The FAIR Model: Quantifying Cyber Risk in Financial Terms
Factor Analysis of Information Risk (FAIR) is the leading international standard for quantitative cyber risk analysis. Unlike qualitative approaches that rate risk as high, medium, or low, FAIR produces financial estimates that boards and executives can compare against other business risks and investment opportunities. For CISOs seeking to elevate security discussions from technical fear to business decision-making, FAIR provides the rigorous methodology needed.
Why Qualitative Risk Assessment Falls Short
Traditional risk matrices — plotting likelihood against impact on a coloured grid — suffer from well-documented problems. They conflate ordinal scales with quantitative relationships, produce inconsistent results across different assessors, and give boards no actionable financial information. When a CISO presents a "high risk" rating, the board cannot determine whether that means a $100,000 problem or a $10 million problem.
FAIR addresses these shortcomings by decomposing risk into measurable components and producing probability distributions of financial loss. Instead of "high risk," the output might be "there is a 70% probability that annual losses from this scenario will fall between $500,000 and $2.5 million, with an expected value of $1.2 million." This is language that CFOs and board members can work with.
How FAIR Works
FAIR decomposes risk into two primary factors:
Loss Event Frequency (LEF): How often a loss event is expected to occur, derived from Threat Event Frequency (how often threats act against assets) and Vulnerability (the probability that a threat event results in loss). These factors are estimated using ranges rather than point values, acknowledging inherent uncertainty.
Loss Magnitude (LM): The financial impact when a loss event occurs, broken into six categories: productivity loss, response costs, replacement costs, fines and judgements, competitive advantage loss, and reputation damage. Each category is estimated independently using data, benchmarks, and expert judgement.
By combining frequency and magnitude through Monte Carlo simulation, FAIR produces a probability distribution of annual loss — the same type of analysis used in financial risk management and insurance.
Implementing FAIR Practically
- Start with your top five risk scenarios: Do not attempt to model every possible threat. Focus on the scenarios most relevant to your organisation and build expertise iteratively.
- Calibrate estimates with data: Use industry reports (IBM, Verizon, Ponemon, Sophos) to inform frequency and magnitude estimates. Perfect data is not required — reasonable ranges are sufficient.
- Use the results for decision support: Compare the expected loss reduction from proposed controls against their cost. FAIR makes it straightforward to calculate ROI and prioritise investments.
- Communicate in financial terms: Present risk scenarios to the board using dollar ranges and probabilities. This enables comparison with other business risks and supports informed investment decisions.
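As an added example, not code from this page or from CyberROI, the decomposition described under "How FAIR Works" and the control-ROI comparison in the decision-support step above, carried out as a small Monte Carlo simulation in Python. All scenario numbers are constructed, illustrative assumptions, not industry benchmarks.

```python
import math
import random
# Constructed example scenario (not from the page); every factor is a
# (min, most_likely, max) range, since FAIR estimates ranges rather than points.
SCENARIO = {
    "tef": (2.0, 4.0, 8.0),                 # threat events per year
    "vulnerability": (0.10, 0.25, 0.50),    # P(threat event becomes a loss event)
    "loss_magnitude": {                     # FAIR's six loss forms, USD per event
        "productivity": (20_000, 80_000, 250_000),
        "response": (10_000, 40_000, 120_000),
        "replacement": (5_000, 15_000, 50_000),
        "fines_judgements": (0, 25_000, 500_000),
        "competitive_advantage": (0, 10_000, 200_000),
        "reputation": (0, 50_000, 400_000),
    },
}

def draw(rng, estimate):
    low, mode, high = estimate          # sample one value from a min/likely/max range
    return rng.triangular(low, high, mode)

def poisson(rng, lam):
    """Number of loss events in one year for an expected rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(scenario, iterations=10_000, seed=1):
    """Monte Carlo: LEF = TEF x Vulnerability; annual loss = sum of per-event LM draws."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        lef = draw(rng, scenario["tef"]) * draw(rng, scenario["vulnerability"])
        losses.append(sum(sum(draw(rng, r) for r in scenario["loss_magnitude"].values())
                          for _ in range(poisson(rng, lef))))
    losses.sort()
    pct = lambda p: losses[int(p * (iterations - 1))]
    return {"ale": sum(losses) / iterations, "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}

def control_roi(scenario, control_cost, vuln_reduction, seed=1):
    """A control modelled as cutting Vulnerability by vuln_reduction; compare ALE before/after."""
    scaled = tuple(v * (1 - vuln_reduction) for v in scenario["vulnerability"])
    baseline = simulate(scenario, seed=seed)["ale"]
    residual = simulate(dict(scenario, vulnerability=scaled), seed=seed)["ale"]
    return {"baseline_ale": baseline, "residual_ale": residual, "annual_benefit": baseline - residual,
            "roi": (baseline - residual - control_cost) / control_cost}
```

`simulate(SCENARIO)` returns the expected annual loss (ALE) with the 10th, 50th and 90th percentiles of the loss distribution, the kind of range-and-probability statement the article recommends presenting to a board; `control_roi(SCENARIO, 100_000, 0.6)` compares that ALE against the residual ALE after a control that cuts Vulnerability by 60%.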
FAIR and CyberROI
The Annual Loss Expectancy methodology used in CyberROI is closely aligned with FAIR principles. Both approaches translate threat scenarios into financial terms, model control effectiveness as risk reduction, and produce ROI calculations that support investment decisions. CyberROI simplifies the process with pre-built scenarios and industry benchmarks, making quantitative risk analysis accessible without requiring a full FAIR implementation.