Open FAIR

Also known as: O-RA, Open Risk Analysis

Open standard governed by The Open Group that codifies the FAIR risk-quantification methodology as a reference taxonomy. The Open FAIR Body of Knowledge is the canonical specification.

Written by Askara Solutions editorial team · Updated

Open FAIR is the open-standard form of FAIR, governed by The Open Group rather than the FAIR Institute. The two are aligned in substance; the difference is that Open FAIR comes with a published, citable specification (the Open FAIR Body of Knowledge, sometimes referenced as the O-RA standard) and a certification track for analysts.

For procurement and contracts, the distinction matters. A customer contract that requires a quantitative risk methodology can cite Open FAIR by version number; FAIR-Institute methodology is harder to reference unambiguously. Most organisations using FAIR in production are running an Open FAIR analysis without naming it that way.

The Risk Investigation Agent uses Open FAIR by default. The factors, the decomposition tree, the three-point estimate elicitation, and the Monte Carlo aggregation all match the Body of Knowledge. The benefit of citing the open standard is that the analysis is portable: another organisation, another auditor, another insurer can follow the same model end to end without translation.

Related terms

  • FAIR

    Quantitative risk-analysis methodology that expresses cyber risk as financial loss exposure rather than ordinal severity scores, by decomposing it into loss event frequency and loss magnitude.

  • Annual Loss Expectancy

    The expected annual cost of a risk scenario in financial terms, calculated as Loss Event Frequency multiplied by Loss Magnitude, expressed as a probability distribution rather than a point estimate.

  • Threat Event Frequency

    The expected number of times per year that a threat actor will attempt the action that could lead to a loss event, before any consideration of whether the attempt succeeds.

  • Loss Event Frequency

    The expected number of times per year that a threat actor's action will succeed and produce a loss, calculated as Threat Event Frequency multiplied by Vulnerability (the probability of success).

  • Monte Carlo Simulation

    Computational technique that samples input variables from their probability distributions and aggregates the outcomes, producing a distribution of plausible results rather than a point estimate.
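Worked example, added here and not code from the page, Askara Solutions or The Open Group, of the decomposition the related terms describe: three-point estimates for Threat Event Frequency, Vulnerability and Loss Magnitude are sampled as BetaPERT distributions, multiplied per iteration into Loss Event Frequency and Annual Loss Expectancy, and summarised as percentiles rather than a point estimate. The scenario numbers, the function names and the PERT shape parameter of 4 are assumptions for illustration.

```python
import random
import statistics

# Constructed three-point estimates (min, most likely, max) for one loss scenario.
# Units: TEF in attempts per year, Vulnerability as a probability, Loss Magnitude per event.
SCENARIO = {
    "tef": (2.0, 6.0, 20.0),
    "vulnerability": (0.05, 0.15, 0.40),
    "loss_magnitude": (25_000.0, 120_000.0, 900_000.0),
}

def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a BetaPERT distribution fitted to a three-point estimate.
    lam=4 is the conventional PERT shape (an assumption, not taken from the page)."""
    if not low <= mode <= high:
        raise ValueError("expected low <= mode <= high")
    if high == low:
        return low  # degenerate estimate: the analyst is certain of the value
    span = high - low
    alpha = 1.0 + lam * (mode - low) / span
    beta = 1.0 + lam * (high - mode) / span
    return low + span * rng.betavariate(alpha, beta)

def simulate_ale(scenario, iterations=10_000, seed=7):
    """Monte Carlo over the FAIR tree: LEF = TEF x Vulnerability, ALE = LEF x Loss Magnitude.
    Returns the sorted list of simulated annual losses (a distribution, not a point estimate)."""
    rng = random.Random(seed)  # fixed seed so another reviewer can reproduce the run
    ale = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario["tef"])
        vulnerability = pert_sample(rng, *scenario["vulnerability"])
        lef = tef * vulnerability                      # loss events per year
        loss_magnitude = pert_sample(rng, *scenario["loss_magnitude"])
        ale.append(lef * loss_magnitude)               # annual loss for this iteration
    ale.sort()
    return ale

def summarise(ale):
    """Report the percentiles a decision-maker or insurer would read off the distribution."""
    n = len(ale)
    def pct(p):
        return ale[min(n - 1, int(p * n))]
    return {"mean": statistics.fmean(ale), "p10": pct(0.10),
            "p50": pct(0.50), "p90": pct(0.90), "max": ale[-1]}

if __name__ == "__main__":
    for key, value in summarise(simulate_ale(SCENARIO)).items():
        print(f"{key:>5}: {value:,.0f}")
```

The p10/p50/p90 spread is the portable output: a second organisation with the same three-point inputs and seed reproduces the same distribution without translating the model.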

Authoritative sources

Where to read more.