The Repository @ St. Cloud State

Open Access Knowledge and Scholarship

Date of Award

5-2026

Culminating Project Type

Starred Paper

Styleguide

IEEE

Department

Information Assurance and Information Systems

College

Herberger School of Business

First Advisor

Lynn Collen

Second Advisor

Erich Rice

Third Advisor

Jieyu Wang

Creative Commons License

This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Abstract

As businesses depend more on technology, cybersecurity threats have increased in frequency. Data breaches, cyberattacks, and system failures pose serious hazards to companies. Two well-known frameworks for reducing these risks are examined in this starred paper: the FAIR (Factor Analysis of Information Risk) Framework and Chaos Engineering. This study examines and contrasts these two strategies, namely Chaos Engineering, which stresses proactive resilience testing through controlled system failures, and the FAIR Framework, a quantitative approach for evaluating and managing cybersecurity risks, with a focus on Netflix, a pioneer in the streaming sector. Although the two frameworks share the goal of enhancing organizational resilience, they differ in their design, approach, and implementation.

Chaos Engineering aims to enhance the reliability of systems by injecting failures in a controlled way, allowing engineers to learn more about the relationships that may exist between different systems, test redundancy, and observe how a system can be expected to behave under stress. The FAIR Framework, on the other hand, uses a quantitative model to express the security threats to cyber systems in financial terms, giving executive leadership quantifiable information on loss exposure, degree of probability, and the prioritization of mitigation measures. This paper reviews the theoretical background of each framework and the implementation tools in use at Netflix, such as Chaos Monkey, the Simian Army, and RiskQuant, and assesses the advantages and disadvantages of each. The results demonstrate that Chaos Engineering is effective at identifying technical vulnerabilities in the real world, while FAIR offers business-oriented strategic decisions supported by security.

In conclusion, neither framework alone is adequate for full risk management, but their combination offers a composite approach that addresses both cybersecurity risk assessment and operational resilience. The paper describes the complementary characteristics of these frameworks and suggests that their synthesis leads to a more holistic and functional risk management ecosystem. Future research opportunities include further data automation of FAIR inputs, further investigation of chaos experiments with AI, and the creation of unified frameworks that draw on the strengths of both for adaptive, real-time risk management through enhanced integration of the outputs of both frameworks in complex cloud settings.
