A curated list of Awesome resources for learning, executing, and making use of Factor Analysis of Information Risk (FAIR) risk analyses.
Contributions welcome. Add links through pull requests or create an issue to start a discussion.
- Measuring and Managing Information Risk: A FAIR Approach 1st Edition by Jack Freund and Jack Jones - Regarded as the FAIR manual, written by the framework creator.
- How to Measure Anything in Cybersecurity Risk - Useful in filling in some of the math and measurement gaps left in Measuring and Managing Information Risk.
- FAIRCON - Annual conference put on by the FAIR Institute. Archived talks available with membership through the forums.
- SIRACon - While not FAIR-specific, it usually has at least a couple of FAIR-focused talks.
- Open FAIR Certification - The Open Group's page - The first obvious stop, which includes links to the Open Risk Taxonomy Technical Standard (O-RT) and Open Risk Analysis Technical Standard (O-RA).
- Tony Martin-Vegue’s Recipe for Passing the OpenFAIR Exam - OpenFAIR certification study and practice outline.
- RiskLens - Commercial FAIR platform.
- Tidyrisk (collector and evaluator) - A collection of R packages for performing quantitative risk management using the OpenFAIR framework.
- r-shiny-fair-risk - R Shiny application for performing FAIR analysis. Mostly uses lognormal distributions instead of BetaPERT.
- The Complete History of AWS Outages - AWS outage history. Useful for availability scenarios.
- Azure Outage History - Azure outage history that can be filtered by product, region, and date. Useful for availability scenarios.
- Exploit Prediction Scoring System (EPSS) Data
- https://github.com/danluu/post-mortems
- Software Supply Chain Compromises - IQT Labs dataset of public software supply chain compromises.
- U.S. Department of Health and Human Services Office for Civil Rights Breach Portal - Healthcare breach portal as required for OCR reporting. Includes many options for filtering.
- U.S. Department of Transportation - Valuation of a Statistical Life Guidance - Extensive guidance on VSL including a Census of Fatal Occupational Injuries (CFOI) table and table on Maximum Abbreviated Injury Scale (MAIS) factors.
- Verizon DBIR - Source for a wide range of incident data.