Interactive Guide: FAIR Risk Scoring

Move from "High/Medium/Low" to quantifying risk in real financial terms.

What is FAIR?

FAIR (Factor Analysis of Information Risk) is a model for understanding, analyzing, and quantifying information risk in financial terms (it is published as an open standard, Open FAIR, by The Open Group). Instead of using subjective labels such as "High/Medium/Low", FAIR breaks risk down into its fundamental components so that each one can be estimated and defended separately.

The entire model boils down to one primary, high-level formula:

Risk = Loss Event Frequency × Probable Loss Magnitude

The FAIR Risk Model: A Breakdown

Risk is the combination of how often a loss happens and how bad it is when it does. We can break these two factors down even further.

1. Loss Event Frequency (LEF)

"How often will a loss event occur?"

This is determined by two factors:

  • Threat Event Frequency (TEF)

    How often does a threat agent (an external attacker, a malicious insider, or even an error-prone employee) act against your asset in a way that could cause loss? Note that TEF counts attempts, not successes.

  • Vulnerability (Vuln)

    When a threat event occurs, what is the probability that it succeeds and becomes a loss event? FAIR derives this from the threat's capability relative to the asset's resistance strength (the strength of the controls in place), so Vuln is a probability between 0 and 1, not a CVE count.

2. Probable Loss Magnitude (PLM)

"How much money will we lose when it happens?"

This is determined by two forms of loss:

  • Primary Loss

    Direct costs borne by the organization because of the event itself (e.g., incident response, replacement of hardware or data, lost productivity and revenue).

  • Secondary Loss

    Indirect "aftershock" costs that arise from how external stakeholders react to the event (e.g., regulatory fines, legal judgments, reputational damage, customer churn). In FAIR, secondary loss is itself a frequency times a magnitude: not every loss event triggers a stakeholder reaction, so an analysis estimates both the probability of that reaction and its cost.
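The two formulas above (LEF = TEF × Vuln, PLM = Primary + Secondary, Risk = LEF × PLM) are shown below as an added example that is not part of the original guide. The first function is the point-estimate arithmetic the guide describes; the second goes a step beyond the guide and does what a full FAIR analysis actually does: it takes each input as a min / most-likely / max range (a PERT distribution) and runs a Monte Carlo simulation to produce a distribution of annual loss rather than a single number. The input values used in the example (50 attempts/year at a 10% success rate, $60,000 primary and $40,000 secondary loss per event, a 50% chance that a secondary loss occurs) are assumptions chosen to reproduce the guide's 5.0 events/year and $100,000 per event; they are not figures from the guide.

```python
"""Point-estimate and Monte Carlo versions of the FAIR risk formula.

Risk (ALE) = Loss Event Frequency (LEF) x Probable Loss Magnitude (PLM)
  LEF = Threat Event Frequency (TEF) x Vulnerability (Vuln)
  PLM = Primary Loss + Secondary Loss
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """A calibrated estimate as min / most-likely / max, the form FAIR inputs usually take."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not (self.low <= self.mode <= self.high):
            raise ValueError("need low <= mode <= high")

    def mean(self) -> float:
        # Mean of the standard (lambda = 4) PERT distribution.
        return (self.low + 4 * self.mode + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:  # degenerate estimate: a single known value
            return self.low
        span = self.high - self.low
        alpha = 1 + 4 * (self.mode - self.low) / span
        beta = 1 + 4 * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(alpha, beta)


def ale_point(tef: float, vuln: float, primary: float, secondary: float) -> dict:
    """The guide's calculator: single averages multiplied through the formula."""
    if not 0.0 <= vuln <= 1.0:
        raise ValueError("vuln is a probability in [0, 1]; divide a percentage by 100 first")
    lef = tef * vuln            # loss events per year
    plm = primary + secondary   # dollars per loss event
    return {"lef": lef, "plm": plm, "ale": lef * plm}


def _poisson(rng: random.Random, lam: float) -> int:
    # Knuth's method; fine for the small annual event rates of a single scenario.
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def ale_simulate(tef: Pert, vuln: Pert, primary: Pert, secondary: Pert,
                 p_secondary: float, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo FAIR: each trial is one simulated year of loss events."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lef = tef.sample(rng) * vuln.sample(rng)   # this year's expected loss events
        events = _poisson(rng, lef)                 # how many actually happened
        loss = 0.0
        for _ in range(events):
            loss += primary.sample(rng)
            if rng.random() < p_secondary:          # secondary loss has its own frequency
                loss += secondary.sample(rng)
        annual.append(loss)
    annual.sort()

    def pct(q: float) -> float:
        return annual[min(len(annual) - 1, int(q * len(annual)))]

    return {"mean": sum(annual) / len(annual),
            "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95), "max": annual[-1]}


if __name__ == "__main__":
    # Assumed inputs (not from the guide) that reproduce its LEF 5.0/yr and PLM $100,000.
    point = ale_point(tef=50, vuln=0.10, primary=60_000, secondary=40_000)
    print(f"point estimate: LEF {point['lef']:.1f}/yr, PLM ${point['plm']:,.0f}, ALE ${point['ale']:,.0f}/yr")

    sim = ale_simulate(tef=Pert(20, 50, 80), vuln=Pert(0.05, 0.10, 0.15),
                       primary=Pert(20_000, 60_000, 100_000),
                       secondary=Pert(20_000, 80_000, 140_000), p_secondary=0.5)
    for k, v in sim.items():
        print(f"simulated annual loss {k}: ${v:,.0f}")
```

The simulated mean lands close to the point estimate because the ranges were chosen to have the same expected values, but the p90 and p95 figures are what the point estimate hides: the years in which several loss events cluster. Those tail values, not the average, are usually what a control investment is being compared against.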

Interactive Risk Calculator

The calculator takes four inputs and multiplies them through the formula above.

Loss Event Frequency (LEF)

  • How many times per year does a threat *attempt* an attack? (TEF)

  • What percentage of those attempts are *successful*? (Vuln, entered as a percentage and divided by 100)

Probable Loss Magnitude (PLM)

  • Average *direct* cost per successful event, in $ (e.g., response).

  • Average *indirect* cost per successful event, in $ (e.g., fines).

Calculated Annualized Risk (ALE)

With the default inputs the calculator reports:

LEF: 5.0 events/year

PLM: $100,000 per event

ALE: $500,000 per year (5.0 × $100,000)

ALE stands for annualized loss expectancy. Because every input here is a single average, the result is a point estimate; a full FAIR analysis estimates each input as a min / most-likely / max range and simulates the outcome, which also reveals how bad a worse-than-average year can be.