caught and suffering unacceptable consequences

Probability of Action is influenced by what the Threat Agent perceives or believes, and it is
modeled in the Open FAIR framework as an economic analysis of costs and benefits of a
successful attack to the Threat Agent. A Threat Agent would have a lower Probability of Action
if the perceived payoff of a successful attack fell, the level of effort rose, or the consequences to
the Threat Agent rose. Assuming all other things are equal, examples of reducing the Probability
of Action include:
 Changing PII policies – if Threat Agents regularly contact a database and discover that the
organization has changed its policies to reduce how much PII is stored in one location,
their perceived value of the Asset has been reduced because they will be unable to obtain
as much benefit from a successful attack
 Encrypting databases – if after contacting a database Threat Agents discover it is
encrypted, the perceived level of effort to capture useful information from the database
has risen compared to an unencrypted database, they will reduce their attempts to
penetrate it
 Installing new surveillance cameras – if Threat Agents passing by an ATM discover new
surveillance cameras installed around it and believe that their probability of being caught

Risk Analysis (O-RA), Version 2.0.1 19

 and prosecuted for robbery has increased, they will reduce how often they try to break into
it

5.2.1.2 Estimate Vulnerability

Vulnerability, or its synonym susceptibility, is the probability that a Threat Event results in a
Loss Event.

Vulnerability

Resistance
Threat Capability
Strength

Figure 6: Vulnerability

If the analyst has data on Threat Events and Loss Events in a given timeframe, it is possible to
estimate Vulnerability directly by comparing the number of successful Loss Events to the total
Threat Events.

If estimating Vulnerability (Vuln) directly, Vulnerability is the conditional probability that a

Threat Event results in a Loss Event.

Vuln = Pr(Loss Event | Threat Event)

If the analyst lacks this data, Vulnerability can be estimated at the lower level by considering
how the Threat Agent’s knowledge, skills, and resources (Threat Capability) compare to the
Control environment around the Asset and the Primary Stakeholder’s ability to resist the Threat
Agent’s actions (Resistance Strength).

At the lower level, Vulnerability (Vuln) is the conditional probability that the Threat Capability
(TCap) is greater than the Resistance Strength (RS).

Vuln = Pr(TCap > RS)

Threat Agents vary in their capability: some are relatively easy to resist while others can
penetrate the most heavily protected Asset. The Open FAIR model reflects the variability of a
Threat Agent’s resources, skill, organization, and persistence as its Threat Capability. Threat
Capability is measured as the percentile value representing the Threat Agent’s relative position
on the distribution of potential attackers.

Attackers exist on a continuum of skills and resources, including at one end of the continuum
attackers with little skill, little experience, and a low level of determination, and including on the
other end attackers who are highly skilled, experienced, and determined. In performing an Open
FAIR risk analysis, the analyst defines a minimum likely capability for the threat, a maximum
likely value, and a most likely value. These represent the minimum level of skills expected for
an attacker to have, the maximum level of skills an attacker might have, and the skill level of the
most likely attacker. This skill level is relative to the threat vector used; for example, an attacker
may be highly skilled at utilizing a particular threat vector but not at all skilled at utilizing a
different threat vector.

20 The Open Group Standard (2021)

 The Threat Capability continuum describes attackers as existing at various percentiles, where the
25th percentile of Threat Agents are less skilled and able than the 50th percentile of Threat Agents
who are less skilled and able than the 99th percentile of Threat Agents.

To resist the Threat Agent’s capability, the Asset has Controls and protection against a Threat
Agent’s capability, which contribute to the Asset’s Resistance Strength. Resistance Strength is
the strength of a Control as compared to the probable level of force that a Threat Agent is
capable of applying against an Asset, and it is measured as the percentile value representing the
highest Threat Capability against which it could be successfully defended.

Note: Both Threat Capability and Resistance Strength are expressed in a range to account for
increasing levels of abstraction and uncertainty involved with using the Threat
Capability continuum.

The probability that a Threat Event will result in a Loss Event – or the percentage of Threat
Events over a given timeframe that will result in Loss Events – is variable. Not all Assets of a
given type are equally protected. For example, some Assets, such as user bank accounts, have
stronger passwords than others, so an attack that fails against one user’s bank account with a
comparatively strong password will succeed against another user’s account with a comparatively
weaker password.

After estimating the ranges for Threat Capability and Resistance Strength, the analyst will use
Monte Carlo analysis to compare a random sample from Threat Capability with a random
sample from Resistance Strength and derive Vulnerability, the probability that the Threat
Capability exceeds the Resistance Strength in any given threat action of the type being analyzed.

5.2.2 Decomposing Loss Event Frequency

Figure 7 shows the decomposition of Loss Event Frequency.

Probability
of Action
Vulnerability
Pr(TC>RS)

Loss Event
Frequency
Contact Event

Threat Event

Loss
Threat Event
Event Frequency
Vulnerability

Contact Probability of Resistance

Threat Capability
Frequency Action Strength
Loss Event
Threat Frequency
Contact Event
Frequency Frequency

Figure 7: Decomposing Loss Event Frequency

By leveraging a top-down approach, the analyst will first try to estimate Loss Event Frequency
itself if it is possible to make a defensible estimate, only decomposing it into its factors if useful
or necessary for the purpose of the analysis or if the type and quality of data are better/more
objective at the lower levels.

Risk Analysis (O-RA), Version 2.0.1 21

 The decomposition reflects these key relationships among the risk factors:

Loss Event Frequency ≤ Threat Event Frequency ≤ Contact Frequency

Vuln = Pr(Loss Event | Threat Event) = Pr(TCap > RS)

5.3 Stage 3: Evaluate the Loss Magnitude

After evaluating Loss Event Frequency, the analyst can evaluate Loss Magnitude – the total
financial value lost when a Loss Event occurs – using the Open FAIR loss forms to help identify
the Primary Loss(es) and any Secondary Loss(es).

Loss Magnitude

Primary Loss
Secondary Loss
Magnitude

Secondary Loss Secondary Loss

Event Frequency Magnitude

Figure 8: Loss Magnitude

Any of the six Open FAIR loss forms (productivity, response, replacement, fines and judgments,
competitive advantage, and reputation) could appear as either a Primary Loss or a Secondary
Loss, and the loss forms are modeled as being statistically independent of each other. Experience
has shown that productivity and replacement costs are more commonly seen as Primary Losses,
whereas fines and judgments, competitive advantage, and reputation damage loss are more
commonly seen as Secondary Losses. Response costs are commonly seen as both/either Primary
and/or Secondary Losses.

5.3.1 Estimate the Primary Loss Magnitude

The Primary Loss Magnitude (PLM) is the direct consequence of a Loss Event, evaluated as the
economic cost directly associated by the observed confidentiality, integrity, or availability loss
of the Asset.

In estimating the Primary Loss Magnitude, the analyst estimates what is expected to happen
(most likely value) versus best and worst-case (maximum/minimum values). If the analyst
chooses to evaluate the worst-case proposition, they must also reflect the (generally) much lower
frequency of such an outcome.

In determining which forms of loss (e.g., productivity, replacement, response) may apply to the
Primary Loss Magnitude, the analyst should discuss with the organization’s subject matter
experts that typically respond to or manage adverse events. This is especially useful for
analyzing Loss Events that may have not occurred in the past. These discussions around the
types of organizational involvement and loss when a given Loss Event materializes help to

22 The Open Group Standard (2021)

 ensure that all forms of loss are evaluated and that estimates are accurate while remaining
usefully precise.

The Primary Loss Magnitude (PLM) is equal to the sum of those loss forms that are the direct
consequence of the Loss Event and cause losses to the Primary Stakeholder.

PLM = Σ(Primary Loss Forms)

5.3.2 Estimate the Secondary Loss

If the Primary Loss Event results in reactions from Secondary Stakeholders that cause one or
more additional losses for the Primary Stakeholder, there has been Secondary Loss, and the
analyst needs to estimate the Secondary Loss Event Frequency (SLEF) and Secondary Loss
Magnitude (SLM). To estimate the Secondary Loss, the analyst should first identify who, outside
of the organization, has a stake in the compromised information Asset and might react against
the Primary Stakeholder to generate additional loss.

After establishing which Secondary Stakeholders are relevant, the analyst should estimate the
Secondary Loss Event Frequency.

The Secondary Loss Event Frequency (SLEF) is the conditional probability that a Primary Loss
will result in a Secondary Loss; it is estimated/expressed as a probability, not as events/year.

SLEF = Pr(Secondary Loss | Primary Loss)

The next step is to estimate the Secondary Loss Magnitude for each loss form resulting from the
reactions of Secondary Stakeholders. These shall be estimated as losses to the Primary
Stakeholder, not the impact to Secondary Stakeholders who react from that impact and try to
cause a loss to the Primary Stakeholder.

The Secondary Loss Magnitude (SLM) is equal to the sum of those loss forms resulting from the
reactions of Secondary Stakeholder(s) that cause additional loss(es) to the Primary Stakeholder.

SLM = Σ(Secondary Loss Forms)

5.3.3 Decomposing Loss Magnitude

Figure 9 shows the decomposition of Loss Magnitude.

Risk Analysis (O-RA), Version 2.0.1 23

 Secondary Loss Secondary Loss
Primary Loss
Event Frequency Magnitude
Loss Magnitude

Reputation

Secondary Loss Event

Primary Loss
Secondary Loss
Magnitude Productivity Fines &
Judgment
Loss
Event Replacement
Response
Secondary Loss Secondary Loss
Event Frequency Magnitude Response
Competitive
Advantage

Figure 9: Decomposing Loss Magnitude

Any of the six loss forms can appear as either a Primary Loss or a Secondary Loss, and Loss
Magnitude is equal to the sum of the Primary Loss Magnitude and the Secondary Loss
Magnitude. Primary Loss Magnitude is the direct consequence of the Primary Loss Event.

For a Secondary Loss to occur, there must have been a Primary Loss that caused Secondary
Stakeholders to react and cause additional losses to the Primary Stakeholder. Therefore, the
Secondary Loss Event Frequency is the conditional probability that a Primary Loss will result in
a Secondary Loss. Secondary Loss Magnitude is the sum of additional losses to the Primary
Stakeholder resulting from Secondary Stakeholders’ reactions.

The decomposition above illustrates these relationships:

Loss Magnitude = (Primary Loss Magnitude) + (Secondary Loss Magnitude)

SLEF = Pr(Secondary Loss | Primary Loss)

5.4 Stage 4: Derive and Articulate Risk

The analyst now has modeled the two components of risk from the Loss Scenario: the Loss
Event Frequency and the Loss Magnitude. From the gathered and/or calibrated estimates of Loss
Event Frequency (or its decomposed factors) and Loss Magnitude, the analyst can then derive
and articulate risk associated with the described Loss Scenario. To quantitatively estimate the
risk, the analyst performs a Monte Carlo analysis of the risk. The direct results of that analysis
are the simulated trials of Monte Carlo analysis.

Analysts should provide data that is useful for the decision the stakeholder is trying to make. In
other words, analysts must select and present results that are fit for the purpose of the analysis.

Depending upon that purpose, analysts have to decide whether presenting one number that
summarizes the distribution of the Monte Carlo results or presenting the distribution itself best
serves the stakeholder’s needs.

24 The Open Group Standard (2021)

5.4.1 Single Number Summary Results
Summary results that have shown to be useful include:
 Average – this is the mean of the Monte Carlo simulated results indicating the average of
total losses within a given time period (likely a year)
 Most Likely Value – this is the “peak” of the distribution of the simulated results
 Loss Exceedance Result – this is the percentile threshold result
Many times, a stakeholder will want to know the likelihood of a loss exceeding a given
threshold; for example, a distribution may indicate that nine times out of ten losses are
below $1M, exceeding $1M one time out of ten, so the 90th percentile threshold is $1M.
 Maximum/Minimum simulated loss – this is the single maximum/minimum simulated
loss result
Similar to the loss exceedance result, some stakeholders may find the extremes of the
distribution important decision criteria.

There are many single number summaries available beyond those representing risk. Analysts, for
example, may choose any of the above to discuss Loss Event Frequency by itself, Single Loss
Magnitude, Single Primary Loss Magnitude, Single Secondary Loss Magnitude, etc., depending
upon the purpose of the analysis and the decisions stakeholders are making that require analysis
to support. Analysts have many choices over what summary information they can provide and
need to select the right results as appropriate to the decision that analysis supports.

5.4.2 Characterizing and Presenting Distribution Results

Fundamentally, the results of a risk analysis are the distribution of the Monte Carlo analyses of
total annual losses, the number of Loss Events per year, the single total loss, single Primary
Loss, and single Secondary Loss. A distribution can be expressed in many ways, and analysts
need to choose that expression as best serves the purpose of the analysis. Example presentations
include:
 Loss exceedance curve
 Distribution curve
 Tornado chart4 (if comparing various alternatives)

5.5 Stage 5: Model the Effect of Controls

The analyst can now estimate the effects of mitigating the risk described by the Loss Scenario
through changes in Controls. The Open FAIR framework defines four categories of Controls:
avoidance, deterrent, vulnerability, and responsive. These Controls affect specific Open FAIR
factors, but their overall effect is to reduce either the likelihood of a Loss Event, the effect of
Loss Prevention Controls, or to mitigate losses once a Loss Event has begun to occur, the effect
of Loss Mitigation Controls.

