Free Cyber Risk Analysis: Your Top Cyber Risks in 3 Clicks

Get Started
Request Demo

Cyber Risk Quantification, FAIR

The FAIR Risk Model: A Practical Guide for Organizations


Contending with the increased interest by Boards and executive leaders in cybersecurity, CISOs and security teams need a risk assessment model that can easily translate cyber risk data into financial insights. Cybersecurity data can be pretty technical and is not easily understood by business-side professionals. Yet, these insights can no longer be glossed over because they seem daunting. Security professionals can leverage the Factor Analysis of Information Risk (FAIR) model to assess cyber risks in financial terms.

FAIR is the only international standard quantitative model for information security and operational risk. This model translates the impact of these risks by analyzing risk scenarios and aggregating the scenarios to quantify potential loss exposure in financial terms. 

The FAIR approach is unique compared to other cyber risk quantification approaches as it delivers actionable and transparent insights, unlike black-box risk scores that provide a risk score based on unknown calculations. Security teams might be given a score of 3 out of 5. What does this mean for the team? What actions can the team take to improve? What areas exactly need improvement? And, most importantly, what can the Board understand from a score of 3? 

The FAIR Risk Model Explained 

The FAIR model uses three concepts to calculate risk metrics. 

  • Annualized loss expectancy (ALE): ALE is the average expected annual loss from a loss event.
  • Annualized rate of occurrence (ARO): ARO is the frequency with which a loss event is expected to occur over a given period. The ARO is calculated by estimating the likelihood of a threat exploiting a vulnerability and causing a loss event. This can be done using historical data, industry benchmarks, and expert judgment.
  • Loss magnitude (ML): ML is the average financial impact of a loss event. The ML is calculated by estimating the financial impact of a loss event, considering factors such as the cost of repairing damage, the cost of downtime, and the cost of reputational damage.

By multiplying the ARO by the ML, risk teams get an ALE that can be used to decide how to mitigate the risk. 

Let’s look at an example of a FAIR calculation. Suppose an organization has a customer information database worth $50 million. The security team has identified a vulnerability that may lead to data exploitation. The group estimates that the ARO is 20% and the ML is $15 million. 




20% x 15,000,000



This calculation means that the company expects to lose an average of $3 million per year due to the vulnerability in the database. Security teams can report on this metric to executives to underscore the importance of mitigating this risk and provide mitigation tactics to deploy. Security teams should also use these calculations as a starting point to track risk remediation over time and changes in ALE.  

The FAIR model also considers the effectiveness of controls in reducing the risk of a loss event—the more effective the controls, the lower the ARO and ML.

FAIR Model Ontologies 

The FAIR risk model is one of the most comprehensive risk quantification approaches. Take a look at the several ontologies that represent the various concepts that are involved in CRQ. 



Asset Ontology

This ontology considers the different types of assets that can be affected by cyber risks.

Vulnerability Ontology

This ontology refers to the different types of vulnerabilities that threat actors exploit.

Control Ontology

This ontology represents the different types of controls organizations can implement to mitigate cyber risks.

Threat Ontology

This ontology represents the different types of actors and events that pose a cyber risk.

Loss Event Ontology

This ontology refers to the adverse outcomes that can occur when threats exploit vulnerabilities and controls fail.


Depending on the CRQ tool your organization is leveraging, it will refer to this set of ontologies to complete FAIR cyber risk quantification. The FAIR ontologies are designed to be interoperable so that organizations can combine different ontologies to meet their specific needs. Overall, the FAIR model aims to compile as much contextual information as possible to enhance the calculation of ALE. 

CyberSaint’s Approach to FAIR 

The CyberStrong platform offers FAIR-based assessments, NIST 800-30, and CyberInsight. Honing in on the idea of contextualizing cyber risk data to deliver more accurate data as FAIR does, with the availability of multiple risk models - CyberStrong users can leverage multiple models to quantify risk at all maturity levels. 

The FAIR risk model connects two essential components in cyber risk management - cyber risk assessment data and executive reporting. Translate critical information to encourage executive buy-in and interest with this quantitative model. Discover more about FAIR in our webinars. Schedule a conversation with the CyberSaint team to learn more about our approach to CRQ.

You may also like

Critical Capabilities of Cyber ...
on May 20, 2024

In today's digital landscape, robust cybersecurity risk assessment tools are crucial for effectively identifying and mitigating cyber threats. These tools serve as the first line ...

A Practical Approach to FAIR Cyber ...
on May 10, 2024

In the ever-evolving world of cybersecurity, managing risk is no longer about simply setting up firewalls and antivirus software. As cyber threats become more sophisticated, ...

Unveiling the Best Cyber Security ...
on April 24, 2024

Considering the rollout of regulations like the SEC Cybersecurity Rule and updates to the NIST Cybersecurity Framework; governance and Board communication are rightfully ...

April Product Update
on April 18, 2024

The CyberSaint team is dedicated to providing new features to CyberStrong and advancing the CyberStrong cyber risk management platform to address all your cybersecurity needs. ...

Bridging the Gap: Mastering ...
on April 22, 2024

In today's digital landscape, cybersecurity has become essential to corporate governance. With the increasing frequency and sophistication of cyber threats, the SEC has set forth ...

March Product Update
on March 21, 2024

The CyberSaint team is dedicated to advancing the CyberStrong platform to meet your cyber risk management needs. These latest updates will empower you to benchmark your ...