Mathematical and statistical notation on a notebook page — the formal decomposition FAIR brings to cyber risk analysis
Photo: Jakub Żerdzicki on Unsplash
← All posts RISK-QUANT 11 min read

FAIR Methodology Explained: Factor Analysis of Information Risk

FAIR (Factor Analysis of Information Risk) is the most widely adopted ontology for quantifying cyber risk. How its decomposition works, how it pairs with Monte Carlo simulation, and how to apply it without a statistician on staff.

FAIR Methodology Explained: Factor Analysis of Information Risk

FAIR — Factor Analysis of Information Risk — is the most widely adopted ontology for quantitative cyber risk analysis in 2026. It is governed as an open standard by the Open Group (as Open FAIR), implemented in commercial platforms, taught in certifications, adopted at major financial institutions, and accessible to organisations of any size. It is also, in essence, a single elegant idea developed with discipline: take the risk equation and decompose every term until each piece is small enough to estimate.

This article is the working practitioner's explanation of FAIR — what the model contains, how it decomposes risk into measurable factors, and how to run a FAIR analysis from end to end. For the broader context of why quantification matters, see the risk quantification pillar. For the case against the heat map that FAIR replaces, see From Heat Maps to Numbers.

This is not legal or actuarial advice.

The core equation

FAIR begins with a definition. Risk, in the FAIR sense, is the probable frequency and probable magnitude of future loss. This is more careful than common usage of the word, and the precision matters.

  • Risk = Loss Event Frequency × Loss Magnitude

Two terms, both expressed as distributions rather than point estimates. The whole edifice of FAIR is the structured decomposition of these two terms into factors small enough to estimate, and the recombination of those factor estimates back into a probability distribution for total loss.

The frequency side — how often does the loss happen

Loss Event Frequency (LEF) is decomposed into two factors:

  • Threat Event Frequency (TEF) — how often a threat actor attempts to act against the asset in a manner that could result in loss
  • Vulnerability (Vuln) — the probability that a threat event becomes a loss event, given that it occurs

The product is the rate of loss events: LEF = TEF × Vuln.

Threat Event Frequency

TEF is the rate of attempts — how many times per year a relevant threat actor would attempt the relevant action against the relevant asset. Estimating it requires being specific about all three: which threat actor (organised crime, hacktivist, insider, nation-state nexus), what action (credential stuffing, ransomware deployment, data exfiltration), against which asset (customer database, payment infrastructure, employee email).

FAIR decomposes TEF further into:

  • Contact Frequency — how often the threat actor comes into contact with the asset, in a manner relevant to the threat
  • Probability of Action — given contact, the probability the actor acts

For an externally exposed system facing automated attacks, contact frequency may be very high (constant scanning) and probability of action moderate (only certain hits are exploited). For an insider threat, contact frequency is essentially continuous and probability of action is very low for any given moment. The decomposition surfaces these structural differences that a single TEF estimate obscures.

Vulnerability

Vulnerability in FAIR is not what most security teams mean by the word — it is not a CVE or a software flaw. It is the probability that a threat event, given that it occurs, results in a loss event. It captures the effectiveness of controls.

FAIR decomposes Vulnerability into:

  • Threat Capability (TCap) — the level of force the threat actor can bring to bear
  • Control Strength (CS) — the level of force the control environment can resist

Vulnerability is then expressed as the probability that Threat Capability exceeds Control Strength. If the threat actor's capability is far below the control strength, the probability is near zero. If it exceeds, the probability is near one. This is where the analysis directly meets control effectiveness, which we treat in Measuring Control Effectiveness when published.

The magnitude side — how bad is each loss event

Loss Magnitude (LM) is decomposed into two layers:

  • Primary Loss — the direct loss to the entity itself, from the loss event
  • Secondary Loss — loss from secondary stakeholders' reactions to the event

Both are further decomposed into specific loss categories.

Primary Loss forms

FAIR identifies six primary loss forms:

  1. Productivity Loss — work the entity cannot perform during the event
  2. Response Loss — direct costs of detection, investigation, containment, recovery
  3. Replacement Loss — costs of replacing damaged or lost assets
  4. Fines and Judgements — direct regulatory or legal penalties on the entity
  5. Competitive Advantage Loss — loss of confidential information enabling competitor advantage
  6. Reputation Loss — loss attributable to the entity's reputation damage with primary stakeholders

Each loss form is estimated separately, with its own distribution, because each has different drivers and different evidence bases. Response loss is often well-characterised from incident response engagements; reputation loss is genuinely difficult to estimate and is where most analyses concentrate their analytical care.

Secondary Loss

Secondary loss captures the reactions of stakeholders beyond the primary entity — customers, regulators, partners, the market — and the financial consequences of those reactions on the entity. It is decomposed similarly to primary loss, with the same six forms, but interpreted as the consequence of stakeholder response rather than of the event itself.