4
Tornado chart: https://en.wikipedia.org/wiki/Tornado_diagram.

Risk Analysis (O-RA), Version 2.0.1 25

5.5.1 Open FAIR Control Categories
All Controls are intended to affect either or both the frequency and magnitude of loss; thus, a
workable definition of Control is any person, policy, process, or technology that has the
potential to reduce the frequency and/or magnitude of future loss. Understanding where a
Control’s effect may be realized within the Open FAIR taxonomy is critical to accurately
account for a Control within an analysis.

At a basic level, the Open FAIR model categorizes Controls by how they affect risk:
1. Avoidance Controls affect the frequency and/or probability of Threat Agents establishing
contact with Assets.
2. Deterrent Controls affect the probability that a Contact Event becomes a Threat Event.
3. Vulnerability Controls affect the probability that a Threat Event will result in a Loss
Event (the probability that Threat Capability will overcome Resistance Strength), usually
by changing the Asset’s Resistance Strength.
4. Responsive Controls affect the Loss Magnitude, either by limiting Primary Losses,
limiting the frequency of Secondary Loss Events, or limiting the magnitude of Secondary
Loss Events.

Note: The Open FAIR model does not include a specific “detective control” category
because detective controls can play a role in each of the categories listed above and
thus is not a distinct Control category. For example, system logging and monitoring
can in some circumstances be a deterrent by increasing a potential Threat Agent’s
perception of the likelihood of being caught. At the same time, logging and monitoring
can inform an organization that an event is underway, allowing it to intervene before
loss materializes. Even if intervention is not timely enough to prevent loss from
occurring, early detection can allow an organization to respond quickly enough to
minimize the magnitude of loss.

Figure 10 identifies where these Control categories play a role within the taxonomy.

Risk

Responsive
Controls
Loss Event
Loss Magnitude
Frequency

Vulnerability
Controls
Threat Event Primary Loss
Vulnerability Secondary Loss
Frequency Magnitude

Avoidance Deterrent
Controls Controls

Contact Probability of Resistance Secondary Loss Secondary Loss

Threat Capability
Frequency Action Strength Event Frequency Magnitude

Figure 10: Control Categories

26 The Open Group Standard (2021)

5.5.1.1 Avoidance Controls

Avoidance Controls affect the frequency and/or likelihood that a Threat Agent will come into
contact with an Asset. An Avoidance Control successfully reducing Contact Frequency will
translate into a lower Threat Event Frequency, causing a reduced Loss Event Frequency, and
lessened exposure to risk. In other words, Avoidance Controls limit the Threat Agent’s ability to
contact the Asset in the first place. Therefore, Avoidance Controls are a Loss Prevention
Control.

Examples of information security-related Avoidance Controls include:

 Firewall filters
 Physical barriers
 The relocation of Assets
 The reduction of threat populations (e.g., reducing the number of personnel who are given
legitimate access to Assets)

As with any control, the effect may not be absolute. For example, firewalls usually are
configured to permit certain types of traffic, which means that Threat Events may still occur
against Assets behind the firewall. Nonetheless, firewalls also almost invariably reduce the
frequency of Threat Events by shielding against certain types of traffic.

When considering the effect of Avoidance Controls in an analysis, the analyst can measure or
estimate the reduction in Contact Frequency specific to the Threat Agent/Community under
consideration.

5.5.1.2 Deterrent Controls

Deterrent Controls reduce the probability that a Threat Agent will act against the Asset in a
manner that may result in loss – the Probability of Action. In other words, Deterrent Controls are
designed to make it less probable that, given a Contact Event, the Threat Agent will launch a
Threat Event. As with Avoidance Controls, this effect flows up the taxonomy to affect Threat
Event Frequency, Loss Event Frequency, and exposure to risk. Therefore, Deterrent Controls are
also a Loss Prevention Control.

Examples of common information security-related deterrent controls include:

 Policies
 Logging and monitoring
 Enforcement practices
 Asset “hardening” (i.e., many threat actors are opportunistic in nature and will gravitate
toward easier targets, rather than targets that are perceived to be difficult)
 Physical obstacles (e.g., external lights on a building, barb-wire fencing)

For a Deterrent Control to impact the Threat Agent’s Probability of Action, the Threat Agent
must be aware of the Control. Deterrent Controls are designed to impact the Threat Agent’s
perceived risk in carrying out the Threat Event, perceived level of effort required to impact the

Risk Analysis (O-RA), Version 2.0.1 27

 Asset in the desired way, and/or perceived risk of being caught/punished/harmed. Human Threat
Agents may be deterred in this way while non-human threat actors may not.

Measuring the effect of Deterrent Controls is often challenging. Nonetheless, reasonable,

calibrated estimates can be made to reflect their value.

5.5.1.3 Vulnerability Controls

Vulnerability Controls reduce the probability that a Threat Agent’s action will result in a Loss
Event. In a scenario where the context is a malicious action, Vulnerability Controls generally
focus on increasing the difficulty a Threat Agent faces in their attempts to breach or otherwise
impair an Asset. In a scenario where the context is non-malicious (e.g., human error),
Vulnerability Controls often focus on reducing complexity and/or difficulty faced by personnel
to reduce the probability that their actions will result in harm. In other words, Vulnerability
Controls improve the Resistance Strength of the Asset. Vulnerability Controls are also a Loss
Prevention Control.

Note: Vulnerability Controls are sometimes referred to as “resistive controls”, but this term
tends to exclusively connote controls against malicious acts.

Examples of Vulnerability Controls in an information security context would include:

 Authentication
 Access privileges
 Patching
 Some configuration settings

The effects of Vulnerability Controls are reflected in estimates of either Resistance Strength or
Vulnerability, depending on the level of abstraction of the analysis.

5.5.1.4 Responsive Controls

Responsive Controls are designed to reduce the magnitude of loss that results from a Loss Event.
Therefore, Responsive Controls are a Loss Mitigation Control.

Examples of response controls in an information security context include:

 Backup and restore media and processes
 Forensics capabilities
 Incident response processes
 Credit monitoring for persons whose private information has been compromised

Measurements and estimates regarding the effect of Responsive Controls are applied in the Loss
Magnitude branch of the taxonomy and are reflected as lower monetary Loss Magnitudes.

In closing, for a control to affect risk, it must affect one or more risk factors defined in the Open
FAIR taxonomy. Analysts must evaluate all applicable current-state controls and their overall
effectiveness. Data on these is often available by reviewing the following:

28 The Open Group Standard (2021)

  Audits (technical and regulatory) – audits that evaluate the effectiveness of controls can
provide useful information about the current state and possibly an indication of the
continued state of controls
 Penetration Tests/Security Scans – these exercises can provide useful knowledge of
where controls are present and how effective they may be in preventing a threat action
from materializing into a loss
Some penetration tests also provide good insight into the overall responsiveness of the
organization (with regard to identifying threat actions).

5.5.2 Mapping Open FAIR Controls to the NIST Cybersecurity Framework

The Open FAIR control categories map well to other industry standard methods of categorizing
and conceptualizing security functions. The NIST Cybersecurity Framework (CSF), for
example, defines five functions:5 Identify, Protect, Detect, Respond, and Recover. These five
functions are frequently implemented through physical, administrative, and technical security
controls.

Figure 11: NIST CSF Five Functions

The Open FAIR Avoidance, Deterrent, and Vulnerability Control categories all map to the
Protect function, the function that prevents losses from occurring in the first place.

The Open FAIR Responsive Control category spans across the Detect, Respond, and Recover
functions, those functions that take place once a loss begins to occur.

Security practitioners can categorize controls to the NIST CSF five functions to map how
Controls affect risk.

5.6 Putting It All Together

The previous sections demonstrate a method for analyzing risk. By defining a Loss Scenario,
modeling the risk associated with it using the Open FAIR taxonomy, and gathering estimates for
the factors of the model while considering the specific impacts controls have on those factors, an
analyst can generate probabilistic forecasts of future loss.

While the analyst is responsible for helping the organization understand “How much risk do we
have?”, risk managers and decision-makers must answer different questions: “How does current-

5
NIST CSF five functions: https://www.nist.gov/cyberframework/online-learning/five-functions.

Risk Analysis (O-RA), Version 2.0.1 29

 state risk compare to tolerance, and what, if anything, should be done to reduce probable future
loss from a given Loss Scenario?”.

Doing something about risk consists of implementing controls that either reduce the Loss Event
Frequency (prevent the Loss Scenario from occurring as often) or reduce the Loss Magnitude of
the Loss Event once it has occurred (mitigate the severity of the loss). Analysts model the effects
of these controls by how they affect one or more of the Open FAIR risk factors.

Figure 12 combines the decomposition of the Loss Scenario with the Open FAIR Controls and
Categories as well as the NIST CSF color scheme.

Loss Scenario: From the Primary Stakeholder’s Perspective

Identify
Breach, That That And may (ID)
impair cause Observable has Direct have Reaction F
Threats Assets Consequences from
Loss Event
($) Others ($) U
N
Protect
C
Loss Prevention Controls Loss Mitigation Controls T
(PR)
I
O
Reputation
N

Secondary Loss Event

Detect
Contact Event

Productivity (DE)
Threat Event

Fines &
Judgment C
Loss
Event Replacement A
Response T
Respond
E
Response (RS)
Competitive G
Advantage O
Vulnerability R
Controls Responsive Avoidance, Responsive Y
Avoidance Deterrent Controls Controls Recover
(Vuln, RS) Deterrent,
Controls Controls Vulnerability
(RC)
(CF) (PoA) Controls

Figure 12: Decomposing an Open FAIR Loss Scenario, including the Open FAIR Control
Categories and the NIST CSF Five Functions

30 The Open Group Standard (2021)

6 Risk Analysis Quality Considerations

6.1 Documenting Assumptions and Rationale

When performing an Open FAIR analysis, the estimates are often only as good as the
assumptions and rationale documented along with them. When performing a risk analysis, the
analyst should anticipate that aspects of it might be challenged, especially from stakeholders
who have other assumptions or biases. The assumptions and rationale need to clearly and
concisely define, and must support, any estimates used.

Recall that well-documented assumptions should include the reasoning for the assumption as
well as any sources that contributed to them. Well-documented rationale should state the source
of all estimates. The source may be systems (e.g., logs), groups (e.g., incident response), or
industry data.

Good sources of data are ones which are more objective in nature than subjective. Objective data
is often more defensible and credible than opinion-based data. While any analyst would prefer
objective-based estimates, sometimes good data is missing. When a situation like this arises, it is
not the time to try and “hide” it by poorly documenting the rationale; instead, a credible analyst
should document the missing data and the rationale for what was assumed instead/in addition.

6.2 Diminishing Returns

There are diminishing returns to gathering more data, investigating more data, and drilling
deeper into the Open FAIR taxonomy.

Douglas Hubbard (see Referenced Documents) suggests that:

“The information value curve is usually steepest in the beginning. The first 100 samples reduce
uncertainty much more than the second 100.”

To the risk analyst, this means that there is a diminishing return associated with gathering more
data to support a single model or risk factor estimate. Deeper investigation of a risk factor can
come at an increased cost to the analyst, and the analyst should be aware of this cost/benefit
tradeoff.

There is also a diminishing return to estimating lower levels of the Open FAIR taxonomy. Risk
analysts should estimate the risk factors that have the highest quality of data to support accurate
and usefully precise analyses. When possible, analysts should estimate factors at the highest
levels of the Open FAIR taxonomy. However, when an accurate estimate is not usefully precise
and information is available that informs accurate and usefully precise estimates of lower-level
risk factors, the analyst should decompose the higher-level risk factor into its component sub-
factors and estimate them.

Risk Analysis (O-RA), Version 2.0.1 31

6.3 Capacity and Tolerance for Loss
An organization’s capacity for loss can be interpreted as an objective measure of how much
damage it can incur and still remain solvent. For many organizations, this is a function of its
capital reserves and other tangible resources, as well as its position in the market. For example,
an organization with a large inventory of raw materials has a greater capacity to absorb a
disruption in its supply chain than one that operates on just-in-time delivery of raw materials.

Although an organization may have a high capacity for loss, its management team may not allow
the organization to expose itself to a loss exceeding a substantially lower threshold than the
capacity for loss. That subjective preference and management mandate is the tolerance for loss.
Although there often is a strong correlation between the (objective) capacity for loss and the
(subjective) tolerance for loss, there can be significant differences if executive management is
personally loss averse. For example, a financial institution may have substantial reserves and a
resilient market presence, yet it may act highly averse to loss for management’s personal
business practice, customer demands, market norm, or regulatory reasons.

Ultimately, it is the combination of capacity for loss and tolerance for loss that determines how
an organization perceives and responds to risk.

6.4 Risk Qualifiers

Sometimes, quantitative results do not communicate everything that may be necessary for well-
informed decisions to be made. Within the Open FAIR framework, there are two qualifiers that
can help decision-makers understand subtle considerations not reflected in numeric data: the
Fragile qualifier, and the Unstable qualifier.

