
www.opengroup.org/library/i181

OPEN FAIR™
RISK ANALYSIS TOOL

The Open Group Security Forum has developed a Risk Analysis Tool compliant with The Open Group Open
FAIR™ standards – Risk Taxonomy (O-RT) and Risk Analysis (O-RA).

Using the Open FAIR standards to guide critical thinking and decomposition of risk questions, the Tool has been
designed to allow its user to compare “before and after risk states” of a proposed risk mitigation project.

The Tool is designed for international use, with the user able to select local currency units and the order of magnitude
(thousands, millions, billions, etc.) relevant to the analysis. Embedded graphs are controlled through intuitive settings,
letting analysts and management “zoom in” on relevant areas of the results. The Tool further informs management by
comparing and presenting statistical results such as the average annual loss exposure and user-defined percentile
thresholds of loss and chance of exceedance of annual loss.

The target audience includes both university students who are learning quantitative risk analysis and risk practitioners
in a corporate environment who need a simple yet accurate risk evaluator for single risk questions. The Tool is genuinely
versatile, making it equally suitable for the university professor or corporate trainer and for the experienced corporate
risk analyst who requires an easy-to-use analytic tool to analyze individual risk questions.

[Figure: annotated screenshot of the Open FAIR™ Risk Analysis Tool, comparing Current and Proposed states. Panels: Risk; Loss Magnitude (Primary and Secondary, with loss forms Productivity, Replacement, Response, Reputation, Competitive Adv., Judgments); Loss Event Frequency/yr.; Threat Event Frequency/yr.; Vulnerability; Contact Frequency/yr.; Probability of Action; Threat Capacity; Resistance Strength. Charts: Total Risk Simulated Loss, Average Loss, Chance of Exceeding Percentile Loss, Chance Loss Exceeds.]

Callouts in the figure:
Scroll through individual simulation trials.
Statistics based on all trials appear here.
Adjust graph settings here.
Set Units and Magnitudes for all screens.
Specify triangular distributions for Loss Magnitude.
Specify Current and Proposed Primary Loss Event Frequency.
Specify Current and Proposed Secondary Loss Magnitude.
Grey loss form boxes can be input, but are not usually associated with the given primary or secondary loss.
Drill up or down with Check Boxes.
Enter assumptions at any level.
Enter triangular distribution estimates (Min, ML, Max) at any level. When lower levels are activated, upper-level estimates are bypassed.

© March 2018 - The Open Group. All rights reserved.


Features and Benefits

Feature: Able to perform, present, and visualize the risk of two states: current and proposed.
Benefit: Enables simple “before and after” comparisons.

Feature: Interactive – change a risk parameter and instantly see the result. Supports intuitive A/B comparison.
Benefit: Allows “what if” scenarios to be modeled quickly. A dashboard lets the analyst or management stakeholder define key risk thresholds to enable informed management decision-making.

Feature: Built on the Open FAIR international standards, using a proven statistical engine from Probability Management.
Benefit: Developed by an industry-based, vendor-neutral, and technology-neutral voluntary standards consensus body: The Open Group. Uses SIPMath™ as the Monte Carlo simulator to ensure accuracy of calculations and approach. Data and graphics are exportable to other enterprise communication tools such as Microsoft® Word and PowerPoint.

Feature: Extensible through using additional SIPMath features.
Benefit: The tool is built upon the industry standard and proven SIPMath Modeler Tools from Probability Management (www.probabilitymanagement.org), enabling experienced analysts who are familiar with SIPMath to extend and improve the spreadsheet using SIPMath directly if necessary. Advanced users can develop and add features themselves.

Feature: Transparent and inspectable – all formulas, calculations, and manipulations are visible to the user or other evaluator.
Benefit: All of the spreadsheet’s calculations are overt and available for inspection, making the tool open for evaluation, extension, and critique.

Feature: No requirement to be online.
Benefit: Allows maximum flexibility and independent use for a Risk Practitioner being offsite with clients and in areas where Internet connectivity may be highly sensitive or impractical.

Feature: The tool is built on the Microsoft® Excel platform.
Benefit: Can be used equally well in a Mac or PC environment. As Microsoft® Excel is the global market-leading spreadsheet product, users are almost certain to have the required licensing in place to allow them to easily deploy. This helps significantly reduce both the cost of acquisition and of maintaining their Risk Analysis Tool suite.

Feature: Secure
Benefit: Analyses can be protected by securing the spreadsheet just as the enterprise secures other sensitive financial information, making this spreadsheet fit for limited but sensitive corporate purposes.

More information

For more information, please visit our website: www.opengroup.org/library/i181.

About The Open Group

The Open Group is a vendor-neutral and technology-neutral consortium, whose vision of Boundaryless Information Flow™
will enable access to integrated information within and between enterprises based on open standards and global
interoperability. The Open Group works with customers, suppliers, consortia, and other standards bodies. Its role is to
capture, understand, and address current and emerging requirements, establish policies, and share best practices; to
facilitate interoperability, develop consensus, and evolve and integrate specifications and open source technologies;
and to operate the industry's premier certification service.

Further information on The Open Group can be found at www.opengroup.org.

ArchiMate®, DirecNet®, Making Standards Work®, OpenPegasus®, Platform 3.0®, The Open Group®, TOGAF®, UNIX®,
UNIXWARE®, X/Open®, and the Open Brand X® logo are registered trademarks and Boundaryless Information Flow™,
Build with Integrity Buy with Confidence™, Dependability Through Assuredness™, EMMM™, FACE™, the FACE™ logo,
IT4IT™, the IT4IT™ logo, O-DEF™, O-PAS™, Open FAIR™, Open Platform 3.0™, Open Process Automation™, Open
Trusted Technology Provider™, SOSA™, the Open O™ logo, and The Open Group Certification logo (Open O and check™)
are trademarks of The Open Group.
SIPmath™ is a trademark of ProbabilityManagement.org.