Why the distinction matters: a small data breach with effective handling may have low primary loss but significant secondary loss if it triggers customer churn or regulatory penalties. A larger event with poor communications may have proportionally lower primary loss and overwhelming secondary loss. The decomposition surfaces these patterns rather than averaging them away.

The full FAIR taxonomy

The full FAIR taxonomy tree, from the top:

Risk
├── Loss Event Frequency (LEF)
│   ├── Threat Event Frequency (TEF)
│   │   ├── Contact Frequency
│   │   └── Probability of Action
│   └── Vulnerability
│       ├── Threat Capability
│       └── Control Strength
└── Loss Magnitude (LM)
    ├── Primary Loss
    │   ├── Productivity Loss
    │   ├── Response Loss
    │   ├── Replacement Loss
    │   ├── Fines & Judgements
    │   ├── Competitive Advantage Loss
    │   └── Reputation Loss
    └── Secondary Loss
        ├── Secondary Loss Event Frequency
        │   ├── ... (decomposition mirrors primary)
        └── Secondary Loss Magnitude
            ├── ... (same six forms)

This is the structure. Every FAIR analysis instantiates this tree for a specific risk scenario, populates the leaf nodes with calibrated estimates, and combines them upward through Monte Carlo simulation.

Running a FAIR analysis end to end

A workable sequence for an SME or mid-sized organisation.

1. Scope the risk scenario

The most consequential step, and the one most analyses get wrong by going too broad. A FAIR analysis is of a specific scenario: a defined threat actor, a defined action, a defined asset, in a defined context. "Cyber risk to the firm" is not a scenario. "Organised crime ransomware deployment against the customer database via phishing of finance staff over the next 12 months" is a scenario.

Scoping discipline determines analytical quality. Three to ten well-scoped scenarios usually cover most of an organisation's material cyber risk.

2. Decompose the risk into FAIR factors

Walk the taxonomy tree for the scenario. Which threat actor? What is the contact frequency for that actor against that asset? What does threat capability look like? Which loss forms apply, and which are negligible for this scenario?

Many scenarios have negligible categories — a productivity loss may be near zero for a data exfiltration scenario where no systems go down, while reputation loss may be the dominant term. The decomposition makes these distinctions visible.

3. Populate with calibrated estimates

For each leaf node, calibrated analysts produce 90% confidence intervals — or, where data exists, distributions parameterised from the data. Threat event frequencies can often be informed by threat intelligence feeds. Response loss can be informed by past incident costs or by engagement quotes from incident response firms. Reputation loss is typically the hardest and is where calibrated expert judgement does the heaviest lifting.

The calibration discipline matters: each estimator has been trained to produce intervals that match their actual uncertainty. See Calibrated Estimation: Training Analysts to Quantify Under Uncertainty when published.

4. Monte Carlo simulation

The input distributions are combined by Monte Carlo simulation. Tens of thousands of simulated years sample from each input distribution, compute the FAIR equations, and accumulate an output distribution for total annual loss. The mathematics is identical regardless of organisation size — a competent spreadsheet runs it in seconds. See Monte Carlo Simulation for Cyber Risk when published.

5. Report distributions

The output is a distribution for annual loss. The right way to report it includes:

  • Mean annual loss (sometimes called Annualised Loss Expectancy, ALE)
  • A confidence interval (typically 90%)
  • Tail values — the loss at the 95th percentile, the 99th percentile, the worst plausible case
  • A loss exceedance curve — for each loss level, the probability of exceeding it in a year

The full reporting form is in Loss Exceedance Curves and Annual Loss Expectancy when published. The point: a single number is never the right output. The distribution is.

6. Use the analysis to decide

The output supports prioritisation between control investments, communication to the board, and capital and insurance decisions. A new control's value is the change it produces in the distribution — typically a reduction in Vulnerability (via increased Control Strength) propagating through to lower expected loss and shorter tails.

A FAIR analysis that is run but not used in a decision is a missed opportunity. The frameworks justify themselves only in use.

Where FAIR is strong

Three places FAIR excels.

Decomposition clarity. The structured taxonomy means analytical disagreements become productive — analysts argue about specific factors, not about the colour of a square. This alone is a substantial improvement over qualitative methods.

Financial output. The output is in currency, and can be combined with cost estimates of controls, insurance premiums, and capital allocation. This is the translation service quantification exists to provide.

Open standard. Open FAIR is governed by the Open Group and freely available. Analyses are portable; the methodology is auditable; certifications exist for analysts. The ecosystem is mature.

Where FAIR needs care

Three honest limitations.