The Fragile qualifier is used to represent conditions where the Loss Event Frequency is low in
spite of a high Threat Event Frequency, but only because a single preventative Control exists. In
other words, while the level of risk is low, it is qualified as fragile because the low risk level is
based on a single point of failure. For example, if a single control were all that kept malware-
related losses low, then that could be said to be a fragile condition.

The Unstable qualifier is used to represent conditions where the Loss Event Frequency is low
solely because Threat Event Frequency is low. In other words, no preventative controls exist to
mitigate the frequency of Loss Events. An example might be the risk associated with rogue
database administrators. For most organizations, this is a low Loss Event Frequency condition
but only because it is an inherently low Threat Event Frequency scenario. Should the Threat
Community conditions change, Loss Event Frequency rises due to the absence of any effective
Vulnerability Control.

These qualifiers are intended to compensate for the fact that in some scenarios, if a decision-
maker only looked at the low Loss Event Frequency, they may be lulled into a sense of security
that is not warranted.

6.5 Using Ordinal Scales for Analysis

Ordinal data is a categorical, statistical data type where the variables have natural, ordered
categories and the distances between the categories is not known. Using ordinal scales (e.g., 0-5

32 The Open Group Standard (2021)

 or high, medium, and low) to measure components in a risk analysis, or to categorize overall risk
level, can bring numerous problems:
 Frequently, the meaning of each ordinal value does not carry a tangible, economic
meaning to it; for example, an ordinal scale of 5 meaning “severe” can mean different
things to different people
 Even if ordinal values represent well-defined ranges, they let analysts represent ranges
that span multiple ordinal values; for example, if an ordinal scale starts at 1, defined as a
range of probability from 1-20%, and the ordinal scale 2 is defined as 21-40%, how does
an analyst deal with a range of probability from 15-35%?
 Ordinal numbers cannot validly be used as inputs into mathematical formulas because
they are not ratio values; a “5” is most likely not five times more severe than a “1”
Math combining ordinal values representing Loss Event Frequency and others
representing Loss Magnitude are especially problematic to combine and get meaningful
results.

6.6 Translating Quantitative Results into Qualitative Statements

One of the advantages to quantitative risk analysis is that numbers are dispassionate and, by
themselves, neutral to bias. Of course, decision-makers may not want to take the time to
personally interpret the significance of quantitative results and would prefer a simple red,
yellow, or green label to look at. Fortunately, it can be relatively simple to translate numeric
values to qualitative statements.

These translations should be guided by scales that have been approved by management.

It is inappropriate for risk analysts to define and use qualitative scales that represent their
tolerance for loss or their personal interpretation of what they believe to be the organization’s
tolerance for loss. The challenge, of course, is that management may not be readily available to
formally define risk scales. In this circumstance, the analyst may define a scale they believe is
accurate for the organization and then have the scale reviewed by management for approval.
Table 1: An Example Scale Translating Quantitative Values to Qualitative Labels

Label Average Annualized Loss Exposure

Severe (SV) > $10,000,000

High (H) $1,000,000 to $9,999,999

Moderate (M) $100,000 to $999,999

Low (L) $10,000 to $99,999

Very Low (VL) < $10,000

Using the example scale shown in Table 1, if an analysis resulted in an average annualized loss
exposure of $4.5M, that could be interpreted as high risk.

Risk Analysis (O-RA), Version 2.0.1 33

 Note: Using a qualitative scale to present quantitative results can be misleading. Fragile or
unstable qualifiers do not translate into qualitative statements. Moreover, results
presented qualitatively do not include the ranges used to estimate the quantitative
results. Finally, as described in the previous section, using ordinal scales – even when
well-defined – neglects the nuances that quantitative results include.

6.7 Troubleshooting
When analysts or stakeholders disagree on the results of or a component of an analysis, there are
three recommended techniques to managing the disagreements.

The first technique is to revisit the scoping or rationale within an analysis and determine whether
an assumption has been made which varies from the other analysts or stakeholders. If a
difference is found, this is often easily resolved. If rationale/assumptions are not documented,
the risk analyst cannot troubleshoot or defend their analysis if there are disagreements.

The second technique is to leverage the Open FAIR taxonomy. The taxonomy breaks down the
factors that drive risk. For example, if a disagreement exists regarding estimates made at the
Loss Event Frequency level, stepping down to a lower level of abstraction may allow both sides
to find agreement, and the higher estimate will now be derived.

The third recommended technique is to perform two or more analyses to encompass the
disagreement. As an example, if one analyst believes the Threat Event Frequency is at least once
a year while a second analyst believes the Threat Event Frequency is less frequent, they can
perform analyses using both figures and observe whether there is a significant deviation in the
overall results.

Often, the majority of disagreements will be resolved after approaching the problem using the
first two techniques.

34 The Open Group Standard (2021)

A Business Case

A.1 Risk Management Decision-Making

Risk management is fundamentally about making decisions – decisions about which risk issues
are most critical (prioritization), which risk issues are not worth worrying about (risk
acceptance), and how much to spend on the risk issues that need to be dealt with (budgeting). In
order to be consistently effective in making these decisions, we need to be able to compare the
issues themselves, as well as the options and solutions that are available. In order to compare, we
need to measure, and measurement is predicated upon a solid definition of the things to be
measured. Figure 13 shows these chained dependencies.

More Effective
Management

Informed
Decision Enables

Comparison
Enables

Measurement
Enables

Definition
Enables

Figure 13: Chained Dependencies

To date, the information security profession has been hamstrung by several challenges, the least
of which is inconsistent nomenclature. For example, in some references, software flaws/faults
that could be exploited will be called a “threat”, while in other references these same software
faults will be referred to as a “risk”, and yet other references will refer to them as
“vulnerabilities”. Besides the confusion that can result, this inconsistency makes it difficult if not
impossible to normalize data and develop good metrics.

A related challenge stems from mathematical equations for risk that are either incomplete or
illogical. For example, one commonly cited equation for risk states that:

Risk = (Threat * Vulnerability) / Controls

Risk Analysis (O-RA), Version 2.0.1 35

 Amongst other problems, this equation does not tell us whether Threat means the level of force
being applied or the frequency with which threat events occur. Furthermore, impact (magnitude
of loss) is left out of the equation altogether. As we will touch on shortly, organization
management cares very deeply about the question of Loss Magnitude, and so any risk equation
that ignores impact is going to be meaningless to the very people who need to use risk analyses
to make risk decisions.

These issues have been a major contributor to why the information security profession has
consistently been challenged to find and maintain “a seat at the table” with the other
organizational functions (e.g., finance, marketing). Furthermore, while few people are likely to
become excited with the prospect of yet another set of definitions amongst the many that already
exist, the capabilities that result from a well-designed foundational taxonomy are significant.

Likewise, in order for our profession to evolve significantly, it is imperative that we operate with
a common, logical, and effective understanding of our fundamental problem space. The O-RT
Standard seeks to fill the current void and set the stage for the security profession’s maturation
and growth.

Note: Any attempt to describe the natural world is destined to be incomplete and imprecise to
some degree due to the simple fact that human understanding of the world is, and
always will be, limited. Furthermore, the act of breaking down and categorizing a
complex problem requires that black and white lines be drawn where, in reality, the
world tends to be shades of gray. Nonetheless, this is exactly what human-critical
analysis methods and science have done for millennia, resulting in a vastly improved
ability to understand the world around us, evolve, and accomplish objectives
previously believed to be unattainable.

This document is a current effort at providing the foundational understanding that is necessary
for similar evolution and accomplishment in managing information risk. Without this
foundation, our profession will continue to rely too heavily on practitioner intuition which,
although critically important, is often strongly affected by bias, myth, and commercial or
personal agenda.

36 The Open Group Standard (2021)

 Index
availability event ............................. 15 Resistance Strength ..........................21
average ............................................ 25 Resistance Strength (RS) ..................17
Avoidance Control .......................... 27 Responsive Controls.........................28
calibration .......................................... 9 risk acceptance .................................35
capacity for loss ............................... 32 risk analysis ....................................... 4
confidentiality event ........................ 15 risk assessment .................................. 4
Contact Frequency (CF) .................. 17 risk budgeting ...................................35
Controls ........................................... 26 risk factor variables ........................... 5
Deterrent Controls ........................... 27 risk management ..............................35
distributions ....................................... 4 risk measurement .............................35
estimate ............................................. 8 risk nomenclature .............................35
Fermi Problems ............................... 10 risk prioritization ..............................35
Fragile qualifier ............................... 32 risk qualifiers....................................32
integrity event .................................. 15 scoping .............................................. 4
Loss Event Frequency (LEF)........... 17 Secondary Loss ................................13
loss exceedance result ..................... 25 Secondary Loss Event Frequency
loss frequency .................................... 1 (SLEF) .........................................23
loss magnitude ................................... 1 Secondary Loss Magnitude (SLM) ..23
Loss Magnitude (LM) ..................... 13 Threat Agent ....................................14
Loss Mitigation Control .................. 28 Threat Capability (TCap) .................17
Loss Prevention Control .................. 27 Threat Capability continuum ............21
Loss Scenario .................................. 13 Threat Community ...........................14
maximum/minimum ........................ 25 Threat Event .....................................15
Monte Carlo................................. 4, 12 error ...............................................15
Monte Carlo analysis ....................... 21 failure .............................................15
most likely value ............................. 25 malicious ........................................15
NIST Cybersecurity Framework natural ............................................15
(CSF) .......................................... 29 threat vector......................................15
Personally Identifiable tolerance for loss ..............................32
Information (PII) ......................... 10 troubleshooting.................................34
Primary Loss ................................... 13 Unstable qualifier .............................32
Primary Loss Magnitude (PLM) ..... 22 Vulnerability ....................................20
Primary Stakeholder ........................ 13 Vulnerability Controls ......................28
Probability of Action (PoA) ............ 17 wheel mechanism .............................11
ranges ................................................ 4

Risk Analysis (O-RA), Version 2.0.1 37

The Open Group Standard

Risk Taxonomy (O-RT), Version 3.0.1

Copyright © 2021, The Open Group. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner.
It is fair use of this specification for implementors to use the names, labels, etc. contained within the specification. The intent of
publication of the specification is to encourage implementations of the specification.
This specification has not been verified for avoidance of possible third-party proprietary rights. In implementing this specification,
usual procedures to ensure the respect of possible third-party intellectual property rights should be followed.
Any use of this publication for commercial purposes is subject to the terms of the Annual Commercial License relating to it. For
further information, see www.opengroup.org/legal/licensing.

The Open Group Standard

Risk Taxonomy (O-RT), Version 3.0.1
ISBN: 1-947754-66-9
Document Number: C20B

Published by The Open Group, November 2021.

Comments relating to the material contained in this document may be submitted to:
The Open Group, Apex Plaza, Forbury Road, Reading, Berkshire, RG1 1AX, United Kingdom
or by electronic mail to:
[email protected]

ii The Open Group Standard (2021)

 Contents
1 Introduction ............................................................................................................... 1
1.1 Objective ......................................................................................................... 1
1.2 Overview......................................................................................................... 1
1.3 Conformance................................................................................................... 2
1.4 Normative References..................................................................................... 2
1.5 Terminology ................................................................................................... 3
1.6 Future Directions ............................................................................................ 3

2 Definitions................................................................................................................. 4
2.1 Action ............................................................................................................. 4
2.2 Asset ............................................................................................................... 4
2.3 Contact Event.................................................................................................. 4
2.4 Contact Frequency (CF).................................................................................. 4
2.5 Control ............................................................................................................ 4
2.6 FAIR ............................................................................................................... 4
2.7 Loss Event ...................................................................................................... 5
2.8 Loss Event Frequency (LEF) .......................................................................... 5
2.9 Loss Flow........................................................................................................ 5
2.10 Loss Magnitude (LM) ..................................................................................... 5
2.11 Loss Scenario .................................................................................................. 5
2.12 Primary Stakeholder ....................................................................................... 5
2.13 Probability of Action (PoA) ............................................................................ 5
2.14 Resistance Strength (RS) ................................................................................ 5
2.15 Risk ................................................................................................................. 5
2.16 Risk Analysis .................................................................................................. 6
2.17 Risk Assessment ............................................................................................. 6
2.18 Risk Factors .................................................................................................... 6
2.19 Risk Management ........................................................................................... 6
2.20 Secondary Stakeholder ................................................................................... 6
2.21 Threat .............................................................................................................. 6
2.22 Threat Agent ................................................................................................... 6
2.23 Threat Capability (TCap) ................................................................................ 6
2.24 Threat Community .......................................................................................... 6
2.25 Threat Event.................................................................................................... 7
2.26 Threat Event Frequency (TEF) ....................................................................... 7
2.27 Vulnerability (Vuln) ....................................................................................... 7

3 Risk Management Model .......................................................................................... 8

3.1 Why is a Tightly-Defined Taxonomy Critical? .............................................. 8

4 Technical Requirements .......................................................................................... 10

4.1 Risk Taxonomy Overview ............................................................................ 10
4.2 Risk ............................................................................................................... 11
4.3 Loss Event Frequency (LEF) ........................................................................ 12

Risk Taxonomy (O-RT), Version 3.0.1 iii

 4.3.1 Threat Event Frequency (TEF) ...................................................... 12
4.3.2 Vulnerability (Vuln) ...................................................................... 14
4.3.3 Summary: Loss Event Frequency.................................................. 16
4.4 Loss Magnitude (LM) ................................................................................... 17
4.4.1 Forms of Loss ................................................................................ 18
4.4.2 Loss Flow ...................................................................................... 19
4.4.3 Loss Factors................................................................................... 21
4.4.4 Summary: Loss Magnitude ........................................................... 26

A Risk Taxonomy in the Context of Risk Analysis .................................................... 28

A.1 Complexity of the Model .............................................................................. 28
A.2 Availability of Data ...................................................................................... 29
A.3 Iterative Risk Analyses ................................................................................. 29
A.4 Perspective .................................................................................................... 29

B Practical Use of the Open FAIR Method ................................................................ 30

B.1 The Risk Language Gap ............................................................................... 30
B.2 Key Risk Concepts........................................................................................ 30
B.3 Using the Open FAIR Model with Other Risk Assessment
Frameworks .................................................................................................. 31

iv The Open Group Standard (2021)

 Preface
The Open Group

The Open Group is a global consortium that enables the achievement of business objectives
through technology standards. Our diverse membership of more than 800 organizations includes
customers, systems and solutions suppliers, tools vendors, integrators, academics, and
consultants across multiple industries.

