FAIR-CAM Controls


Introduction

FAIR-CAM Controls are a core part of SAFE's approach to measuring and quantifying cyber risk. Instead of only showing vulnerabilities or tool outputs, SAFE evaluates how your security controls actually reduce risk.

These controls are based on:

  • FAIR (Factor Analysis of Information Risk)

  • FAIR-CAM

Using FAIR-CAM, SAFE connects:

Security controls > Control effectiveness > Risk reduction > Business impact

This allows organizations to understand not just what is wrong, but what to fix first.

What are FAIR-CAM Controls?

FAIR-CAM defines controls as:

  • Controls: Anything that can be used to directly or indirectly affect the frequency or magnitude of loss

  • Control Function: How a control directly or indirectly affects the frequency or magnitude of loss

  • Functional Domain: High-level categories that group controls based on how they influence risk

In simple terms:

  • A control = a security measure (tool, process, or policy)

  • A function = what that control does (prevent, detect, respond, etc.)

  • A domain = how that function impacts risk overall

FAIR-CAM Controls Categorization

FAIR-CAM groups controls into three major categories based on their role in risk reduction:

1. Loss Event Controls (LEC)

These controls directly reduce the likelihood or impact of an attack.

They:

  • Prevent attacks (e.g., email security)

  • Reduce attack success (e.g., MFA)

  • Detect threats (e.g., EDR, SIEM)

  • Respond and recover (e.g., incident response, backups)

These are your primary defense controls.

2. Variance Management Controls (VMC)

These controls ensure that your security controls:

  • Work consistently

  • Do not degrade over time

They improve the stability and consistency of other controls.

3. Decision Support Controls (DSC)

These controls help improve:

  • Risk-based decision making

  • Governance and policy effectiveness

They ensure the organization is making informed and structured security decisions.

Control Maturity

SAFE evaluates how effective each control is using a concept called Control Maturity.

Control maturity determines how much a control actually reduces risk.

It is based on three factors:

1. Capability

Measures how strong and effective a control is when it is working properly.

Example: Advanced MFA vs basic password protection

2. Coverage

Measures how widely the control is applied across your organization.

Example: MFA applied to all users vs only a subset

3. Reliability

Measures how consistently the control performs over time.

Affected by:

  • Vulnerabilities

  • Misconfigurations

  • Operational failures

How maturity is calculated

Control Maturity = Capability × Coverage × Reliability

This maturity directly impacts:

  • Attack success probability (Susceptibility)

  • Overall risk likelihood

Calculating Reliability for a Control

Reliability reflects how dependable a control is in real-world conditions.

How SAFE calculates Reliability

Reliability is primarily influenced by:

  • Security findings (vulnerabilities, misconfigurations, etc.)

  • Data from integrated tools

These findings are:

  • Scored based on severity, age, exploitability, and asset impact

  • Aggregated into a population score

  • Converted into a Reliability value

More findings, or higher-risk findings → Lower reliability

Fewer findings, or lower-risk findings → Higher reliability

Important Behavior in SAFE

Reliability is partially automated using integrations. However, it depends on:

  • Capability

  • Coverage

If these are missing, Reliability cannot be meaningfully calculated.

FAQs

Q: Why isn’t Automated Reliability populating for my CAM Controls?

Answer: Automated Reliability depends on Capability and Coverage maturity values.

Even if assets are populated and findings are coming from integrations, SAFE still requires:

  • Capability (how strong the control is)

  • Coverage (where the control is applied)
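The following Python is an added illustration of the procedure described on this page; it is not SAFE's code and does not reproduce SAFE's actual scoring. It scores each finding on severity, age, exploitability and asset impact, aggregates the scores into a population score, converts that into a Reliability value, combines it as Capability × Coverage × Reliability, and returns no maturity at all when Capability or Coverage is missing, which is the behaviour the FAQ above describes. The severity weights, the age curve, the exploitability discount and the saturating aggregation are all assumptions chosen for the example; the sample findings are constructed.

```python
"""Illustrative FAIR-CAM control maturity model (added example, not SAFE's code).

Assumed, for illustration only: severity weights, age curve, exploitability
discount, and a saturating sum as the population score.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed severity weights (not SAFE's values).
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.7, "medium": 0.4, "low": 0.1}


@dataclass
class Finding:
    severity: str        # one of SEVERITY_WEIGHT's keys
    age_days: int        # how long the finding has been open
    exploitable: bool    # whether a practical exploit path is known
    asset_impact: float  # 0..1, business criticality of the affected asset


def score_finding(f: Finding) -> float:
    """Score one finding in [0, 1] from severity, age, exploitability and asset impact."""
    base = SEVERITY_WEIGHT[f.severity]
    # Assumed age curve: a brand-new finding counts half, a 90-day-old one counts fully.
    age_factor = 0.5 + 0.5 * min(1.0, f.age_days / 90)
    # Assumed discount when no practical exploit path is known.
    exploit_factor = 1.0 if f.exploitable else 0.6
    return base * age_factor * exploit_factor * f.asset_impact


def population_score(findings: List[Finding]) -> float:
    """Aggregate all finding scores into a 0..1 population score (assumed: capped sum)."""
    return min(1.0, sum(score_finding(f) for f in findings))


def reliability_from_findings(findings: List[Finding]) -> float:
    """More or higher-risk findings lower Reliability; fewer or lower-risk ones raise it."""
    return 1.0 - population_score(findings)


def control_maturity(capability: Optional[float],
                     coverage: Optional[float],
                     findings: List[Finding]) -> Optional[float]:
    """Control Maturity = Capability x Coverage x Reliability.

    Returns None when Capability or Coverage is missing: without them the
    automated Reliability value has nothing to combine with, so no maturity
    (and no susceptibility reduction) can be meaningfully derived.
    """
    if capability is None or coverage is None:
        return None
    return capability * coverage * reliability_from_findings(findings)


# Constructed sample findings for one control (e.g. an MFA deployment).
SAMPLE_FINDINGS = [
    Finding("critical", age_days=45, exploitable=True, asset_impact=0.8),   # 0.60
    Finding("medium", age_days=90, exploitable=False, asset_impact=0.5),    # 0.12
    Finding("low", age_days=0, exploitable=False, asset_impact=1.0),        # 0.03
]


if __name__ == "__main__":
    rel = reliability_from_findings(SAMPLE_FINDINGS)
    print(f"Reliability from findings: {rel:.2f}")
    print(f"Maturity (cap 0.8, cov 0.9): {control_maturity(0.8, 0.9, SAMPLE_FINDINGS):.2f}")
    print(f"Maturity with Coverage missing: {control_maturity(0.8, None, SAMPLE_FINDINGS)}")
```

Running it shows the effect the page describes: the three sample findings pull Reliability down to 0.25, a control with Capability 0.8 and Coverage 0.9 therefore ends up with a maturity of 0.18, and the same control with Coverage left unset yields no maturity value at all rather than a misleading number.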