The FAIR (Factor Analysis of Information Risk) model is the international standard for quantifying cyber risk in financial terms. Instead of red/yellow/green heat maps, FAIR gives security leaders a defensible, dollar-denominated way to communicate risk to the board.
How FAIR Works
FAIR decomposes risk into two measurable dimensions:
- Loss Event Frequency (LEF) — How often a loss event is expected to occur. This combines Threat Event Frequency (how often threats act) and Vulnerability (the probability an action results in loss).
- Loss Magnitude (LM) — The financial impact when a loss occurs. Split into Primary Loss (direct costs) and Secondary Loss (stakeholder reactions like lawsuits, fines, reputation damage).
The formula: Risk = LEF × LM. Because LEF is expressed as events per year, the product is an annualized dollar figure — your Annual Loss Expectancy (ALE).
The Six Forms of Loss
Every cyber incident maps to one or more of FAIR's six loss categories, split across primary (direct) and secondary (stakeholder reaction) impacts:
| Type | Category | Description |
|---|---|---|
| Primary (Direct) | Productivity | Operational inability to deliver products or services |
| Primary (Direct) | Response | Costs of managing the incident (IR teams, forensics, comms) |
| Primary (Direct) | Replacement | Replacing or restoring damaged capital assets |
| Secondary (Reactions) | Fines & Judgments | Regulatory penalties, lawsuits, contractual penalties |
| Secondary (Reactions) | Competitive Advantage | Loss of IP, trade secrets, or market differentiators |
| Secondary (Reactions) | Reputation | Decreased stakeholder confidence, customer churn, stock impact |
Source: FAIR Institute
FAIR Cyber Risk Scenario Taxonomy
The FAIR CRM Scenario Taxonomy (February 2025) provides a standardized way to define risk scenarios using four elements. Each scenario follows the structure: "[Threat] impacts [Asset] via [Method], causing [Effect]."
Threats — Who Causes Harm
| Threat Actor | Intent | Description |
|---|---|---|
| Cyber Criminals | Malicious | Financially motivated groups operating ransomware, fraud, and data theft operations |
| Nation-State | Malicious | Government-sponsored actors conducting espionage, sabotage, or strategic disruption |
| Privileged Insider | Both | Employees or contractors with elevated access who misuse it deliberately or accidentally |
| Non Privileged Insider | Both | Standard users who cause harm through mistakes, social engineering, or low-level abuse |
| AI Agents | Both | Autonomous systems that cause harm through adversarial manipulation or unintended behavior |
| Hacktivists | Malicious | Ideologically motivated attackers targeting organizations for political or social causes |
| Cyber Terrorists | Malicious | Actors seeking to cause fear, disruption, or physical harm through cyber means |
| Script Kiddies | Malicious | Low-skill attackers using pre-built tools and exploits opportunistically |
| Competitor Driven | Malicious | Rivals conducting corporate espionage, IP theft, or competitive sabotage |
| Sabotage Actors | Malicious | Individuals or groups intent on destroying systems, data, or operational capability |
Assets — What Is at Risk
| Asset Category | Examples |
|---|---|
| Sensitive Personal Data | PII, PHI, financial records, biometric data |
| IP & Trade Secrets | Source code, formulas, proprietary algorithms, R&D data |
| Co-Owned Proprietary Data | Joint venture data, shared datasets, partner integrations |
| Confidential Business Information | Strategic plans, M&A data, internal financials, legal communications |
| Revenue-Generating Process | E-commerce platforms, SaaS applications, payment processing |
| Third-Party Revenue Process | Client-facing services, managed platforms, outsourced operations |
| Cost-Generating Process | Manufacturing systems, logistics, internal IT infrastructure |
| Product or Service | Software products, APIs, digital services customers rely on |
| Cash or Cash Equivalent | Bank accounts, cryptocurrency wallets, payment instruments |
| Physical Assets & Facilities | Data centers, OT/ICS systems, IoT devices, office infrastructure |
Methods — How Attacks Happen
| Attack Method | Description |
|---|---|
| Ransomware + Exfiltration | Encrypts systems and steals data for double extortion leverage |
| Ransomware (Encryption Only) | Locks systems without data theft, pressuring victims to pay for decryption |
| Data Exfiltration | Unauthorized extraction of sensitive data without encrypting systems |
| DDoS | Overwhelms infrastructure to cause service outages |
| Cryptomining | Hijacks compute resources for unauthorized cryptocurrency mining |
| Account Takeover | Compromises user or admin accounts to impersonate legitimate users |
| Malware | Deploys trojans, worms, or spyware for persistence and control |
| System Outage | Causes operational disruption through destructive attacks or misconfiguration |
| Data Corruption | Alters or destroys data integrity without necessarily exfiltrating it |
| Data Leakage | Unintentional exposure through misconfiguration, oversharing, or poor access controls |
Initial Attack Vectors
| Vector | Description |
|---|---|
| Phishing | Social engineering via email, SMS, or voice to trick users into granting access |
| SIM Swapping | Hijacks phone numbers to bypass SMS-based MFA |
| Deepfake Attacks | AI-generated audio or video used to impersonate executives or authorize transactions |
| External App Exploitation | Targets vulnerabilities in internet-facing applications (CVEs, zero-days) |
| Credential Stuffing | Automated login attempts using breached username/password pairs |
| Physical Access | On-site intrusion to install implants, steal hardware, or access terminals |
| USB Drop Attacks | Malicious USB devices planted to exploit auto-run or curious employees |
| ML Model Evasion | Adversarial inputs designed to fool machine learning classifiers |
| Man-in-the-Middle | Intercepts and potentially alters communication between two parties |
| Supply Chain | Compromises a vendor, library, or update mechanism to reach downstream targets |
| Remote Service Exploitation | Attacks exposed RDP, VPN, SSH, or other remote access services |
| Bruteforce | Systematic password guessing against authentication endpoints |
| Privileged Abuse | Legitimate access misused by insiders for unauthorized purposes |
| LLM Prompt Injection | Manipulates AI language models to bypass safety controls or exfiltrate data |
| Training Data Poisoning | Corrupts ML training data to degrade model accuracy or introduce backdoors |
Effects — Business Impact
| Effect | Type | Description |
|---|---|---|
| Information Privacy Loss | Primary | Exposure of personal or regulated data triggering notification and compliance obligations |
| Proprietary Data Loss | Primary | Theft or destruction of trade secrets, source code, or competitive intelligence |
| Business Interruption | Primary | Operational downtime that prevents revenue generation or service delivery |
| Cyber Extortion | Primary | Ransom demands tied to encrypted systems, stolen data, or threatened disclosure |
| Network Security | Primary | Compromise of network integrity enabling lateral movement or persistent access |
| Financial Fraud | Secondary | Unauthorized transactions, BEC wire transfers, or payment diversion |
| Media Fraud | Secondary | Manipulation of public communications, fake press releases, or brand impersonation |
| Hardware Bricking | Secondary | Permanent destruction of firmware or hardware requiring full replacement |
| Post Breach Incidents | Secondary | Follow-on attacks exploiting data or access gained in the initial breach |
| Reputation Damage | Secondary | Loss of customer trust, stock price decline, and stakeholder confidence erosion |
Example Scenario
Using the taxonomy structure: "Cybercriminals impact customer data via ransomware, causing data breach, business interruption, and regulatory action."
This scenario can then be quantified using FAIR: estimate the frequency (LEF) and the financial impact across all six forms of loss (LM) to produce a defensible ALE figure for your budget justification.
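A worked quantification of this example scenario, added here as an illustration and not part of the FAIR Institute material: every calibration estimate in `SCENARIO` is a constructed assumption, and the triangular distributions and Poisson event count are a common modelling choice rather than something this page prescribes. It computes the point-estimate ALE and, because ALE alone hides the fact that most years see no loss event at all, also the simulated median, 90th percentile and probability of a loss year.

```python
import math
import random
from statistics import mean

# Constructed estimates for the example scenario (assumptions, not FAIR Institute
# figures): each is (min, most likely, max); frequencies per year, losses in USD.
SCENARIO = {
    "tef": (0.5, 2.0, 5.0),               # Threat Event Frequency: attacks/year
    "vulnerability": (0.05, 0.15, 0.40),  # P(an attack becomes a loss event)
    "loss_forms": {  # USD per loss event: three primary, then three secondary
        "productivity": (50_000, 400_000, 2_000_000),
        "response": (25_000, 150_000, 600_000),
        "replacement": (5_000, 40_000, 200_000),
        "fines_judgments": (0, 250_000, 3_000_000),
        "competitive_advantage": (0, 10_000, 100_000),
        "reputation": (0, 300_000, 2_500_000),
    },
}

def draw(estimate, rng):
    """Sample a (min, most likely, max) estimate from a triangular distribution."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)

def poisson(lam, rng):
    """Number of loss events in one year at rate lam (Knuth's method)."""
    limit, count, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return count
        count += 1

def expected_ale(scenario):
    """Point estimate Risk = LEF x LM, LEF = TEF x Vulnerability, from estimate means."""
    lef = mean(scenario["tef"]) * mean(scenario["vulnerability"])
    return lef * sum(mean(est) for est in scenario["loss_forms"].values())

def simulate(scenario, trials=20_000, seed=7):
    """Monte Carlo: per year, draw LEF, a Poisson event count, and all six losses per event."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        lef = draw(scenario["tef"], rng) * draw(scenario["vulnerability"], rng)
        events = poisson(lef, rng)
        yearly.append(sum(draw(e, rng) for _ in range(events) for e in scenario["loss_forms"].values()))
    yearly.sort()
    return {"ale": mean(yearly),
            "p50": yearly[len(yearly) // 2],
            "p90": yearly[int(0.9 * len(yearly))],
            "p_loss_year": sum(1 for x in yearly if x > 0) / len(yearly)}
```

With these constructed inputs the point estimate is about $1.6M per year, while the simulated median year costs nothing and the 90th-percentile year costs several times the ALE; that spread is what a budget conversation should be about, not the single average.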
Learn More
- FAIR Institute — What is FAIR?
- FAIR Cyber Risk Scenario Taxonomy (2025)
- Crash Course on Loss Magnitude
- FAIR Materiality Assessment Model (FAIR-MAM)
The FAIR model is maintained by the FAIR Institute and standardized as Open FAIR by The Open Group. The complete CRM Scenario Taxonomy is available to FAIR Institute members.