The mission of The Open Group is to drive the creation of Boundaryless Information Flow™
achieved by:
 Working with customers to capture, understand, and address current and emerging
requirements, establish policies, and share best practices
 Working with suppliers, consortia, and standards bodies to develop consensus and
facilitate interoperability, to evolve and integrate specifications and open source
technologies
 Offering a comprehensive set of services to enhance the operational efficiency of
consortia
 Developing and operating the industry’s premier certification service and encouraging
procurement of certified products

Further information on The Open Group is available at www.opengroup.org.

The Open Group publishes a wide range of technical documentation, most of which is focused
on development of Standards and Guides, but which also includes white papers, technical
studies, certification and testing documentation, and business titles. Full details and a catalog are
available at www.opengroup.org/library.

This Document

This document is The Open Group Standard for Risk Taxonomy (O-RT), Version 3.0.1. It has
been developed and approved by The Open Group.

This document provides a standard definition and taxonomy for information security risk, as
well as information regarding how to use the taxonomy. It is a companion document to the Risk
Analysis (O-RA) Standard, Version 2.0.1.

The intended audience for this document includes anyone who needs to understand and/or
analyze a risk condition. This includes, but is not limited to:
 Information security and risk management professionals
 Auditors and regulators
 Technology professionals

Risk Taxonomy (O-RT), Version 3.0.1 v

  Management

Note that this document is not limited to application in the information security space. It can, in
fact, be applied to any risk scenario. This agnostic characteristic enables the O-RT Standard, and
the companion O-RA Standard, to be used as a foundation for normalizing the results of risk
analyses across varied risk domains.

This document is one of several publications from The Open Group dealing with risk
management. Other publications include:
 Risk Analysis (O-RA) Standard, Version 2.0.1
The Open Group Standard (C20A, November 2021)
This document provides a set of standards for various aspects of information security risk
analysis. It was first published in October 2013, and has been revised as a result of
feedback from practitioners using the standard and continued development of the Open
FAIR™ taxonomy.
 Requirements for Risk Assessment Methodologies
The Open Group Guide (G081, January 2009)
This document identifies and describes the key characteristics that make up any effective
risk assessment methodology, thus providing a common set of criteria for evaluating any
given risk assessment methodology against a clearly defined common set of essential
requirements. In this way, it explains what features to look for when evaluating the
capabilities of any given methodology, and the value those features represent.
 Open FAIR™ – ISO/IEC 27005 Cookbook
The Open Group Guide (C103, November 2010)
This document describes in detail how to apply the Open FAIR methodology to ISO/IEC
27002:2005. The Cookbook part of this document enables risk technology practitioners to
follow by example how to apply FAIR to other frameworks of their choice.
 The Open FAIR™ – NIST Cybersecurity Framework Cookbook
The Open Group Guide (G167, October 2016)
This document describes in detail how to apply the Open FAIR factor analysis for
information risk methodology to the NIST Framework for Improving Critical
Infrastructure Cybersecurity (NIST Cybersecurity Framework).
 The Open FAIR™ Risk Analysis Process Guide
The Open Group Guide (G180, January 2018)
This document offers some best practices for performing an Open FAIR risk analysis: it
aims to help risk analysts understand how to apply the Open FAIR risk analysis
methodology.
 How to Put Open FAIR™ Risk Analysis Into Action: A Cost-Benefit Analysis of
Connecting Home Dialysis Machines Online to Hospitals in Norway
The Open Group White Paper (W176, May 2017)
This document offers an Open FAIR analysis of security and privacy risks and compares
those risks to the likely benefits of connecting home dialysis machines online to hospitals.

vi The Open Group Standard (2021)

  The Open FAIR™ Risk Analysis Tool Beta
(I181, January 2018)
This analysis tool can be used to perform a quantitative Open FAIR risk analysis as
defined in the O-RA and O-RT Standards. It is provided in the form of a Microsoft®
Excel® spreadsheet.
 The Open FAIR™ Tool with SIPmath™ Distributions: Guide to the Theory of
Operation
The Open Group Guide (G181, January 2018)
This document defines the algorithms that can be used to produce an acceptable
implementation of the O-RA Standard.

Differences from Version 2.0 of the Standard

This document includes changes to the O-RT Standard that have evolved since the original
document was published. These changes came about as a result of feedback from practitioners
using the standard:
 “Accomplish Assigned Mission” as a possible action taken by a Threat Agent was
removed – it could apply to any of the other actions and be a component of any of them,
but it is not its own action
 The external loss factor “Detection” was changed to “External Party Detection” and the
organizational loss factor “Due Diligence” was changed to “Reasonable Care”
 The quantitative example that utilized a qualitative scale has been removed
 Open FAIR terms and definitions were clarified

Risk Taxonomy (O-RT), Version 3.0.1 vii

 Trademarks
ArchiMate, DirecNet, Making Standards Work, Open O logo, Open O and Check Certification
logo, Platform 3.0, The Open Group, TOGAF, UNIX, UNIXWARE, and the Open Brand X logo
are registered trademarks and Boundaryless Information Flow, Build with Integrity Buy with
Confidence, Commercial Aviation Reference Architecture, Dependability Through Assuredness,
Digital Practitioner Body of Knowledge, DPBoK, EMMM, FACE, the FACE logo, FHIM
Profile Builder, the FHIM logo, FPB, Future Airborne Capability Environment, IT4IT, the IT4IT
logo, O-AA, O-DEF, O-HERA, O-PAS, Open Agile Architecture, Open FAIR, Open Footprint,
Open Process Automation, Open Subsurface Data Universe, Open Trusted Technology Provider,
OSDU, Sensor Integration Simplified, SOSA, and the SOSA logo are trademarks of The Open
Group.

Microsoft and Excel are registered trademarks of Microsoft Corporation in the United States
and/or other countries.

SIPmath is a trademark of ProbabilityManagement.org.

All other brands, company, and product names are used for identification purposes only and may
be trademarks that are the sole property of their respective owners.

viii The Open Group Standard (2021)

 Acknowledgements
The Open Group gratefully acknowledges the contribution of the following people in the
development of this document:
 Chris Carlson, C T Carlson LLC
 Jack Freund, Cyber Assessments, Inc.
 Mike Jerbic, Trusted Systems Consulting Group
 Eva Kuiper, The Open Group Invited Expert
 John Linford, Security Forum & OTTF Forum Director, The Open Group
 David Musselwhite, RiskLens
 Tyanna Smith, Trusted Systems Consulting Group

The Open Group gratefully acknowledges the contribution of members of The Open Group
Security Forum, and the following people in the development of earlier versions of this
document:
 Alex Hutton
 Jack Jones

Risk Taxonomy (O-RT), Version 3.0.1 ix

 Referenced Documents
The following documents are referenced in this standard.

(Please note that the links below are good at the time of writing but cannot be guaranteed for the
future.)
 ISO Guide 73:2009, Risk Management – Vocabulary, November 2009; refer to
https://www.iso.org/standard/44651.html
 ISO 31000:2018, Risk Management – Guidelines, February 2018; refer to
https://www.iso.org/standard/65694.html
 Risk Analysis (O-RA) Standard, Version 2.0.1, The Open Group Standard (C20A),
November 2021, published by The Open Group; refer to:
www.opengroup.org/library/c20a

x The Open Group Standard (2021)

1 Introduction

1.1 Objective
The objective of the Risk Taxonomy (O-RT) Standard is to provide a single logical and rational
taxonomical framework for anyone who needs to understand and/or analyze information security
risk.

This document can and should be used to:

 Educate information security, risk, and audit professionals
 Establish a common language for the information security and risk management
profession
 Introduce rigor and consistency into analysis, which sets the stage for more effective risk
modeling
 Explain the basis for risk analysis conclusions
 Strengthen existing risk assessment and analysis methods
 Create new risk assessment and analysis methods
 Evaluate the efficacy of risk assessment and analysis methods
 Establish metric standards and data sources

1.2 Overview
This document provides a taxonomy describing the factors that drive risk – their definitions and
relationships. Each factor that drives risk is identified and defined. Furthermore, the
relationships between factors are described so that mathematical functions can be defined and
used to perform quantitative calculations.

This document is limited to describing the factors that drive risk and their relationships to one
another. Measurement scales and specific assessment methodologies are not included because
there are a variety of possible approaches to those aspects of risk analysis, with some approaches
being better suited than others to specific risk problems and analysis objectives.

This document does not address how to assess or analyze risk.1 This document also does not
cover those elements of risk management that pertain to strategic and tactical risk decisions and
execution.

1
Refer to the separate standard for performing risk analysis: the Risk Analysis (O-RA) Standard; see Referenced Documents.

Risk Taxonomy (O-RT), Version 3.0.1 1

 This document should be used as a foundational reference of the problem space the profession is
tasked with helping to manage; i.e., risk. Based on this foundation, methods for analyzing,
calculating, communicating about, and managing risk can be developed.

Risk analysts can choose to make their measurements and/or estimates at any level of abstraction
within the taxonomy. For example, rather than measure Contact Frequency, the analyst could
move up a layer of abstraction and instead measure Threat Event Frequency. This choice may be
driven by the nature or volume of data that is available, or the time available to perform the
analysis (i.e., analyses at deeper layers of abstraction take longer).

Although the terms “risk” and “risk management” mean different things to different people, this
document is intended to be applied toward the problem of managing the frequency and
magnitude of loss that arises from a threat (whether human, animal, or natural event). In other
words, managing “how often bad things happen, and how bad they are when they occur”.

In the overall context of risk management, it is important to appreciate that the business
objective in performing risk assessments is to identify and estimate levels of exposure to the
likelihood of loss, so that business managers can make informed business decisions on how to
manage those risks of loss – either by accepting each risk, or by mitigating it – through investing
in appropriate internal protective measures judged sufficient to lower the potential loss to an
acceptable level, or by investing in external indemnity. Critical to enabling good business
decision-making therefore is to use risk assessment methods which give objective, meaningful,
consistent results.

Fundamental to risk assessments is a sound approach:

You can't effectively and consistently manage what you can't measure,
and you can't measure what you haven't defined.

The problem here is that a variety of definitions exist, but the risk management community has
not yet adopted a consistent definition for even the most fundamental terms in its vocabulary;
e.g., threat, vulnerability, even risk itself. Without a sound common understanding of what risk
is, what the factors are that drive risk, and a standard use of the terms used to describe it, risk
analysts cannot be effective in delivering meaningful, comparable risk assessment results. This
document provides the necessary foundation vocabulary, based on a fundamental analysis of
what risk is, and then shows how to apply it to produce the objective, meaningful, and consistent
results that business managers need.

1.3 Conformance
Refer to The Open Group website for conformance requirements for this document.

1.4 Normative References

The following standards contain provisions which, through references in this standard, constitute
provisions of the Risk Taxonomy (O-RT) Standard. At the time of publication, the editions
indicated were valid. All standards are subject to revision, and parties to agreements based on
this standard are encouraged to investigate the possibility of applying the most recent editions of
the standards listed below. Members of IEC and ISO maintain registers of currently valid
International Standards.

2 The Open Group Standard (2021)

  Risk Analysis (O-RA) Standard, Version 2.0.1, The Open Group Standard (C20A),
November 2021, published by The Open Group; refer to:
www.opengroup.org/library/c20a

1.5 Terminology
For the purposes of this document, the following terminology definitions apply:

Can Describes a possible feature or behavior available to the user or application.

May Describes a feature or behavior that is optional. To avoid ambiguity, the opposite of
“may” is expressed as “need not”, instead of “may not”.

