
📊 FAIR Methodology

Factor Analysis of Information Risk - Quantitative Cyber Risk Assessment

What is FAIR?

FAIR (Factor Analysis of Information Risk) is an international standard (ISO/IEC 27005) for quantifying cyber risk in financial terms. Unlike qualitative approaches that use subjective ratings like "High," "Medium," or "Low," FAIR enables you to express risk as a dollar amount—making it directly comparable to other business risks.

Why Quantitative Risk Analysis Matters

When executives ask "Should we spend $500K on this security control?", qualitative risk assessments can't answer effectively. FAIR provides the financial language business leaders understand, enabling data-driven security investment decisions.

The FAIR Model: Core Concepts

The fundamental FAIR equation:

Risk = Loss Event Frequency × Loss Magnitude

How often bad things happen × How bad they are when they do

Loss Event Frequency (LEF)

How often a threat successfully causes a loss event, measured in events per year. This considers:

Example: Ransomware LEF

A healthcare organization might estimate:
  • Minimum: 0.5 events/year (once every 2 years)
  • Most Likely: 2 events/year
  • Maximum: 8 events/year (worst case)

Loss Magnitude (LM)

How much a single loss event costs, measured in USD. This includes:

Example: Ransomware LM

For the same healthcare organization:
  • Minimum: $150,000 (limited impact, good backups)
  • Most Likely: $750,000 (typical recovery costs)
  • Maximum: $5,000,000 (extended downtime, ransom payment, regulatory fines)

PERT Distributions: Handling Uncertainty

Cyber risk is inherently uncertain. FAIR uses PERT (Program Evaluation and Review Technique) distributions to model this uncertainty with three-point estimates:

Minimum

Best-case scenario. What happens if everything goes right (good backups, quick detection, minimal impact)?

Most Likely

Realistic scenario. What typically happens based on industry data and your specific controls?

Maximum

Worst-case scenario. What happens if everything goes wrong (no backups, extended downtime, data loss)?

Monte Carlo Simulation

OpenImpactCascade runs 10,000 simulations using your PERT estimates to calculate:

Why 10,000 Simulations?

Monte Carlo simulation randomly samples from your PERT distributions thousands of times to build a complete picture of possible outcomes. This captures the full range of uncertainty and provides statistically robust results for decision-making.

📊 Advanced Topic: Learn how we've modified the standard PERT distribution to better reflect real-world cyber loss patterns in our Probability Weighting Guide.

How OpenImpactCascade Implements FAIR

1. Threat-Specific Questionnaires

Our AI generates questionnaires tailored to your industry and region, identifying the most relevant threats based on MITRE ATT&CK and current threat intelligence.

2. Guided Estimation

For each threat, you provide three-point estimates for both LEF and LM. Our AI assistant helps you:

3. Automated Analysis

The platform automatically runs Monte Carlo simulation and presents results in business-friendly terms:

4. Control Investment Analysis

After seeing baseline risk, you can model the impact of security investments by adjusting LEF (controls reduce attack frequency) or LM (controls reduce impact severity).

FAIR in Practice: Complete Example

Scenario: Healthcare Ransomware Risk

Inputs:

  • LEF: 0.5 - 2 - 8 events/year
  • LM: $150K - $750K - $5M per event

Monte Carlo Results (10,000 simulations):

  • Expected Annual Loss: $1,850,000
  • 50th Percentile (Median): $1,200,000
  • 90th Percentile: $4,500,000
  • 95th Percentile: $7,200,000

Business Interpretation:

"We expect to lose approximately $1.85M per year to ransomware. There's a 10% chance losses will exceed $4.5M in a given year. This justifies a $500K annual investment in enhanced endpoint detection and offline backups, which could reduce expected losses by 60%."
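The PERT three-point estimates, the 10,000-run Monte Carlo simulation and the control investment analysis described above, brought together in one added Python example. This is editor-written illustration code, not OpenImpactCascade's implementation. It assumes a standard PERT (Beta distribution with the usual lambda = 4 weighting on the most-likely value), draws each simulated year's number of loss events from a Poisson distribution around the sampled LEF, and uses nearest-rank percentiles; the platform's modified probability weighting is not reproduced, so the figures it produces will differ from the $1.85M and $4.5M results quoted in the example above. The names `Pert`, `simulate`, `compare_control`, the $500K control cost with an assumed 60% cut in attack frequency, and the random seed are all assumptions of this example.

```python
# Added example (not OpenImpactCascade code): FAIR-style Monte Carlo on PERT estimates.
# Assumed: standard PERT with lambda = 4, Poisson event counts per year, nearest-rank percentiles.
import math
import random
from dataclasses import dataclass

PERT_LAMBDA = 4.0  # classic PERT weight on the most-likely value

@dataclass(frozen=True)
class Pert:
    """Three-point estimate: minimum, most likely, maximum."""
    minimum: float
    most_likely: float
    maximum: float

    def __post_init__(self):
        if not (self.minimum <= self.most_likely <= self.maximum) or self.minimum == self.maximum:
            raise ValueError("need minimum <= most_likely <= maximum, with minimum < maximum")

    def mean(self) -> float:
        # Analytic PERT mean: (min + lambda*mode + max) / (lambda + 2)
        return (self.minimum + PERT_LAMBDA * self.most_likely + self.maximum) / (PERT_LAMBDA + 2)

    def sample(self, rng: random.Random) -> float:
        # PERT is a Beta distribution stretched over [min, max]
        span = self.maximum - self.minimum
        a = 1 + PERT_LAMBDA * (self.most_likely - self.minimum) / span
        b = 1 + PERT_LAMBDA * (self.maximum - self.most_likely) / span
        return self.minimum + span * rng.betavariate(a, b)

    def scaled(self, factor: float) -> "Pert":  # a control that shrinks the whole estimate
        return Pert(self.minimum * factor, self.most_likely * factor, self.maximum * factor)

def sample_pert(dist: Pert, n: int, seed: int = 0) -> list:
    rng = random.Random(seed)
    return [dist.sample(rng) for _ in range(n)]

def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def percentile(sorted_values: list, p: float) -> float:
    """Nearest-rank percentile (p in 0..1) of an ascending list."""
    rank = max(1, math.ceil(p * len(sorted_values)))
    return sorted_values[rank - 1]

@dataclass(frozen=True)
class RiskResult:
    expected_annual_loss: float
    p50: float
    p90: float
    p95: float

def simulate(lef: Pert, lm: Pert, runs: int = 10_000, seed: int = 42) -> RiskResult:
    """Each run is one simulated year: draw a loss-event rate, draw how many
    events occur at that rate, then draw and sum a magnitude for each event."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(runs):
        events = poisson(rng, lef.sample(rng))
        annual_losses.append(sum(lm.sample(rng) for _ in range(events)))
    annual_losses.sort()
    return RiskResult(sum(annual_losses) / runs,
                      *(percentile(annual_losses, p) for p in (0.50, 0.90, 0.95)))

@dataclass(frozen=True)
class ControlComparison:
    baseline_eal: float
    residual_eal: float
    control_cost: float

    @property
    def net_benefit(self) -> float:  # loss avoided per year minus the control's yearly cost
        return (self.baseline_eal - self.residual_eal) - self.control_cost

def compare_control(lef: Pert, lm: Pert, control_cost: float, lef_factor: float = 1.0,
                    lm_factor: float = 1.0, runs: int = 10_000, seed: int = 42) -> ControlComparison:
    """Re-run with LEF and/or LM scaled down by the control. Both runs share a
    seed so the difference is driven by the control, not by sampling noise."""
    baseline = simulate(lef, lm, runs, seed)
    residual = simulate(lef.scaled(lef_factor), lm.scaled(lm_factor), runs, seed)
    return ControlComparison(baseline.expected_annual_loss, residual.expected_annual_loss, control_cost)

# The page's healthcare ransomware estimates
RANSOMWARE_LEF = Pert(0.5, 2, 8)                    # events per year
RANSOMWARE_LM = Pert(150_000, 750_000, 5_000_000)   # USD per event

if __name__ == "__main__":
    r = simulate(RANSOMWARE_LEF, RANSOMWARE_LM)
    print(f"EAL ${r.expected_annual_loss:,.0f}; P50 ${r.p50:,.0f} P90 ${r.p90:,.0f} P95 ${r.p95:,.0f}")
    c = compare_control(RANSOMWARE_LEF, RANSOMWARE_LM, 500_000, lef_factor=0.4)  # hypothetical control
    print(f"Baseline ${c.baseline_eal:,.0f} -> residual ${c.residual_eal:,.0f}; net ${c.net_benefit:,.0f}")
```

A useful sanity check before trusting any simulator is the analytic expectation: with a standard PERT, the expected annual loss is simply E[LEF] × E[LM], here 2.75 events/year × $1,358,333 per event, roughly $3.74M, and the simulated mean should land within a percent or two of that. The percentiles are where Monte Carlo earns its keep, because they show the tail the single expected value hides. In the control comparison both runs reuse the same seed (common random numbers), so the reported reduction reflects the modelled control rather than two different random draws.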

Learning More About FAIR

Ready to Quantify Your Cyber Risk?

Start with an AI-generated questionnaire that guides you through FAIR-based risk assessment, providing industry-specific threat scenarios and estimation guidance.
