FAIR (Factor Analysis of Information Risk)
What is FAIR (Factor Analysis of Information Risk)?
An open international standard for quantifying information and cyber risk in financial terms by decomposing risk into loss event frequency and loss magnitude factors.
FAIR, maintained by the FAIR Institute and standardised by The Open Group as the Open FAIR Risk Analysis (O-RA) and Risk Taxonomy (O-RT) standards, is the most widely adopted quantitative cyber risk model. It decomposes risk into Loss Event Frequency (threat event frequency multiplied by vulnerability, the probability that a threat event becomes a loss event) and Loss Magnitude (primary losses plus secondary losses such as fines, legal costs and customer churn), each driven by sub-factors that practitioners estimate as calibrated ranges (minimum, most likely, maximum) rather than single point values. Tooling such as FAIR-U and commercial platforms typically run Monte Carlo simulations over those ranges to produce loss distributions, including the annualised loss expectancy (ALE) and loss exceedance curves, which give the probability that annual loss exceeds a given amount. FAIR is used to prioritise security investments, support board and regulator discussions, set risk appetite, and underwrite cyber insurance. It is complementary to ISO 31000, NIST RMF, and ERM frameworks.
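The following is an added, self-contained example of the Monte Carlo step described above; it is not code from the FAIR Institute, The Open Group, FAIR-U or any commercial platform. The scenario values are constructed placeholders, and a triangular distribution stands in for the PERT distribution that FAIR tools commonly fit to calibrated (minimum, most likely, maximum) estimates. Each trial draws a threat event frequency and vulnerability, multiplies them into a loss event frequency, samples how many loss events occur that year, and adds primary and secondary loss per event; the annual losses across trials yield the ALE and a loss exceedance curve.

```python
"""Added example: a minimal FAIR-style Monte Carlo simulation (constructed inputs)."""
import bisect
import math
import random
import statistics

# Constructed calibrated estimates as (minimum, most likely, maximum).
# Illustrative placeholder values only, not figures from any real assessment.
SCENARIO = {
    "tef": (2.0, 6.0, 12.0),                    # Threat Event Frequency: attempts per year
    "vuln": (0.05, 0.15, 0.30),                 # Vulnerability: P(threat event becomes a loss event)
    "primary_loss": (20_000, 80_000, 250_000),  # Primary loss per loss event (currency units)
    "secondary_loss": (0, 30_000, 400_000),     # Secondary loss per loss event (fines, churn, legal)
}


def draw(rng, estimate):
    """Sample one value from a calibrated (min, most likely, max) range.
    A triangular distribution is used here in place of the PERT shape FAIR tools often use."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)  # degenerate ranges (lo == hi) return lo


def poisson(rng, lam):
    """Number of loss events in one year for an expected rate lam (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(rng, scenario):
    """One Monte Carlo trial: total annual loss for the scenario.
    Loss Event Frequency = TEF x Vulnerability; each loss event costs primary + secondary loss."""
    lef = draw(rng, scenario["tef"]) * draw(rng, scenario["vuln"])
    events = poisson(rng, lef)
    return sum(
        draw(rng, scenario["primary_loss"]) + draw(rng, scenario["secondary_loss"])
        for _ in range(events)
    )


def run_fair(scenario, trials=10_000, seed=1):
    """Run the simulation; return sorted annual-loss samples plus summary figures."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = sorted(simulate_year(rng, scenario) for _ in range(trials))
    return {
        "losses": losses,
        "ale": statistics.fmean(losses),          # Annualised Loss Expectancy (mean annual loss)
        "p90": losses[int(0.9 * (trials - 1))],   # 90th percentile annual loss
    }


def loss_exceedance(losses, thresholds):
    """Loss exceedance curve: P(annual loss >= threshold) for each threshold.
    `losses` must be sorted ascending (as returned by run_fair)."""
    n = len(losses)
    curve = []
    for t in thresholds:
        first_at_or_above = bisect.bisect_left(losses, t)
        curve.append((t, (n - first_at_or_above) / n))
    return curve


if __name__ == "__main__":
    result = run_fair(SCENARIO)
    print(f"ALE: {result['ale']:,.0f}   P90 annual loss: {result['p90']:,.0f}")
    for threshold, prob in loss_exceedance(result["losses"], [0, 100_000, 500_000, 1_000_000]):
        print(f"P(annual loss >= {threshold:>9,}) = {prob:.3f}")
```

Two points the output makes that a single-number estimate hides: the ALE is an average, while the 90th percentile and the exceedance curve show the tail a board or insurer actually cares about; and because vulnerability is a probability per threat event, halving it (for example, by a control such as email protection in the first example below) halves loss event frequency and the whole loss distribution shifts, which is how FAIR turns a control decision into a comparable financial figure.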
● Examples
- FAIR analysis of business email compromise to justify funding for advanced email protection.
- Quarterly FAIR-based top-risks report for the audit committee.
● Frequently asked questions
What is FAIR (Factor Analysis of Information Risk)?
An open international standard for quantifying information and cyber risk in financial terms by decomposing risk into loss event frequency and loss magnitude factors. It belongs to the Compliance & Frameworks category of cybersecurity.
What are other names for FAIR (Factor Analysis of Information Risk)?
Common alternative names include: FAIR, FAIR analysis.
● Related terms
- Quantitative Risk Analysis: A risk analysis approach that expresses likelihood and impact in numbers, typically as probabilities and monetary loss distributions, to support data-driven decisions.
- Monte Carlo Risk Simulation: A computational technique that estimates risk by running thousands of randomized scenarios drawn from input probability distributions, producing a distribution of possible outcomes.
- Risk Assessment: A structured activity within risk management that identifies threats, vulnerabilities, and impacts on specific assets and rates the resulting risk to support treatment decisions.
- Risk Management: The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
- Enterprise Risk Management (ERM): An integrated, organization-wide approach to identifying, governing, and treating strategic, financial, operational, compliance, and cyber risks in line with business objectives.
- NIST Risk Management Framework: A seven-step NIST process, defined in SP 800-37, for integrating security, privacy, and supply-chain risk management into the system lifecycle.