Shall Describes a feature or behavior that is a requirement. To avoid ambiguity, do not

use “must” as an alternative to “shall”.

Shall not Describes a feature or behavior that is an absolute prohibition.

Should Describes a feature or behavior that is recommended but not required.

Will Same meaning as “shall”; “shall” is the preferred term.

1.6 Future Directions

None.

Risk Taxonomy (O-RT), Version 3.0.1 3

2 Definitions

For the purposes of this standard, the following terms and definitions apply. Merriam-Webster’s
Collegiate Dictionary2 should be referenced for terms not defined in this section.

2.1 Action
An act taken against an Asset by a Threat Agent. Requires first that contact occurs between the
Asset and Threat Agent.

2.2 Asset
The information, information system, or information system component that is breached or
impaired by the Threat Agent in a manner whereby its value is diminished or the act introduces
liability to the Primary Stakeholder.

2.3 Contact Event

Occurs when a Threat Agent establishes a physical or virtual (e.g., network) connection to an
Asset.

2.4 Contact Frequency (CF)

The probable frequency, within a given timeframe, that a Threat Agent will come into contact
with an Asset.

2.5 Control
Any person, policy, process, or technology that has the potential to reduce the Loss Event
Frequency (LEF) – Loss Prevention Controls – and/or Loss Magnitude (LM) – Loss Mitigation
Controls.

2.6 FAIR
Factor Analysis of Information Risk.

2
Merriam Webster: https://www.merriam-webster.com/.

4 The Open Group Standard (2021)

2.7 Loss Event
Occurs when a Threat Agent’s action (Threat Event) is successful in breaching or impairing an
Asset.

2.8 Loss Event Frequency (LEF)

The probable frequency, within a given timeframe, that a Threat Agent will inflict harm upon an
Asset.

2.9 Loss Flow

The structured decomposition of how losses materialize when a Loss Event occurs.

2.10 Loss Magnitude (LM)

The probable magnitude of loss resulting from a Loss Event.

2.11 Loss Scenario

The story of loss that forms a sentence from the perspective of the Primary Stakeholder.

2.12 Primary Stakeholder

The person or organization that owns or is accountable for an Asset.

2.13 Probability of Action (PoA)

The probability that a Threat Agent will act against an Asset once contact occurs.

2.14 Resistance Strength (RS)

The strength of a Control as compared to the probable level of force (as embodied by the time,
resources, and technological capability; measured as a percentile) that a Threat Agent is capable
of applying against an Asset.

2.15 Risk
The probable frequency and probable magnitude of future loss.

Risk Taxonomy (O-RT), Version 3.0.1 5

2.16 Risk Analysis
The process to comprehend the nature of risk and determine the level of risk. [Source: ISO
Guide 73:2009]

2.17 Risk Assessment

The overall process of risk identification, risk analysis, and risk evaluation. [Source: ISO Guide
73:2009]

2.18 Risk Factors

The individual components that determine risk, including Loss Event Frequency, Loss
Magnitude, Threat Event Frequency, etc.

2.19 Risk Management

Coordinated activities to direct and control an organization with regard to risk. [Source: ISO
Guide 73:2009]

2.20 Secondary Stakeholder

Individuals or organizations that may be affected by events that occur to Assets outside of their
control. For example, consumers are Secondary Stakeholders in a scenario where their personal
private information may be inappropriately disclosed or stolen.

2.21 Threat
Anything that is capable of acting in a manner resulting in harm to an Asset and/or organization;
for example, acts of God (weather, geological events, etc.), malicious actors, errors, failures.

2.22 Threat Agent

Any agent (e.g., object, substance, human) that is capable of acting against an Asset in a manner
that can result in harm.

2.23 Threat Capability (TCap)

The probable level of force (as embodied by the time, resources, and technological capability)
that a Threat Agent is capable of applying against an Asset.

2.24 Threat Community

A subset of the overall Threat Agent population that shares key characteristics.

6 The Open Group Standard (2021)

2.25 Threat Event
Occurs when a Threat Agent acts against an Asset.

2.26 Threat Event Frequency (TEF)

The probable frequency, within a given timeframe, that a Threat Agent will act against an Asset.

2.27 Vulnerability (Vuln)

The probability that a Threat Event will become a Loss Event; probability that Threat Capability
is greater than Resistance Strength. (Synonym: Susceptibility)

Risk Taxonomy (O-RT), Version 3.0.1 7

3 Risk Management Model

Per ISO Guide 73:2009 (see Referenced Documents), risk management refers to the
“coordinated activities to direct and control an organization with regard to risk”. A risk
assessment is the “overall process of risk identification, risk analysis, and risk evaluation”, and
risk analysis refers to the “process to comprehend the nature of risk and determine the level of
risk”.

Risk Governance/Organizational Oversight

Risk Management

Risk Assessment

Risk Risk
Risk Evaluation Risk Treatment Risk Monitoring
Identification Analysis

Figure 1: Risk Analysis in Context

This document expands on this to add that all risk assessment approaches should include:
 An effort to clearly identify and characterize the assets, threats, controls, and impact/loss
elements at play within the risk scenario being assessed
 An understanding of the organizational context for the analysis; i.e., what is at stake from
an organizational perspective, particularly with regard to the organization’s leadership
perspective
 Measurement and/or estimation of the various risk factors
 Calculation of risk
 Communication of the risk results to decision-makers in a form that is meaningful and
useful

An Open FAIR risk analysis fits the Risk Analysis component described by ISO Guide 73:2009
and allows decision-makers to prioritize their consistently defined and identified risks but
crucially adds the communication component, which distinguishes the risk assessment approach
defined above and the risk analysis approach defined in the O-RA Standard (see Referenced
Documents).

3.1 Why is a Tightly-Defined Taxonomy Critical?

Without a logical, tightly defined taxonomy, risk assessment approaches will be significantly
impaired by an inability to measure and/or estimate risk factor. This, in turn, means that

8 The Open Group Standard (2021)

 management will not have the necessary information for making well-informed comparisons and
choices, which will lead to inconsistent and often cost-ineffective risk management decisions.

This concept can be illustrated in what is referred to as a “risk management stack”, showing the
relationship between these elements; see Figure 2.
Effective Management
↑
Well-Informed Decisions
↑
Effective Comparisons
↑
Meaningful Measurements
↑
Accurate Risk Model

Figure 2: Risk Management Stack

As with similar relational constructs, it becomes immediately apparent that failures at lower
levels of the stack cripple the ability to achieve effectiveness at higher levels.

Risk Taxonomy (O-RT), Version 3.0.1 9

4 Technical Requirements

4.1 Risk Taxonomy Overview

In this document, “risk” is defined as the probable frequency and probable magnitude of future
loss; this is also known as the “loss exposure” that a Primary Stakeholder will bear within some
defined time period. Risk is measured by making forward-looking estimates of the probable
frequency and the probable magnitude of a loss should it occur, and it is measured and managed
from the perspective of the Primary Stakeholder, the party who bears the economic loss of the
adverse events. To further refine risk and its components, the complete risk taxonomy develops
the two sub-factors of risk: Loss Event Frequency and Loss Magnitude, as shown in Figure 3.

Risk

Loss Event
Loss Magnitude
Frequency

Threat Event Primary Loss

Vulnerability Secondary Loss
Frequency Magnitude

Contact Probability of Resistance Secondary Loss Secondary Loss

Threat Capability
Frequency Action Strength Event Frequency Magnitude

Figure 3: High-Level Risk Taxonomy Abstractions

Figure 3 is not comprehensive, as deeper layers of abstraction exist that are not shown. Some of
these deeper layers are discussed further on in this document, and theoretically, the layers of
abstraction may continue indefinitely, much like the layers of abstraction that exist in the
understanding of physical matter (e.g., molecules, atoms, particles). The deeper layers of
abstraction can be useful for understanding but are not always necessary to perform effective
analyses.

Moreover, the factors within the Loss Event Frequency side of the taxonomy have relatively
clean and clear cause-and-effect relationships with one another, which simplifies calculation.
Factors within the Loss Magnitude side of the taxonomy, however, have much more complicated
relationships that defy simple calculation. As a result, Loss Magnitude measurements and
estimates generally are aggregated by loss type (e.g., $xxx of productivity loss, plus $yyy of
legal fines and judgments).

The Open FAIR risk factors are assumed to be independently identically distributed.

10 The Open Group Standard (2021)

4.2 Risk
In this document, “risk” is defined as the probable frequency and probable magnitude of future
loss (also known as “loss exposure”).

Note: This document defines risk as resulting in a loss; it does not consider speculative risk
that may generate either a loss or a gain (e.g., as presented in ISO 31000, see
Referenced Documents).

A risk measurement is an estimate of the likelihood and impact of adverse events (losses).
Measuring risk is never a prediction of whether some adverse event will occur – such as an
earthquake will destroy a data center causing a loss of $1M within the next year – but instead is
an estimate of the likelihood or probability of that adverse event happening within the year and
the range of economic damage from that event.

Risk measurements are accurate if the actual result (how much earthquake damage occurred
within a year) measured at the end of the year lies within the range of the estimate. A risk
measurement of earthquake risk would be a reasoned, defensible analysis whose results are
something like, “There is between a 10% to 20% probability of an earthquake damaging the data
center with damage of between $1,000 and $5,000,000”. That estimate will either be found
accurate or inaccurate after the next year, five years, ten years, or twenty years when losses from
the earthquake are observed.

Analyzing risk requires differentiating between possibility and probability. Possibility can be
thought of as binary: something is possible, or it is not. Probability, however, is a continuum that
addresses the area between certainty and impossibility. Because risk is invariably a matter of
future events, there is always some amount of uncertainty, which means executives cannot
choose or prioritize effectively based upon statements of possibility. Effective risk decision-
making can only occur when information about probabilities is provided.

Moreover, risk analyses should not be considered predictions of the future. The word
“prediction” implies a level of certainty that rarely exists in the real world, and does not help
people understand the probabilistic nature of analysis. For decision-makers, even though it is
impossible to know which roll of the dice will come up, knowing that the probability is 1-in-36
is valuable information.

With this as a starting point, the first two risk factors are loss frequency and magnitude of loss.
In this document, these are referred to as Loss Event Frequency and Loss Magnitude,
respectively.

Risk

Loss Event
Loss Magnitude
Frequency

Figure 4: Risk

Risk Taxonomy (O-RT), Version 3.0.1 11

4.3 Loss Event Frequency (LEF)
Loss Event Frequency is the probable frequency, within a given timeframe, that a Threat Agent
will inflict harm upon an Asset.

For a Loss Event to occur, a Threat Agent has to act upon an Asset, such that loss results, which
leads to the next two factors: Threat Event Frequency and Vulnerability.

Risk

Loss Event
Loss Magnitude
Frequency

Threat Event
Vulnerability
Frequency

Figure 5: Loss Event Frequency

Note: The Loss Event Frequency of an event that can only occur once is specified as a
probability within a specific timeframe (event X is 10% likely to occur over the next Y
months) because almost any event is possible, and if it is possible, given enough time,
the event will occur.

4.3.1 Threat Event Frequency (TEF)

Threat Event Frequency is the probable frequency, within a given timeframe, that a Threat Agent
will act against an Asset.

The only difference between this definition and the definition for Loss Event Frequency above is
that the definition for Threat Event Frequency does not include whether Threat Agent actions are
successful. In other words, Threat Agents may act against Assets but be unsuccessful in
breaching or otherwise impairing the Asset. A common example of a malicious Threat Event
(where harm or abuse is intended) would be the hacker who unsuccessfully attacks a web server.
Such an attack would be considered a Threat Event, but not a Loss Event. An example of a non-
malicious Threat Event would be a data center technician tripping over a system’s power cord.
The act of tripping would be the Threat Event, but a Loss Event would only occur if the
technician unplugged the cord (or, depending on the scenario under analysis, if the technician
were injured).

This definition also provides the two factors that drive Threat Event Frequency: Contact
Frequency and Probability of Action.

12 The Open Group Standard (2021)

 Risk

Loss Event
Loss Magnitude
Frequency

Threat Event
Vulnerability
Frequency

Contact Probability of
Frequency Action

Figure 6: Threat Event Frequency

4.3.1.1 Contact Frequency (CF)

Contact Frequency is the probable frequency, within a given timeframe, that a Threat Agent will
come into contact with an Asset. A Threat Agent coming into contact with the Asset is referred
to as a Contact Event.

Contact can be physical or “logical” (e.g., over the network). Regardless of contact mode, three
types of contact can occur:
 Random – the Threat Agent “stumbles upon” the Asset during the course of unfocused or
undirected activity
 Regular – contact occurs because of the regular actions of the Threat Agent; for example,
if a cleaning crew regularly comes by at 5:15pm, leaving cash on top of the desk during
that timeframe sets the stage for contact
 Intentional – the Threat Agent seeks out specific targets

Each of these types of contact is driven by various factors. A useful analogy is to consider a
container of fluid containing two types of suspended particles – threat particles and asset
particles. The probability of contact between members of these two sets of particles is driven by
various factors, including:
 Size (surface area) of the particles
 The number of particles
 Volume of the container
 How active the particles are
 Viscosity of the fluid
 Whether particles are attracted to one another in some fashion, etc.

