FAIR™ in Practice: The Standard for Quantifying Cyber Risk

FAIR (Factor Analysis of Information Risk) is the industry-standard methodology for cyber risk quantification. It complements frameworks like NIST CSF and ISO 27005 by translating cyber risks into financial terms, enabling risk professionals, CISOs, and security teams to move beyond heat maps toward prioritized decision support.

Key points:
  • How FAIR got its start: Factor Analysis of Information Risk was created out of a need to help with decision making by reducing uncertainty in cyber and technology risk
  • Translating cyber and technology risk in financial terms: Risk is better understood by the business when the financial impact is understood
  • A structured, compatible framework: FAIR’s taxonomy and five-step analysis process align with ISO 27005, EBIOS RM and other cybersecurity standards and frameworks
  • Use cases for FAIR™: Organizations use cyber risk quantification for AI risk assessment, mergers and acquisitions due diligence, and justifying cybersecurity investments to leadership

The Fundamental Principles of FAIR™

Origins of the Method

Every cybersecurity leader has faced the boardroom question:

“So, how much risk are we actually facing?”

Jack Jones, then Chief Information Security Officer (CISO) at Nationwide Insurance, faced this exact challenge in the early 2000s. Frustrated with imprecise heatmaps and subjective assessments, he began researching a better way to communicate cyber risk and justify the security budget.

The result of his research was the FAIR (Factor Analysis of Information Risk) taxonomy and method in 2001. Rather than relying on guesswork or qualitative scales, FAIR was developed as a structured, data-driven model to quantify risk. By using a standardized language for risk and objective inputs, FAIR makes it possible to communicate cybersecurity risk in clear business terms.

Becoming an Open Standard

Recognizing the need for an open standard taxonomy and quantitative risk analysis model, The Open Group formalized FAIR in 2013 as part of The Open FAIR™ Body of Knowledge. They established two key standards that lay the foundation for quantitative risk analysis: the Risk Taxonomy Standard (O-RT), which establishes consistent definitions and relationships between key risk factors, and the Risk Analysis Standard (O-RA), which outlines the process for performing quantitative risk assessments using FAIR.

FAIR’s Core Philosophy

A primary goal of a FAIR analysis is to help decision making by reducing uncertainty about risk.

The FAIR taxonomy defines risk as "the probable frequency and probable magnitude of future loss." In other words, FAIR helps you understand how often something bad will happen and how much it will cost.

This approach differs from traditional qualitative methods that rely on subjective ratings such as high, medium, or low. Instead, the FAIR model uses organizational and industry data to calculate risk in monetary values and probabilistic terms.

FAIR helps CISOs communicate to the board in a way they understand.

The FAIR Taxonomy Demystified

The Risk Taxonomy Standard (O-RT) provides a common language for risk assessment and illustrates the relationships between each of the factors. This standardized language for risk ensures consistency across different analyses and across organizations.

At the heart of FAIR is a simple concept: break risk down into its component parts so you can measure them.

Let’s say your company is worried about phishing attacks. FAIR helps you model that risk like this:

  • Threat Event Frequency: How often are phishing emails sent to your employees?
  • Vulnerability: How likely is someone to fall for it, based on training and defenses?
  • Loss Event Frequency: How often will phishing actually succeed?
  • Loss Magnitude: If it does, what’s the damage? Stolen credentials, regulatory fines, customer churn? How much does it cost to fix?

This approach gives you something incredibly powerful: a monetary estimate of risk while reducing uncertainty. It moves away from the less actionable “high/medium/low” heat maps. Because when everything is medium risk, how do you prioritize your security investments?

The FAIR Risk Analysis Process

The FAIR methodology follows a structured five-stage process that is defined in The Open FAIR™ Risk Analysis Standard (O-RA), ensuring consistent and repeatable results:

  • Stage 1: Identify the Loss Scenario (Scope the Analysis)
  • Stage 2: Evaluate the Loss Event Frequency
  • Stage 3: Evaluate the Loss Magnitude
  • Stage 4: Derive and Articulate Risk
  • Stage 5: Model the Effect of Controls

The first stage is where risk teams put in the most time structuring their thoughts and considering numerous factors involved in scoping a scenario.

Cyber Risk Scenarios with FAIR

With FAIR, your analysis is only as strong as your scenario, so it’s important to be specific when describing it. A poorly worded scenario like:

“Ransomware is a major concern for hospital networks.”

…is not actionable. It doesn’t provide enough specificity to identify the FAIR factors that contribute to risk.

To make risk measurable, you need to paint a clear, detailed picture. Here’s a better version:

“A ransomware gang encrypts a hospital’s payroll and billing systems using encryption malware and extortion, causing system downtime, delayed staff salaries, and a ransom demand.”

The second version gives you the specific factors to measure:

Loss Event Frequency: How often do hospitals experience downtime as the result of a ransomware attack via encryption malware?

Loss Magnitude: How much does it cost for each hour of downtime? What fines do I face for paying my employees late?

“No matter how ‘fuzzy’ the measurement is, it’s still a measurement if it tells you more than you knew before.”

Addressing Uncertainty and Quantification

By quantifying uncertainty using the FAIR method, risk professionals are able to improve the accuracy and reliability of their risk assessments, ultimately improving their ability to identify the most critical risks and then to prioritize actions.

Uncertainty is addressed by FAIR through various techniques and approaches. They include:

  • Scenario analysis
  • Discussions with subject matter experts
  • Calibration
  • Use of ranges (Min, Most Likely, Max) at a 90% confidence interval
  • Monte Carlo simulation
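As an added example that is not part of this article or of C-Risk’s tooling, the script below applies the phishing decomposition from the taxonomy section (Threat Event Frequency × Vulnerability → Loss Event Frequency, then Loss Magnitude) together with the Min/ML/Max ranges and Monte Carlo simulation listed above. The input values are constructed for illustration, and a triangular distribution is assumed as a stand-in for the PERT distribution FAIR tools usually fit to calibrated ranges.

```python
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Estimate:
    """Calibrated 90% confidence range (min, most likely, max) for one FAIR factor."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Assumption: a triangular distribution stands in for the PERT distribution
        # that FAIR tooling typically fits to Min/ML/Max estimates.
        return rng.triangular(self.low, self.high, self.most_likely)


@dataclass(frozen=True)
class Scenario:
    threat_event_frequency: Estimate  # phishing campaigns reaching staff per year
    vulnerability: Estimate           # probability a campaign becomes a loss event
    loss_magnitude: Estimate          # cost per loss event, primary + secondary, EUR


def simulate_annual_loss(scenario: Scenario, trials: int = 10_000, seed: int = 42) -> dict:
    """Monte Carlo over the FAIR factors; returns annual loss exposure statistics."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        tef = scenario.threat_event_frequency.sample(rng)
        vuln = scenario.vulnerability.sample(rng)
        # Loss Event Frequency = TEF x Vulnerability: each threat event in the
        # simulated year becomes a loss event with probability `vuln`.
        loss_events = sum(1 for _ in range(round(tef)) if rng.random() < vuln)
        annual_losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(loss_events)))
    p10, p50, p90 = (quantiles(annual_losses, n=10)[i] for i in (0, 4, 8))
    return {"p10": p10, "p50": p50, "p90": p90, "mean": mean(annual_losses), "max": max(annual_losses)}


# Constructed inputs for the phishing scenario in the article; not real organizational data.
PHISHING = Scenario(
    threat_event_frequency=Estimate(12, 24, 60),
    vulnerability=Estimate(0.01, 0.03, 0.10),
    loss_magnitude=Estimate(5_000, 40_000, 400_000),
)

if __name__ == "__main__":
    for name, value in simulate_annual_loss(PHISHING).items():
        print(f"{name:>4}: {value:>12,.0f} EUR")
```

The percentile spread (p10 to p90) is the part to show a board: it states the exposure with its remaining uncertainty, which a single "medium" rating cannot do.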

Implementing FAIR in Your Organization

Getting Started with FAIR

FAIR doesn’t require policy change or a new risk management strategy.

Look at the data you have and go from there. One of the advantages of a FAIR analysis is that you already have plenty of data at your fingertips. It’s just a matter of contextualizing it.

Many CISOs and security teams gain value from performing a single FAIR analysis that will be used to support a single security decision.

Use Cases for FAIR

In the Gartner survey Cyber Risk Quantification (CRQ): Adoption and Impacts, 53% of IT and infosec leaders listed cyber insurance and compliance reporting among the top use cases for cyber risk quantification.

Additional use cases are:

  • AI risk assessments
  • Third-party risk management
  • Mergers and acquisitions

Technology and Tools

While a FAIR analysis can be done with pen and paper, organizations can also benefit from the automation and scaling a FAIR-powered platform can provide. Quantitative risk management platforms can integrate with existing security processes and tooling to automate data collection and reduce the manual effort required for risk assessments.

The choice of a CRQ platform should always align with organizational needs and resources.

Complementing Cyber Risk Management Frameworks

FAIR complements existing risk management frameworks by providing quantitative analysis capabilities. Organizations maintain their established processes (ISO 27005, NIST CSF, EBIOS RM) for risk identification and control selection, then apply FAIR methodology to quantify the risk using many of the data points gathered in the risk management process.

Key Benefits of FAIR

Using FAIR, risk professionals apply transparent, defensible and repeatable methods to quantify cyber and technology risk. This aligns closely with evolving regulatory expectations, such as those for NIS2 and DORA.

  • Quantitative, Risk-Based Assessments
    FAIR translates cyber and operational risks into financial terms, supporting data-driven decision-making that regulators increasingly expect.
  • Alignment with Regulatory Frameworks
    Regulatory frameworks like NIS2 and DORA call for risk-based approaches, scenario analysis, and resilience planning. FAIR’s structured methodology provides the structure and defensibility needed to meet these requirements.
  • Improved Collaboration Across Lines of Defense
    FAIR establishes a common language between the first line of defense and the second line, facilitating more effective risk governance and prioritization.
  • Decision Support
    FAIR also supports portfolio-level analysis, enabling organizations to understand how individual risks aggregate and interact. This perspective is crucial for strategic planning and helps prevent over-investment in low-impact risks.
  • Transparency and Auditability
    The FAIR taxonomy and methodology are an open standard. They enable organizations to demonstrate how risks are identified, measured, and mitigated.

By integrating FAIR into a risk management process, organizations strengthen their risk posture and build cyber resilience.

FAIR™ with C-Risk

How C-Risk transforms cyber risk quantification

At C-Risk, we help large organizations implement the FAIR standard and data-driven risk management to move beyond heat maps toward quantified decision support. We can help you address how to:

  • Build your FAIR risk quantification capability
  • Operationalize cyber risk quantification
  • Accelerate regulatory compliance
  • Quantify third-party risk exposure
  • Implement an integrated risk platform

Our proven data-driven risk management expertise delivers measurable results. We support security and risk leaders to improve communication with the board, prioritize security investments strategically, and demonstrate quantifiable value to stakeholders.

Ready to move beyond "high-medium-low" risk ratings? Connect with our team to explore how FAIR-based cyber risk quantification can transform your risk communication and decision-making.