www.opengroup.org/library/i181
OPEN FAIR™
RISK ANALYSIS TOOL
The Open Group Security Forum has developed a Risk
Analysis Tool compliant with The Open Group Open
FAIR™ standards – Risk Taxonomy (O-RT) and Risk
Analysis (O-RA).
Using the Open FAIR standards to guide critical thinking and decomposition of risk questions, the Tool has been
designed to allow its user to compare “before and after risk states” of a proposed risk mitigation project.
The Tool is designed for international use, with the user able to select local currency units and the order of magnitude
(thousands, millions, billions, etc.) relevant to the analysis. Embedded graphs are controlled through intuitive settings,
letting analysts and management “zoom in” on relevant areas of the results. The Tool further informs management by
comparing and presenting statistical results such as the average annual loss exposure and user-defined percentile
thresholds of loss and chance of exceedance of annual loss.
The target audience includes both university students who are learning quantitative risk analysis and risk practitioners
in a corporate environment who need a simple yet accurate risk evaluator for single risk questions. The Tool is genuinely
versatile, making it equally suitable for the university professor or corporate trainer and for the experienced corporate
risk analyst who requires an easy-to-use analytic tool to analyze individual risk questions.
[Figure: annotated screenshots of the Open FAIR Risk Analysis Tool comparing Current and Proposed states. Panels: Risk (simulated Loss Magnitude per year, average loss, percentile loss, chance of exceeding a loss threshold); Loss Event Frequency; Loss Magnitude (Primary Loss Magnitude, Secondary Loss Magnitude, Secondary Loss Event Frequency); Threat Event Frequency; Vulnerability; Contact Frequency; Probability of Action; Threat Capacity; Resistance Strength. Loss entries listed: Productivity, Replacement, Response, Reputation, Competitive Adv., Judgments. Callouts: scroll through individual simulation trials; statistics based on all trials appear here; adjust graph settings here; set units and magnitudes for all screens; drill up or down with check boxes.]
Enter triangular distribution estimates (Min, ML, Max) at any level. When lower levels are activated, upper-level estimates are bypassed.
© March 2018 - The Open Group. All rights reserved.
Features and Benefits

Feature: Able to perform, present, and visualize the risk of two states: current and proposed.
Benefit: Enables simple “before and after” comparisons.

Feature: Interactive – change a risk parameter and instantly see the result. Supports intuitive A/B comparison.
Benefit: Allows “what if” scenarios to be modeled quickly. A dashboard lets the analyst or management stakeholder define key risk thresholds to enable informed management decision-making.

Feature: Built on the Open FAIR international standards, using a proven statistical engine from Probability Management.
Benefit: Developed by an industry-based, vendor-neutral, and technology-neutral voluntary standards consensus body: The Open Group. Uses SIPMath™ as the Monte Carlo simulator to ensure accuracy of calculations and approach. Data and graphics are exportable to other enterprise communication tools such as Microsoft® Word and PowerPoint.

Feature: Extensible through using additional SIPMath features.
Benefit: The tool is built upon the industry standard and proven SIPMath Modeler Tools from Probability Management (www.probabilitymanagement.org), enabling experienced analysts who are familiar with SIPMath to extend and improve the spreadsheet using SIPMath directly if necessary. Advanced users can develop and add features themselves.

Feature: Transparent and inspectable – all formulas, calculations, and manipulations are visible to the user or other evaluator.
Benefit: All of the spreadsheet’s calculations are overt and available for inspection, making the tool open for evaluation, extension, and critique.

Feature: No requirement to be online.
Benefit: Allows maximum flexibility and independent use for a Risk Practitioner being offsite with clients and in areas where Internet connectivity may be highly sensitive or impractical.

Feature: The tool is built on the Microsoft® Excel platform.
Benefit: Can be used equally well in a Mac or PC environment. As Microsoft® Excel is the global market-leading spreadsheet product, users are almost certain to have the required licensing in place to allow them to easily deploy. This helps significantly reduce both the cost of acquisition and of maintaining their Risk Analysis Tool suite.

Feature: Secure
Benefit: Analyses can be protected by securing the spreadsheet just as the enterprise secures other sensitive financial information, making this spreadsheet fit for limited but sensitive corporate purposes.
More information
For more information, please visit our website: www.opengroup.org/library/i181.

About The Open Group
The Open Group is a vendor-neutral and technology-neutral consortium, whose vision of Boundaryless Information Flow™ will enable access to integrated information within and between enterprises based on open standards and global interoperability. The Open Group works with customers, suppliers, consortia, and other standards bodies. Its role is to capture, understand, and address current and emerging requirements, establish policies, and share best practices; to facilitate interoperability, develop consensus, and evolve and integrate specifications and open source technologies; and to operate the industry's premier certification service. Further information on The Open Group can be found at www.opengroup.org.

ArchiMate®, DirecNet®, Making Standards Work®, OpenPegasus®, Platform 3.0®, The Open Group®, TOGAF®, UNIX®, UNIXWARE®, X/Open®, and the Open Brand X® logo are registered trademarks and Boundaryless Information Flow™, Build with Integrity Buy with Confidence™, Dependability Through Assuredness™, EMMM™, FACE™, the FACE™ logo, IT4IT™, the IT4IT™ logo, O-DEF™, O-PAS™, Open FAIR™, Open Platform 3.0™, Open Process Automation™, Open Trusted Technology Provider™, SOSA™, the Open O™ logo, and The Open Group Certification logo (Open O and check™) are trademarks of The Open Group. SIPmath™ is a trademark of ProbabilityManagement.org.