4.3.1.2 Probability of Action (PoA)

Probability of Action is the probability that a Threat Agent will act against an Asset once contact
occurs.

Risk Taxonomy (O-RT), Version 3.0.1 13

 Once contact occurs between a Threat Agent and an Asset, action against the Asset may or may
not take place. For some Threat Agent types, action always takes place. For example, if a
tornado comes into contact with a house, action is a foregone conclusion. Action is only in
question when considering “thinking” Threat Agents, such as humans and other animals, and
artificially intelligent Threat Agents, such as malicious programs (which are extensions of their
human creators).

The probability that an intentional act will take place – in other words, whether a Threat Agent
will deliberately contact an Asset – is driven by three primary factors:
 Value – the Threat Agent’s perceived value proposition from performing the act
 Level of effort – the Threat Agent’s expectation of how much effort it will take to
accomplish the act
 Risk of detection/capture – the probability of negative consequences to the Threat
Agent; for example, the probability of getting caught and suffering unacceptable
consequences for acting maliciously

4.3.2 Vulnerability (Vuln)

Vulnerability, or its synonym susceptibility, is the probability that a Threat Event becomes a
Loss Event.

In stricter terms, Vulnerability is the conditional probability of a Loss Event given a Threat
Event. This definition of Vulnerability is identical to saying that the probability that the Threat
Agent’s force applied (the Threat Capability) against the Asset in a specific Loss Scenario
exceeds the Resistance Strength of the Controls protecting that Asset.

This means that there are two ways to estimate Vulnerability, and each way arrives at the same
result:
 If Threat Event Frequency and Loss Event Frequency data is available or estimated
directly, Vulnerability can be observed (or estimated) as the fraction of Threat Events that
become Loss Events
 Vulnerability can also be derived from knowing or estimating the Threat Capability and
the Asset’s Resistance Strength to that Threat Capability and then estimating or simulating
the probability that the Threat Capability exceeds Resistance Strength

14 The Open Group Standard (2021)

 Risk

Loss Event
Loss Magnitude
Frequency

Threat Event
Vulnerability
Frequency

Contact Probability of Resistance

Threat Capability
Frequency Action Strength

Figure 7: Vulnerability

Vulnerability is always relative to the type of force and vector involved: the Vulnerability of an
information Asset depends upon the Loss Scenario being analyzed. As an analogy to an
information Asset’s Vulnerability to some specific Loss Scenario, the tensile strength of a rope
is pertinent only if the Threat Agent’s force is a weight applied along the length of the rope.
Tensile strength does not generally apply to a scenario where the Threat Agent is fire, chemical
erosion, etc. Likewise, a computer anti-virus product does not reduce the Vulnerability of a
payment system from an internal employee seeking to perpetrate fraud. Open FAIR risk
analysts, therefore, evaluate Vulnerability in the context of specific threat types facing the
information Asset and Control types protecting the Asset.

Because Vulnerability is a probability, an Asset cannot be more than 100% vulnerable to

damage by any specific Threat Agent/threat vector combination. Vulnerability can exist such
that harm can occur from more than one Threat Agent through more than one threat vector, but
each of those represents a different potential Threat Event. For example, if a person is walking
down the street at night in a particularly dangerous part of town, they are vulnerable to multiple
potential Threat Events; for example, being run over by a car, being mugged, or being the victim
of a drive-by shooting. The probability of occurrence for any one of these Threat Events cannot
exceed 100% (certainty), but the aggregate risk of loss is certainly greater due to the multiple
Loss Scenarios that could occur.

4.3.2.1 Threat Capability (TCap)

Threat Capability is the probable level of force (as embodied by the time, resources, and
technological capability) that a Threat Agent is capable of applying against an Asset.

Attackers exist on a continuum of skills and resources, including at one end of the continuum
attackers with little skill, little experience, and a low level of determination, to the other end with
highly skilled, experienced, and determined attackers. The Threat Capability continuum
describes attackers as existing at various percentiles, where the 25th percentile of Threat Agents
are less skilled and able than the 50th percentile of Threat Agents who are less skilled and able
than the 99th percentile of Threat Agents.

Threat Agents within a single Threat Community will not have the same capabilities. Therefore,
the probability of the most capable Threat Agent acting against an Asset is something less than

Risk Taxonomy (O-RT), Version 3.0.1 15

 100%. Depending upon the Threat Community under analysis, and other conditions within the
scenario, the probability of encountering a highly capable Threat Agent may be remote.

Information security professionals and risk analysts often struggle with the notion of considering
Threat Agent capability as a percentile of a Threat Community, resulting in a probability,
perhaps only a remote one, that only the most capable threat is attacking that Asset. Many
analysts and decision-makers, instead, tend to gravitate toward focusing on the worst case, but
focusing solely on the worst case is to think in terms of possibility rather than probability.

Some Threat Agents may be proficient in applying one type of force but incompetent at others.
For example, a network engineer may be proficient at applying technological forms of attack but
relatively incapable of executing complex accounting fraud.

4.3.2.2 Resistance Strength (RS)

Resistance Strength is the strength of a Control as compared to the probable level of force (as
embodied by the time, resources, and technological capability; measured as a percentile) that a
Threat Agent is capable of applying against an Asset.

Attackers exist on a continuum of skills and resources, and Resistance Strength measures the
strength of a Control as compared to that percentile of attackers, specifically measuring the
percentile of attackers that the Asset’s Control(s) can be expected to resist.

As an analogy to the strength of an information security control, a rope’s tensile strength rating
provides an indication of how much force it is capable of resisting. The baseline measure
(Resistance Strength) for this rating is Pounds per Square Inch (PSI), which is determined by the
rope’s design and construction. This Resistance Strength rating does not change when the rope is
put to use. Regardless of whether there is a 10-pound weight on the end of the 500-PSI rope or a
2,000-pound weight, the Resistance Strength does not change.

Information security controls, however, do not have a baseline scale for force that is as well-
defined as PSI. Password strength is a simple example of how to approach this. It is possible to
estimate that a password eight characters long, comprised of a mixture of upper and lowercase
letters, numbers, and special characters, will resist the cracking attempts of some percentage of
the general Threat Agent population. Therefore, password Resistance Strength can be
represented as this percentile. (Recall that Resistance Strength is relative to a particular type of
force – in this case, cracking.)

Vulnerability is determined by comparing the Resistance Strength against the capability of the
specific Threat Community under analysis and assessing the probability that the Threat
Capability will exceed the Resistance Strength. For example, password Resistance Strength may
be estimated at the 80th percentile, yet the Threat Community within a scenario might be
estimated to have better than average capabilities, such as in the 90th percentile range.

4.3.3 Summary: Loss Event Frequency

Loss Event Frequency is the probable number of Loss Events within a given time period,
expressed as a distribution. Loss Event Frequency is composed of several sub-factors, as shown
in Table 1.

16 The Open Group Standard (2021)

 Table 1: Loss Event Frequency Factors

Loss Event
Frequency Factor Description Unit of Measure

Loss Event Frequency Probable number of economic losses Events per unit time (e.g., events per
within a given time period year); or the probability of a single Loss
Event in a given timeframe (e.g., 20%
chance within the next year)

Threat Event Frequency Probable number of Threat Agent Events per unit time (e.g., events per
attempts at creating a loss within a year); or the probability of a single
given time period Threat Event in a given timeframe (e.g.,
20% chance within the next year)

Vulnerability Probability that a Threat Event Probability (between 0-1 or measured as

becomes a Loss Event; probability a percentage, between 0 and 100%)
that Threat Capability is greater than
Resistance Strength
(Synonym: Susceptibility)

Contact Frequency Probable number of times a Threat Events per unit time (e.g., events per
Agent contacts the stakeholder’s year); or the probability of a single
Asset within a given time period Contact Event in a given timeframe
(e.g., 20% chance within the next year)

Probability of Action Probability that a Contact Event Probability (between 0-1 or measured as
becomes a Threat Event a percentage, between 0 and 100%)

Threat Capability The relative ranking of a Threat Percentile (0-100)

Agent’s skill, resources, and time
within a Threat Community

Resistance Strength The ability to resist a Threat Percentile (0-100)

Community’s range of skills,
resources, and time

4.4 Loss Magnitude (LM)

The Open FAIR method defines risk as the probable frequency and probable magnitude of future
loss. The previous section introduced the factors that drive the probability of Loss Events
occurring. This section describes the other half of the risk equation – the factors that drive Loss
Magnitude when events occur.

Loss Magnitude is the probable magnitude of economic loss resulting from a Loss Event
(measured in units of currency). Loss Magnitude is expressed as a distribution of losses, not a
single value for loss, and is always evaluated from the perspective of the Primary Stakeholder,
the party that bears the economic loss from the Loss Event.

Historically, data regarding Loss Magnitude have been scarce. Many organizations still do not
measure losses when events occur, and those that do often limit their analyses to the “easy stuff”

Risk Taxonomy (O-RT), Version 3.0.1 17

 (e.g., person-hours, equipment replacement). Furthermore, the lack of a standard taxonomy has
made it difficult to normalize data across organizations.

Because Loss Magnitude can be difficult to estimate, analysts frequently exclude analyzing it,
assess only possible, speculative worst-case outcomes, or model losses with tools that are
deceptively precise. Excluding Loss Magnitude from an analysis means the analyst is not
analyzing risk: risk always has a loss component. Citing worst-case possibilities alone removes
the probability element from the analysis – by definition, risk is a combination of the probability
of a loss along with its magnitude. Computational modeling tools that present risk results with a
precision that cannot be supported by the precision of the modeled risk factors give decision-
makers an inaccurately high understanding of the certainty inherent in the analysis.

In general, the majority of losses associated with information systems are small, but there is still
the remote chance of a large loss, usually described by a Loss Magnitude distribution having a
“fat tail”, as shown in Figure 8.

Figure 8: A Typical Loss Magnitude Distribution

4.4.1 Forms of Loss

The potential for loss stems from the value of the affected Asset(s) and/or the liability it
introduces to an organization. For example, customer information provides value through its role
in generating revenue for a commercial organization or services for a public organization, and
that same information could introduce liability to the organization if a legal duty exists to protect
it or if customers have an expectation that the information about them will be appropriately
protected.

Six forms of loss are defined within this document:

 Productivity – direct losses associated with the reduction in an organization’s ability to
generate its primary value proposition (e.g., income, goods, services); it may also include
costs associated with personnel who are unable to perform their duties but who continue
to collect their paycheck (e.g., a call center’s phone lines are down, but personnel continue
to be paid); it accounts for the loss of revenue due to operational outages and
discontinuation (e.g., revenue lost when a retail website is unavailable due to a system
outage); and it includes costs associated with the impaired productivity of personnel (e.g.,
increased costs from switching from automated to manual methods)
— Lost revenue is not delayed revenue; for example, when a retail website goes down
some proportion of its customers may wait to perform their transactions rather than use
a different retailer – the sales and marketing departments in most organizations will
have reliable data to inform these estimates

18 The Open Group Standard (2021)

  Response – direct expenditures associated with managing a Loss Event (e.g., internal or
external person-hours, logistical expenses, legal defense, public relations expenses)
 Replacement – direct expenditures associated with replacing an Asset; typically
represented as the expense associated with replacing lost or damaged Assets (e.g.,
rebuilding a facility, purchasing a replacement laptop, replacing a terminated employee,
covering the losses experienced by fraud)
 Fines and Judgments – direct expenditures associated with legal or regulatory actions
levied against an organization, including settlements and bail for any organization
members who are arrested
 Competitive Advantage – future estimated business losses associated with a diminished
competitive position, specifically associated with Assets that provide competitive
differentiation (e.g., lower production cost, higher quality, advanced capabilities) between
the organization and its competition
— Within the commercial world, examples would include operational efficiencies, trade
secrets, merger and acquisition plans, etc.
— Outside the commercial world, examples would include military secrets, secret
alliances, etc.
 Reputation – future estimated business losses associated with an external stakeholder’s
perception that an organization’s value proposition is diminished and/or that the
organization represents liability to the stakeholder; this accounts for any reduction in
revenue due to lost market share and typically materializes as reduced market share (for
commercial organizations), reduced stock price (for publicly traded companies), reduced
willingness to cooperate in joint ventures, or an increased cost of capital

4.4.2 Loss Flow

Once a Loss Event begins, there are two stages to the loss from the perspective of Loss
Magnitude: the Primary Loss and the Secondary Loss. Loss Flow is the structured
decomposition of how losses materialize when a Loss Event occurs. Loss Flow incorporates the
following:
 A Threat Agent acts against an Asset (the Threat Event)
 This Threat Event directly affects the Primary Stakeholder in terms of productivity loss,
response costs, etc. – this is the Primary Loss Event
 Sometimes this Primary Loss Event also has an effect on Secondary Stakeholders, such as
customers, regulators, media, etc., who may react against the Primary Stakeholder
 When Secondary Stakeholders react against a Primary Stakeholder, they act as new Threat
Agents against the organization’s Assets (such as reputation, legal fees, etc.), which again
affects the Primary Stakeholder – this is referred to as the Secondary Loss Event.

