
FAIR: Factor Analysis of Information Risk

PC Drama

The FAIR (Factor Analysis of Information Risk) model is the open standard (published by The Open Group as Open FAIR) for quantifying cyber risk in financial terms. Instead of red/yellow/green heat maps, FAIR gives security leaders a defensible, dollar-denominated way to communicate risk to the board, and a way to compare the cost of a control against the loss exposure it actually reduces.

How FAIR Works

FAIR decomposes risk into two measurable dimensions:

  • Loss Event Frequency (LEF) — How often a loss event is expected to occur per year. This is the product of Threat Event Frequency (how often a threat actor acts against the asset) and Vulnerability (the probability that a threat event becomes a loss event, which FAIR derives from the actor's Threat Capability against the asset's Resistance Strength).
  • Loss Magnitude (LM) — The financial impact of a single loss event. Split into Primary Loss (costs borne directly by the organization, such as response and downtime) and Secondary Loss (costs arising from the reactions of secondary stakeholders: regulators, customers, partners, courts). Secondary loss has its own probability, since not every loss event triggers fines or churn.

The formula: Risk = LEF × LM. With LEF expressed per year, the product is an annualized dollar figure, the Annual Loss Expectancy (ALE). In practice each factor is estimated as a calibrated range (minimum, most likely, maximum) rather than a single number, and a Monte Carlo simulation turns those ranges into a distribution of annual loss. The mean of that distribution is the ALE; its tail (for example the 90th or 95th percentile) is usually what a board wants to see, because it answers "how bad does a bad year get?"

The Six Forms of Loss

Every cyber incident maps to one or more of FAIR's six forms of loss. The grouping below into primary (direct) and secondary (stakeholder reaction) impacts is the most common mapping, but in FAIR the form of loss and whether it is primary or secondary are independent: response costs, for instance, are also a typical secondary loss (breach notification, credit monitoring, customer support surges).

FAIR Six Forms of Loss

Primary Loss (Direct)
  • Productivity — Operational inability to deliver products or services
  • Response — Costs of managing the incident (IR teams, forensics, comms)
  • Replacement — Replacing or restoring damaged capital assets

Secondary Loss (Reactions)
  • Fines & Judgments — Regulatory penalties, lawsuits, contractual penalties
  • Competitive Advantage — Loss of IP, trade secrets, or market differentiators
  • Reputation — Decreased stakeholder confidence, customer churn, stock impact

Source: FAIR Institute

FAIR Cyber Risk Scenario Taxonomy

The FAIR CRM Scenario Taxonomy (February 2025) provides a standardized way to define risk scenarios using four elements. Each scenario follows the structure: "[Threat] impacts [Asset] via [Method], causing [Effect]." Pinning all four down before estimating anything is what keeps a FAIR analysis scoped: a scenario that names no specific asset or method cannot be given a defensible frequency.

Threats

Who causes harm (intent may be malicious or accidental):

  • Cyber Criminals
  • Nation-State
  • Privileged Insider
  • Non-Privileged Insider
  • AI Agents
  • Hacktivists
  • Cyber Terrorists
  • Script Kiddies
  • Competitor Driven Threat Actors
  • Sabotage Actors

Assets

What is at risk:

  • Sensitive Personal Data
  • IP & Trade Secrets Data
  • Co-Owned Proprietary Data
  • Confidential Business Information
  • Business Process Generating Revenue
  • Business Process for Third-Party Revenue
  • Business Process Generating Cost
  • Product or Service
  • Cash or Cash Equivalent
  • Physical Assets & Facilities

Methods

How attacks happen:

  • Ransomware with Data Exfiltration
  • Ransomware without Data Exfiltration
  • Data Exfiltration
  • DDoS
  • Cryptomining
  • Account Takeover
  • Malware
  • System Outage
  • Data Corruption
  • Data Leakage

Initial Attack Method (Optional)

  • Phishing
  • SIM Swapping
  • Deepfake Attacks
  • External App Exploitation
  • Credential Stuffing
  • Physical Access
  • USB Drop Attacks
  • ML Model Evasion
  • Man-in-the-Middle
  • Supply Chain
  • Remote Service Exploitation
  • Bruteforce
  • Privileged Abuse
  • LLM Prompt Injection
  • Training Data Poisoning

Effects

Business impact:

PRIMARY LOSSES

  • Information Privacy Loss
  • Proprietary Data Loss
  • Business Interruption
  • Cyber Extortion
  • Network Security

SECONDARY LOSSES

  • Financial Fraud
  • Media Fraud
  • Hardware Bricking
  • Post Breach Security Incidents
  • Reputation Damage

Example Scenario

Using the taxonomy structure: "Cybercriminals impact customer data via ransomware, causing data breach, business interruption, and regulatory action."

This scenario can then be quantified using FAIR: estimate the frequency (LEF) and the financial impact across the six forms of loss (LM) as calibrated ranges, simulate, and report the resulting ALE and tail exposure as a defensible figure for your budget justification. The same scenario re-run with a proposed control (say, a lower Vulnerability because of tested offline backups) gives the risk reduction that control buys, which is the number the budget conversation actually turns on.

Learn More

The FAIR model is maintained by the FAIR Institute and standardized as Open FAIR by The Open Group. The complete CRM Scenario Taxonomy is available to FAIR Institute members.
