An Introduction to Factor Analysis of Information Risk (FAIR)

An Introduction to Factor Analysis of Information Risk (FAIR) by Jack A. Jones, CISSP, CISM, CISA, is an excellent paper on understanding, analyzing and measuring risk. The paper is built around the idea that security professionals need a common taxonomy, or classification, for the ideas used in evaluating risk.

Ask a dozen information security professionals to define risk and you’re certain to get several different answers. Pick up any information security book and you’re likely to find that the author has used the terms risk, threat, and vulnerability interchangeably (they aren’t the same thing). The simple fact is that our profession hasn’t adopted a standard lexicon or taxonomy.

The author is very much aware that the paper represents a paradigm shift that will increase awareness and begin some needed discussions within our profession concerning the process of evaluating risk. It is well worth the read and discussion.

Introduction to FAIR