A couple of things to recognize:

 Secondary Losses are always predicated upon a Primary Loss

Risk Taxonomy (O-RT), Version 3.0.1 19

  Although called “Secondary Stakeholders”, they are most accurately viewed as
“Secondary Threat Agents” when they begin acting against the Primary Stakeholder’s
Assets

For example, if a Payment Processor (Primary Stakeholder) suffers a breach, it must respond and
recover from that breach. Costs incurred while recovering from the breach are Primary Losses.
However, consumers who have credit fraud committed against them due to the breach also suffer
indirect consequential harm. When those consumers (Secondary Stakeholders) demand relief
from the Payment Processor, those consumers become new Threat Agents trying to cause harm
against the Payment Processor, usually by “attacking” its financial Assets through a lawsuit. In
this case, the Payment Processor may expend resources to provide credit monitoring to those
affected consumers to mitigate additional Secondary Losses. This is an example of a Primary
Loss (response and recovery from the initial breach) followed in time by a Secondary Loss
(credit monitoring and exposure to a lawsuit’s fine).

4.4.2.1 Primary Loss

The first phase of the Loss Event, referred to as Primary Loss, occurs directly as a result of the
Threat Agent’s action upon the Asset. The owner of the affected Assets would be considered the
Primary Stakeholder in an analysis (e.g., The Open Group is the Primary Stakeholder in a
scenario where its website goes offline as a result of an infrastructure failure). Of the six forms
of loss described in the previous section, productivity, response, and replacement are generally
the forms of loss experienced as Primary Loss. The other three forms of loss only occur as
Primary Loss when the Threat Agent is directly responsible for those losses (e.g., fines and
judgments loss when the Threat Agent is filing charges/claims).

4.4.2.2 Secondary Loss

The second phase of the Loss Event, referred to as Secondary Loss, occurs as a result of
Secondary Stakeholders (e.g., customers, stockholders, regulators) reacting negatively to the
Primary Loss. This can be thought of as “fallout” from the Primary Loss. An example would be
customers taking their business elsewhere after their personal information had been
compromised or due to frustration experienced as a result of frequent service outages.

Secondary Loss has two primary components: Secondary Loss Event Frequency (SLEF) and
Secondary Loss Magnitude (SLM).

Secondary Loss Event Frequency allows the analyst to estimate the chance (percentage of time)
a scenario is expected to have secondary effects. Even though this variable is called a
“frequency”, it is estimated as a percentage because it represents the conditional probability that
a Primary Loss results in a Secondary Loss.

Secondary Loss Magnitude represents the losses that are expected to materialize from dealing
with Secondary Stakeholder reactions (e.g., fines and judgments, loss of market share).

Of the six forms of loss, response, fines and judgments, competitive advantage, and reputation
are most commonly associated with Secondary Loss. It is unusual to experience productivity or
replacement loss within Secondary Loss. In the case of the loss of competitive advantage
resulting from theft of trade secret information, the “secret” is lost immediately; the impact of
the loss is realized over a long time period, and it may or may not occur.

The effect of Secondary Loss on an organization can cascade. As losses pile up from initial
Secondary Losses, additional Secondary Stakeholders may react negatively, compounding the

20 The Open Group Standard (2021)

 effect until losses are so great that the organization fails completely (e.g., the demise of Arthur
Andersen in 2002).

4.4.3 Loss Factors

Loss factors are attributes or properties of the asset, threat, organization, or external environment
that affect the magnitude of the loss to the Primary Stakeholder of a Loss Event.

Loss factors may contribute to either/both Primary or/and Secondary Loss, so the risk analyst
must evaluate the factors within all four of these categories. However, asset and threat loss
factors are referred to as Primary Loss Factors, while organizational and external loss factors are
referred to as Secondary Loss Factors.

Risk

Loss Magnitude

Primary Loss Secondary Loss

Factors Factors

Asset Loss Threat Loss Organizational External Loss

Factors Factors Loss Factors Factors

Figure 9: Loss Factors

4.4.3.1 Asset Loss Factors

Asset loss factors include value/liability and volume.

The value/liability characteristics of an Asset play a key role in both the nature and magnitude of
loss. Value/liability can be further defined as:
 Criticality – characteristics of an Asset that have to do with the impact on an
organization’s productivity; for example, the impact a corrupted database would have on
the organization’s ability to generate revenue
 Cost – the intrinsic value of the Asset; e.g., the cost associated with replacing it if it has
been made unavailable (e.g., stolen, destroyed); for example, the cost of replacing a stolen
laptop or rebuilding a bombed-out building
 Sensitivity – the harm that can occur from unintended disclosure
Sensitivity is further broken down into four sub-categories:
— Embarrassment/Reputation – the information provides evidence of incompetent,
criminal, or unethical management and refers to reputation damage resulting from the

Risk Taxonomy (O-RT), Version 3.0.1 21

 nature of the information itself, as opposed to reputation damage that may result when
a Loss Event takes place
— Competitive Advantage – the information provides competitive advantage (e.g., key
strategies, trade secrets) and, of the sensitivity categories, this is the only one where the
sensitivity represents value; in all other cases, sensitivity represents liability
— Legal/Regulatory – the organization is bound by law or contract to protect the
information
— General – sensitive information that does not fall into any of the above categories but
would result in some form of loss if disclosed

Asset volume simply recognizes that more Assets at risk means greater Loss Magnitude if an
event occurs (e.g., two children on a rope swing versus one child, or one sensitive customer
record versus a thousand).

4.4.3.2 Threat Loss Factors

Threat loss factors include action, competence, and whether the Threat Agent is internal or
external to the organization, and how the Threat Agent then uses the compromised information
Asset can affect the loss suffered by the Primary Stakeholder.

Threat Agents can take one or more of the following actions against an Asset:
 Access – unauthorized access of Asset(s)
 Misuse – unauthorized use of Asset(s)
 Disclose – illicit disclosure of sensitive information
 Modify – unauthorized changes to Asset(s)
 Deny Access – prevention or denial of authorized access

Note: Any of these actions may be the assigned mission of a Threat Agent.

Threat Agents take these actions after they have succeeded in committing a confidentiality,
integrity, or availability breach against the stakeholder’s information Asset, as shown in Table 2.
Table 2: Threat Agent Actions Following a Successful Breach

Observed Information
Asset Breach Threat Agent Exploitation Post-Breach

Confidentiality Access – the Threat Agent gains unauthorized access but takes no further action
beyond “having” the data.
Misuse – the Threat Agent makes unauthorized use of the Asset in committing
consequential losses to the Primary or Secondary Stakeholders, such as
committing identity theft, setting up a pornographic distribution service on a
compromised server, etc.
Disclose – the Threat Agent illicit disclosure of sensitive information
distributes information to other unauthorized parties.

22 The Open Group Standard (2021)

 Observed Information
Asset Breach Threat Agent Exploitation Post-Breach

Integrity Modify – the Threat Agent creates or modifies information that makes that
information or information processing inaccurate or otherwise unreliable or
untrustworthy. The stakeholder bears consequential losses from using
inaccurate (unauthorized) information in its business processes.

Availability Deny Access – the Threat Agent prevents or denies authorized access to the
Asset. This includes deleting information, taking systems offline, and
ransomware style events.

By gaining unauthorized access to information Assets, Threat Agents may establish a foothold in
that Asset for later malicious use. If undetected, this foothold is not yet a loss to the Primary
Stakeholder. When detected, the loss will be a confidentiality, integrity, or availability loss with
the consequences that come from that loss. Threat Agents may gain a foothold as part of a long-
term strategy to accomplish their assigned mission, such as to defeat or compromise an enemy
military’s future operation.

Each of these actions affects Assets differently, which drives the degree and nature of loss. The
combination of the Asset, kind of violation, and kind of exploitation of this violation determines
the fundamental nature and degree of loss. For example, the potential for productivity loss
resulting from a destroyed or stolen Asset depends upon how critical that Asset is to the
organization’s productivity. If a critical Asset is simply illicitly accessed, there is no direct
productivity loss. Similarly, the destruction of a highly sensitive Asset that does not play a
critical role in productivity will not directly result in a significant productivity loss. However,
that same Asset, if disclosed, can result in significant loss of competitive advantage or
reputation, and generate legal costs.

Which action(s) a Threat Agent takes will be driven primarily by that attacker’s motive (e.g.,
financial gain, revenge, recreation) and the nature of the Asset. For example, a Threat Agent
bent on financial gain is less likely to destroy a critical server than to steal an easily pawned
Asset like a laptop. For this reason, the risk analyst must have a clear definition of the Threat
Community and its intended goal to evaluate Loss Magnitude effectively.

Threat competence is a measure of how able the Threat Agent is in exploiting the compromised
Asset to accomplish some Threat Agent goal; it is the amount of damage a Threat Agent is
capable of inflicting once the information Asset compromise occurs to the Primary or Secondary
Stakeholders. For instance, a Threat Agent with low threat competence may not cause a large
loss despite having sufficient Threat Capability to overcome the Asset’s Controls.

Note: Threat competence differs from Threat Capability: threat competence affects Loss
Magnitude while Threat Capability affects Loss Event Frequency.

Whether a Threat Agent is external or internal to the organization can play a pivotal role in how
much loss occurs. Specifically, Loss Events generated by malicious internal Threat Agents
(including employees, contractors, etc.) typically have not resulted in significant regulatory or
reputation losses because it is recognized that trusted insiders are exceedingly difficult to protect
against.

Risk Taxonomy (O-RT), Version 3.0.1 23

 Threat Loss
Factors

Internal versus
Competence Action
External

Access Misuse Disclose Modify Deny Access

Figure 10: Threat Loss Factors

4.4.3.3 Organizational Loss Factors

Organizational loss factors are those specific to the organization or business that suffers the loss
and include when the Loss Event occurred, whether the organization took reasonable care in
protecting the information Asset breached, and how it was able to detect the Loss Event in the
first place.

When a Loss Event occurs, its timing can significantly impact Loss Magnitude. For example, the
disclosure of earnings before public release or disclosure of a potential acquisition by an
organization before the deal is publicly disclosed.

An organization’s duty of reasonable care to protect the information Asset can affect the legal
liability an organization faces from an event. Whether reasonable and appropriate preventative
measures are in place (given the threat environment, value of the Asset, and legal and regulatory
compliance requirements) can determine the severity of consequential legal and reputational
damage.

How effectively an organization responds to an event can spell the difference between an event
nobody remembers a year later and an event that stands out as an example (good or bad) in the
annals of history. There are three components to a response:
 Containment – an organization’s ability to limit the breadth and depth of an event (e.g.,
cordoning-off the network to contain the spread of a worm)
 Remediation – an organization’s ability to remove the Threat Agent (e.g., eradicating the
worm)
 Recovery – the ability to bring things back to normal

All three of these response components must exist, and the degree to which any of them is
deficient can have a significant impact on Loss Magnitude.

Response capabilities are usually considered solely within the context of criticality; e.g., the
ability to return productivity to normal. However, response capabilities can also significantly
affect losses resulting from sensitive information disclosure. For example, an organization that
experiences a publicly disclosed breach of confidential customer information generally can
significantly reduce its losses by being forthright in its admissions and by compensating harmed
parties fully. Conversely, an organization that denies and deflects responsibility is much more
likely to become a pariah and a media whipping post.

24 The Open Group Standard (2021)

 The organization must detect the Loss Event before it can respond and mitigate it. Incidents can
take place that are undetected for a considerable period of time. However, for such an event to
result in a material loss, it must first be detected. For example, the damage from sensitive
competitive advantage information that makes its way to a competitor is likely to materialize and
be recognized, though perhaps with less-than-timely detection. Only when detected, however,
can the organization respond and reduce its losses, such as by taking legal action against a
competitor who stole proprietary information.

Note: “Undetected Loss Events”, such as advanced persistent threats or situations described
as a Threat Agent gaining a “foothold” (as described in Section 3.5.3.2) in a system to
exploit at a later time are defined as Threat Events before they are detected and, once
detected, become Loss Events.

Organizational
Loss Factors

Reasonable
Timing Response Detection
Care

Containment Remediation Recovery

Figure 11: Organizational Loss Factors

4.4.3.4 External Loss Factors

External loss factors include external party detection, legal and regulatory, competitors, media,
and Secondary Stakeholders (e.g., customers, partners, stockholders, shareholder activists).

These five categories represent entities that can inflict Secondary Loss upon the organization as
a consequence of an event. In other words, events will often result in direct forms of loss (e.g.,
productivity, response, replacement) due to the criticality and inherent value characteristics of
Assets. Secondary Losses may also occur based upon the external reaction to a Loss Event (e.g.,
sensitive information disclosure).

Moreover, all of the factors within these external categories can be described as “reactive to an
event”. In other words, for an external factor to affect Loss Magnitude, the external party first
must detect the event. For example, if an employee misuses his legitimate access to customer
information to commit identity theft, the customer(s), regulators, and lawyers cannot inflict harm
upon the organization unless that theft is tied back to the organization. Likewise, if a
productivity outage is not detected by customers, partners, etc., then the organization will not be
subject to a negative response on the part of those stakeholders.

