Essentials of Factor Analysis of Information Risk (FAIR)


Phone: 703-993-2109

Fax: 703-993-2121

FAIR (Factor Analysis of Information Risk) is an industry standard cyber risk model for information security and operational risk. This class will show students how to use the FAIR model to deliver financially derived results tailored for enterprise cyber risk management.

The FAIR cyber risk model is rapidly being adopted worldwide in all industries, especially in finance, government, healthcare, and retail. Intended for individuals and organizations that need to build a risk management program from the ground up or strengthen an existing one, this class provides a unique and fresh approach on how to do a basic quantitative risk analysis. This class covers key areas such as risk theory, risk calculation, scenario modeling, and communicating risk within the organization.

Introduction to FAIR
  • Terminology
  • Current state vs. FAIR state
Fundamental Concepts
  • Probability vs. possibility
  • Precision vs. accuracy
  • Effective risk management
  • Making estimates in ranges
Calibrated Estimation
  • Estimating accurately with a useful amount of precision
The FAIR Model/Ontology
  • Structure
  • Terms
  • Components
  • Analysis of vulnerability
  • Monte Carlo simulation
  • Forms of loss
The Risk Analysis Process
  • Scenario scoping
  • Collecting data/estimates
  • Running the analysis
  • Quality assurance
  • Presenting results
  • Types
  • Value of controls
  • Placement in the FAIR model
Applying Your Knowledge
  • Complete two case studies/full analyses using FAIR-U
Open FAIR Certification
  • Details
  • Process
  • Recommended study materials
Required Material - The following is provided to all students by the instructor (the cost of these materials is included in the course fee):
  • FAIR Study Guide
  • FAIR on a Page
  • O-RT Risk Taxonomy Standard, The Open Group
    Click Here
  • O-RA Risk Analysis Standard, The Open Group
    Click Here
Recommended Material - The following is recommended reading. These materials are not provided, but are available as listed below:
  • Measuring and Managing Information Risk: A FAIR Approach, Butterworth-Heinemann, 2015, by Jack Freund and Jack Jones. ISBN 978-0-12-420231-3
    Amazon Link
  • The Failure of Risk Management: Why It's Broken and How to Fix It, Wiley, 2009, by Douglas Hubbard. ISBN 978-0-470-38795-5
    Amazon Link
  • How to Measure Anything: Finding the Value of Intangibles in Business, 3rd Edition, Wiley, 2014, by Douglas Hubbard. ISBN 978-1118539279
    Amazon Link
  • How to Measure Anything Workbook: Finding the Value of Intangibles in Business, 1st Edition, Wiley, 2014, by Douglas Hubbard. ISBN 978-1118752364
    Amazon Link
This course is designed for anyone interested in cyber risk quantification, but is specifically beneficial to C-Suite level personnel (CEO, CFO, CIO, CISO), project managers, risk analysts, and business process owners.
Students who complete the course will know how to prepare for the Open Group FAIR Certification exam using the materials provided.

Students who successfully complete this course will also demonstrate an ability to:
  • Think critically about cyber risk management methods
  • Define, calculate, and analyze cyber risk in a defensible way
  • Leverage a probabilistic mindset when evaluating risk
  • Demonstrate a working knowledge of the FAIR framework
  • Translate cyber risk analysis into meaningful business decisions
Chip Block
Chip Block, Vice President and Certified Open FAIR™ Analyst, Evolver, Inc.

Mr. Block has over 30 years of advanced technology research and development experience and has spent the last 15 years in the information assurance and cyber technology arenas. He leads new market and technology development at Evolver.

He advises Evolver’s clients on cyber operations, cyber risk quantification and cyber insurance. Specific to cyber risk quantification, he works with clients to identify key business risk elements for ROI analysis, insurance considerations and streamlining vendor management utilizing the FAIR methodology.

Mr. Block was awarded an R&D 100 award as co-principal investigator in 2003. He is an author and frequent speaker on cyber risk quantification, medical devices and the Internet of Things. He is a graduate of the University of Notre Dame, the chair of the FAIR Institute’s DC Chapter, and a certified Open FAIR™ analyst.

Dave Pearl
Dave Pearl, Executive Director for Cyber Programs and Certified Open FAIR™ Analyst, Evolver, Inc.

Mr. Pearl has over 20 years of experience leading major technology initiatives and complex IT programs with a worldwide footprint on federal and commercial clients. Mr. Pearl has held various leadership positions, most recently at Grant Thornton and Deloitte. Notable projects include the development of cyber architecture for a federal agency and quantification of operational risks to assess impact on program budgets for a large, international organization.

Mr. Pearl is a certified program management professional (PMP), ITIL v.3 expert, and certified Open FAIR™ analyst. He has a certificate in Strategic Executive Leadership from Yale University. He holds a post masters in Information Systems and an M.B.A. with a concentration in Finance from The George Washington University, and a B.S. in Finance from Virginia Tech. He is also completing a Masters in Cybersecurity Technology from University of Maryland University College.

Edward Peck
Edward Peck, Cybersecurity Consultant and Certified Open FAIR™ Analyst, Evolver, Inc.

Mr. Peck consults and leads workshops for Evolver’s corporate and government clients as well as university partners on the FAIR framework and how to apply its methodology to real world scenarios. His extensive experience enables Mr. Peck to leverage first-hand knowledge of FAIR-based cyber risk management success in the classroom.

Prior to joining Evolver, Mr. Peck spent nearly two decades in the cybersecurity arena in various capacities. Most recently, he conducted FAIR assessments for a major east coast financial institution. He was also a security controls assessor helping identify security-related gaps in various sized enterprises as well as a cybersecurity engineer responsible for designing and documenting appropriate security controls for networks and applications.

Mr. Peck received his B.S. in Business from Mount St. Mary’s University. He is a Certified Information Systems Security Professional (CISSP) with a concentration in Engineering (CISSP-ISSEP), a certified Open FAIR™ analyst and a member of the FAIR Institute's DC Chapter.
Additional Discounts: George Mason University employees receive a 10% discount on Executive and Professional Education courses. Employee spouses and children, as well as alumni receive a 10% discount.

For the discount code and additional details please contact:

George Mason Executive and Professional Education:

  • © George Mason University Executive and Professional Education
  • LinkedIn
  • Twitter
  • Facebook