Scenario explosion. A real organisation has many threats against many assets. A FAIR analysis per scenario, multiplied out, can produce a long list. The discipline is to scope to the material scenarios — typically three to ten — rather than to attempt comprehensive coverage. Comprehensiveness defeats itself.

Reputation loss is hard. The most analytically uncertain term in many FAIR analyses is reputation loss. It is estimable, but with wide intervals, and the temptation to narrow the interval to look more confident must be resisted. Wide ranges are honest; narrow ranges that the data does not support are not.

Dependency between scenarios. FAIR analyses are typically run per scenario, and combining them assumes independence between them. In reality, a ransomware event and a major regulatory fine in the same year may be correlated (the fine triggered by the breach disclosure). More sophisticated FAIR practice handles this with dependency modelling; simpler analyses note the assumption.

How FAIR relates to other frameworks

A short orientation, because the field has more than one standard.

Hubbard's approach is methodologically compatible with FAIR. FAIR provides the structural decomposition; Hubbard provides the calibration discipline and the Monte Carlo methodology. Most mature practice uses both. See Hubbard's Approach when published.

Bayesian methods sit underneath FAIR. The probability theory FAIR uses is broadly Bayesian — calibrated priors updated with evidence — and the more advanced practice uses explicit Bayesian networks for the conditional dependencies. See Bayesian Methods and Updating with Evidence when published.

ISO 31000 and ISO 27005 are higher-level risk management standards that do not prescribe methodology. FAIR is fully compatible with both — it is the analytical layer that ISO leaves unspecified.

NIST CSF and ENISA frameworks describe controls and capabilities, not risk quantification. FAIR fits inside their risk-assessment expectations; it does not replace them.

How FAIR meets the regulatory regimes

FAIR's outputs map directly into what NIS2, DORA, and GDPR expect from risk analysis without being mandated by any of them.

  • NIS2 proportionality — Article 21(1)'s five proportionality factors all have FAIR equivalents (exposure ≈ TEF, severity ≈ LM, etc.). A FAIR analysis produces the defensible basis for the proportionality memo. See NIS2 Article 21 Explained.
  • DORA Pillar 1 — Article 8's identification and risk assessment obligation is satisfied substantively by a FAIR-style decomposition. See DORA ICT Risk Management Framework Explained.
  • GDPR DPIA — the risk-to-individuals lens differs from FAIR's organisation-loss lens, but the structural methodology — decomposition, calibrated estimation, residual risk — transfers. See DPIA Explained.

Frequently asked questions

Is FAIR free to use? The methodology is open and freely available. The Open Group publishes Open FAIR. Commercial tooling that implements FAIR is a separate consideration.

Do I need certified FAIR analysts to use the methodology? No, but certifications exist (Open FAIR Foundation and Practitioner). The methodology is documented and learnable.

How long does a single FAIR analysis take? A well-scoped scenario can be analysed by a small team in days to weeks, depending on data gathering. The first analysis takes longer; subsequent ones in the same organisation move faster as the patterns and inputs stabilise.

Does FAIR work for non-cyber operational risk? Yes. The decomposition is general — the same model applies to operational risk events with non-cyber root causes. Some FAIR practice extends explicitly into operational risk quantification.

What's the difference between FAIR and the FAIR Institute? FAIR is the methodology. The FAIR Institute is the practitioner community and research organisation; it does not own the standard. Open FAIR, the standardised version, is governed by the Open Group.

Is FAIR audited by regulators? Regulators do not certify methodologies. But a FAIR analysis is widely recognised as a defensible basis for risk decisions, including by supervisory authorities under DORA.

The bottom line

Three takeaways.

  1. FAIR's contribution is structural. The decomposition of risk into measurable factors is what enables quantification at all; without it, qualitative scoring is the alternative.
  2. The output is a distribution, not a number. Annual Loss Expectancy is a useful summary; the full distribution is the actual answer.
  3. FAIR plus calibration plus Monte Carlo is the working practitioner's combination. Each component is necessary; together they are accessible to any organisation that decides to use them.

For the methodological core, see Hubbard's Approach to Cyber Risk Quantification. For the simulation mechanics, see Monte Carlo Simulation for Cyber Risk when published.


Sources & further reading

  • The Open Group — Open FAIR Body of Knowledge, Open FAIR Risk Analysis Standard, Risk Taxonomy Standard
  • Jack Jones and Jack Freund — Measuring and Managing Information Risk: A FAIR Approach
  • FAIR Institute — case studies, research, practitioner community
  • Doug Hubbard and Richard Seiersen — How to Measure Anything in Cybersecurity Risk (2nd edition) — methodologically complementary
  • ISO/IEC 27005:2022 — Information security risk management — higher-level framework FAIR fits inside
#risk-quantification#fair#open-fair#ontology#guide