External party detection can be thought of as a binary factor on which all other external factors
are predicated. Detection of an event by an external party can happen as a consequence of the
severity of the event, through intentional actions by the Threat Agent, through unauthorized
disclosure by someone on the inside who is familiar with the event, through intentional
disclosure by the organization (either out of a sense of duty, or because it is required by law), or
by accident.

Risk Taxonomy (O-RT), Version 3.0.1 25

 The legal and regulatory landscape likely affects the Primary Stakeholder’s exposure to fines,
judgments, and other sanctions associated with a Primary Loss. Primary Stakeholders can
recognize that environment, seek appropriate legal guidance, and act to mitigate their risk
associated with legal and regulatory compliance.

Losses associated with the competitive landscape typically have to do with the competition’s
ability and willingness to take advantage of the Primary Stakeholder’s loss of control of sensitive
information.

Media reaction can have a significant effect on how stakeholders, lawyers, and even regulators
and competitors view the event. If the media chooses to vilify the organization and keep it in the
headlines for an extended period, the result can be much more significant. Conversely, if the
media paints the organization as a well-intentioned victim that exercised reasonable care but still
suffered the event at the hands of a criminal, then legal and reputation damage can be
minimized. This is why organizations must have effective crisis communication processes in
place.

External Loss
Factors

External Party Legal & Secondary

Competitors Media
Detection Regulatory Stakeholders

Figure 12: External Loss Factors

4.4.4 Summary: Loss Magnitude

Loss Magnitude consists of the Primary Stakeholder’s economic loss, measured in money or
currency of a materialized Loss Event. These events consist of a direct impact, called the
Primary Loss, and a potential secondary impact, called the Secondary Loss, initiated as a
reaction to that Primary Loss by Secondary Stakeholders who become Secondary Threat Agents.
Losses manifest themselves in six forms: productivity, response, replacement, fines and
judgments, competitive advantage, and reputation.

Losses can be amplified or diminished by loss factors, which are how qualities of the asset,
threat, organization, or external environment affect losses once they begin to occur.
Table 3: Loss Magnitude Factors

Loss Magnitude Factor Description Unit of Measure

Total Loss Magnitude Sum of Primary and Secondary Loss Money, currency
Magnitude; an economic loss

Primary Loss Magnitude Direct economic losses associated with a Money, currency
confidentiality, integrity, or availability loss
of information Assets

26 The Open Group Standard (2021)

 Loss Magnitude Factor Description Unit of Measure

Secondary Loss Indirect, conditional losses associated with Money, currency

Magnitude Secondary Stakeholders affected by the
Primary Loss becoming Threat Agents and
trying to cause a loss to the Primary
Stakeholder

Secondary Loss Event Conditional probability that a Primary Loss Probability (between 0-1 or
Frequency will result in a Secondary Loss measured as a percentage,
between 0 and 100%)

Forms of Loss Six forms of loss that completely describe Money, currency
possible losses and can occur as a Primary or
Secondary Loss: productivity, response,
replacement, fines and judgments,
competitive advantage, and reputation.

Loss Factors Four loss factors that affect magnitude of Dimensionless scalars,
loss: asset, threat, organizational, external multipliers

Risk Taxonomy (O-RT), Version 3.0.1 27

A Risk Taxonomy in the Context of Risk Analysis

Extensive discussion in development of this risk taxonomy included considerations that can be
grouped into four categories:
 Concerns regarding complexity of the model
 The availability of data to support statistical analyses
 The iterative nature of risk analyses
 Perspective

Many of these considerations are not so much critical of the Open FAIR framework, but rather
are observations and concerns that apply no matter what method is used to analyze risk.

A.1 Complexity of the Model

There is no question that the Open FAIR framework goes into greater detail than most (if any
other) information risk models, and if usage of the framework required analyses at the deepest
layers of granularity, then it would indeed be impractical for most risk analyses. Fortunately,
most analyses can be performed using data and/or calibrated estimates at higher levels of
abstraction within the model; e.g., measuring Threat Event Frequency rather than attempting to
measure Contact Frequency and Probability of Action. This flexibility within the framework
allows the user to choose the appropriate level of analysis depth based on their available time,
data, as well as the complexity and significance of the scenario being analyzed.

Of course, the fact that the framework includes greater detail provides several key advantages:
 The aforementioned flexibility to go deep when necessary
 A greater understanding of contributing factors to risk
 The ability to better troubleshoot/critique analysis performed at higher layers of
abstraction

Another consideration to keep in mind is that risk is inherently complicated. If it were not, then
there would be no need for well-defined frameworks and no challenges over analyzing risk and
communicating about it. Using over-simplified and informal models almost invariably results in
unclear and inconsistent assumptions, leading to flawed conclusions, and therefore false
recommendations. With that in mind, even the detailed Open FAIR taxonomy is not a perfect or
comprehensive treatment of the problem. There are no perfect taxonomies/models of real-world
complexity.

With regard to communicating complex risk information to business decision-makers (who often
want information like this delivered in simple form), the problem is not inherently with the
model, but rather with the user. As is the case with any complex problem, results must be
articulated in a way that is useful and digestible to decision-makers. It is also not unusual for

28 The Open Group Standard (2021)

 management to ask how the analyst arrived at their results, and having a rigorous framework to
refer to in the explanation tends to improve credibility and acceptance of the results.

A.2 Availability of Data

In risk assessments, good data is especially difficult to acquire for infrequent events. In the
absence of such data, how do we arrive at valid frequency estimates?

Good data has been and will continue to be a challenge within the risk problem space for some
time to come. In part, this stems from the absence of a detailed framework that:
 Defines which metrics are needed
 Provides a model for applying the data so that meaningful results can be obtained

The Open FAIR framework has been proven in practice to help solve those two issues. It does
not, of course, help with those instances where data is unavailable because events are rare. In
those cases, regardless of the analysis method chosen, the estimates cannot be as well
substantiated by data. On the other hand, the absence of data due to the infrequency of events is
data – of sorts – and can be used to help guide our estimates. As additional information is
acquired over time, it is possible to adjust the initial estimates.

A.3 Iterative Risk Analyses

Due to the inherent complexity of risk, risk analyses tend to be iterative in nature. In other
words, initial risk analyses tend to be “sighting shots” that become more precise as additional
analyses are performed. Furthermore, there comes a point of diminishing returns beyond which
additional precision is not warranted given the necessary time and expense of deeper/broader
analyses. Of course, this is true of any analysis method, including the Open FAIR model.

A.4 Perspective
An alternative view held by some is that “exposure” should be the focus rather than “risk”. The
argument put forward here is that “risk” can be thought of as the inherent worst-case condition,
and “exposure” represents the residual risk after Controls were applied.

Setting aside the possibility that those who hold this view misinterpret the definition of risk
within the Open FAIR model, both issues are related (sort of a “before” and “after” perspective)
and relevant. The Open FAIR framework provides the means to analyze both conditions by
allowing the analyst to derive unmitigated risk as well as mitigated risk levels.

Risk Taxonomy (O-RT), Version 3.0.1 29

B Practical Use of the Open FAIR Method

B.1 The Risk Language Gap

Over time, the ways to manage risk have evolved to keep up with ways to conduct business.
There is a long history here, predating the use of IT in business. As the scope, scale, and value of
business operations have evolved, specializations to manage the risk have similarly evolved, but
in doing so, each specialization has developed its own view of risk and how to describe its
components. This has resulted in a significant language gap between the different
specializations, all of whom are stakeholders in managing risk.

This gap is particularly evident between business managers and their IT risk/security
specialists/analysts. For example, business managers talk about “impact” of loss, not in terms of
how many servers or operational IT systems will cease to provide normal service, but rather
what the impact will be of losing these normal services on the business’s capacity to continue to
trade normally, measured in terms of $-value; or will the impact be a failure to satisfy applicable
regulatory requirements which could force them to limit or even cease trading and perhaps
become liable to heavy legal penalties.

Therefore, a business manager tends to think of a “threat” as something which could result in a
loss that the business could not absorb without seriously damaging its trading position. Compare
this with our risk taxonomy definitions for “Threat” and “Vulnerability”:
 Threat: anything that is capable of acting in a manner resulting in harm to an Asset and/or
organization; for example, acts of God (weather, geological events, etc.), malicious actors,
errors, failures
 Vulnerability: the probability that a Threat Event will become a Loss Event

Similar language gaps exist between other stakeholders in management of risk. Politicians and
lawyers are particularly influential stakeholders: they are in the powerful position of shaping
national and international policy (e.g., OECD, European Commission), which in turn influences
national governments to pass laws and regulatory regimes on business practices that become
effective one to three years down the line.

B.2 Key Risk Concepts

This document is an essential step towards enabling all stakeholders in risk management to use
key risk management terms – especially Control, Asset, Threat, and Vulnerability – with precise
meanings to bridge the language gap between IT specialists, business managers, lawyers,
politicians, and other professionals, in all sectors of industry and commerce and the critical
infrastructure, whose responsibilities bear on managing risk.

30 The Open Group Standard (2021)

B.3 Using the Open FAIR Model with Other Risk Assessment
Frameworks
This document describes the factors that contribute to risk and how they affect each other, and is
primarily concerned with establishing accurate estimates for the probable frequency and
probable magnitude of future Loss Events associated with information and information
technology. It is not, per se, a “cookbook” that describes how to perform an enterprise (or
individual) risk assessment. For example, the Open FAIR documentation does not specify where
and how an analyst should obtain information to use in the assessment, as much as it explains
how to describe the value of that information and how the information contributes to risk. In
particular, this document specifies the factors and their relationships that comprise risk but not a
single, deterministic model to calculate each factor.

Many information security standards and frameworks specify that information risk assessments
should be done but provide little to no specifications on how to do them. The O-RT and O-RA
Standards along with guidance documentation from The Open Group provide a way to quantify
risk in those information security standards and frameworks.

Senior management and boards of directors are guided by best practices within their professional
domains to treat information risk as an enterprise risk, and the Open FAIR model is one standard
that allows that risk to be expressed in economic, business terms, and in the same units of
measure as other enterprise risks. This compatibility of the unit of measure of risk between
information risk and other business operational risks allows information risk to be compared,
contrasted, and aggregated to develop overall enterprise-wide risk assessments. In essence, “risk
is risk”, whether it is related to an enterprise’s operation, a bank’s loan portfolio, a trading desk’s
value at risk, or information technology: it is the probable frequency of an uncertain loss and the
magnitude of that loss expressed as a distribution of economic outcomes.

Practitioners who must perform information technology risk assessments to comply with other
industry and regulatory standards, frameworks, and methodologies can use the Open FAIR
taxonomy and framework to build consistent and defensible risk statements that are measured in
the same economic terms as other risks they have to manage.

Risk Taxonomy (O-RT), Version 3.0.1 31

 Index
abstraction ................................... 2, 10 response............................................24
Asset volume ................................... 22 containment....................................24
competitive landscape ..................... 26 recovery .........................................24
competitors ...................................... 25 remediation ....................................24
contact ............................................. 13 risk....................................................10
intentional ..................................... 13 risk assessment .................................. 8
random .......................................... 13 risk factor .......................................... 1
regular ........................................... 13 risk factor variables ........................... 9
Contact Frequency (CF) .................. 13 risk management stack ...................... 9
data metrics ..................................... 29 risk measurement .............................11
detection .................................... 25, 26 Secondary Loss ................................20
flexibility ......................................... 28 Secondary Loss Event ......................19
information security risk ................... 1 Secondary Loss Event Frequency
legal and regulatory ......................... 25 (SLEF) .........................................20
loss................................................... 18 Secondary Loss Factors ....................21
competitive advantage ................... 19 Secondary Loss Magnitude (SLM) ..20
fines/judgments ............................. 19 secondary stakeholders.....................25
productivity ................................... 18 sensitivity
replacement ................................... 19 competitive advantage ...................22
reputation ...................................... 19 embarrassment/reputation ..............21
response......................................... 19 general............................................22
loss analysis ..................................... 17 legal/regulatory ..............................22
Loss Event Frequency (LEF)........... 12 Threat Capability (TCap) .................15
loss exposure ............................. 10, 11 threat competence.............................23
Loss Magnitude (LM) ..................... 17 Threat Event Frequency (TEF) ........12
media ......................................... 25, 26 threat loss factors .............................22
password strength ............................ 16 action .............................................22
possibility ........................................ 11 competence ....................................22
prediction......................................... 11 internal or external to the
Primary Loss ................................... 20 organization ...............................22
Primary Loss Event ......................... 19 timing ...............................................24
Primary Loss Factors ....................... 21 unintended disclosure .......................21
probability ................................. 11, 14 value/liability ...................................21
probability factor cost .................................................21
level of effort ................................. 14 criticality ........................................21
risk of detection/capture ................ 14 sensitivity .......................................21
value .............................................. 14 volume..............................................21
Probability of Action (PoA) ............ 13 Vulnerability (Vuln) .........................14
Resistance Strength (RS) ................. 16

32 The Open Group Standard (2021)