
Quantifying Cyber Risk: A CFO's Guide to FAIR Methodology

Sam Keogh

You already know how to model financial risk. You do it every quarter — market risk, credit risk, operational risk — all expressed in dollars, all backed by data, all feeding decisions that move the business forward.

Now imagine applying the same discipline to cyber risk. That is exactly what FAIR does.

FAIR — Factor Analysis of Information Risk — is the open international standard for quantifying cyber risk in financial terms. No heat maps. No red-amber-green matrices. Just the same kind of probabilistic modelling your treasury team uses for currency exposure, applied to the question every board is now asking: "How much could a cyber incident actually cost us?"

This article is your five-minute primer.

The Problem FAIR Solves

Most organisations assess cyber risk using ordinal scales. A "High likelihood × High impact" rating lands on a colour-coded matrix, and someone decides it is a priority. But that approach has a fundamental flaw: it cannot answer financial questions.

When you ask your CISO "Should we spend $2 million on a new security programme?" a heat map cannot tell you whether that investment is justified. You would never accept that kind of analysis from your credit risk team. FAIR gives cybersecurity the same rigour you already demand everywhere else.

How FAIR Works — In Plain English

FAIR breaks every cyber risk scenario into two questions:

  1. How often might this attack succeed? (Loss Event Frequency)
  2. How much would it cost when it does? (Loss Magnitude)

Multiply those two numbers together and you get the Annual Loss Expectancy — the dollar figure you can put on a balance sheet, compare against an insurance premium, or use to justify a security investment.

That is the entire concept. Frequency times magnitude equals expected annual loss. Everything else in FAIR is about making those two estimates more precise.

Breaking Down Frequency

Frequency decomposes into how often a threat actor attempts an attack (Threat Event Frequency) and the probability that the attempt succeeds given your current controls (Vulnerability). If attackers try once a month and your defences stop them 90 percent of the time, your loss event frequency is roughly 1.2 events per year.

Breaking Down Magnitude

Magnitude covers six categories of cost: response and remediation, lost revenue, fines and legal judgements, reputational damage, replacement of damaged assets, and competitive advantage lost. FAIR asks you to estimate each one as a range — a minimum, a most likely, and a maximum — rather than a single guess.

A Simple Worked Example

Suppose you are evaluating the risk of a ransomware attack that encrypts your ERP system.

Frequency estimates:

  • Threat event frequency: attackers target your industry roughly 6 times per year.
  • Vulnerability: your current endpoint controls and backups give you about a 15 percent chance of a successful encryption event per attempt.
  • Loss event frequency: 6 × 0.15 = 0.9 events per year (roughly once every 13 months).

Magnitude estimates (per event):

  • Incident response and recovery: $400,000 to $800,000, most likely $600,000.
  • Lost revenue during downtime (5 days at $120,000/day): $400,000 to $900,000, most likely $600,000.
  • Regulatory fines and legal costs: $100,000 to $500,000, most likely $200,000.
  • Reputational impact on next-quarter pipeline: $200,000 to $1,000,000, most likely $400,000.
  • Total per-event loss (most likely): $1,800,000.

Annual Loss Expectancy:

0.9 events/year × $1,800,000 per event = $1,620,000 per year.

Now you have a number. If a vendor proposes a $500,000 endpoint detection platform that reduces your vulnerability from 15 percent to 3 percent, you can recalculate: 6 × 0.03 = 0.18 events per year, giving a new ALE of $324,000. The investment saves roughly $1.3 million in expected annual loss. The business case writes itself.

Why FAIR Is the Standard

FAIR is not a proprietary framework sold by a single vendor. It is an open standard maintained by the FAIR Institute, a non-profit with thousands of members across industries and geographies. Think of it as the GAAP of cyber risk — a common language that lets boards, auditors, insurers, and regulators speak in the same terms.

Key facts that matter at the executive level:

  • NIST endorsement. NIST Special Publication 800-30 and the Cybersecurity Framework both recognise quantitative risk analysis. FAIR is the most widely adopted methodology for implementing that guidance.
  • Fortune 500 adoption. Major financial institutions, healthcare systems, and critical infrastructure operators use FAIR to set risk appetite, allocate security budgets, and report to their boards.
  • Regulatory alignment. SEC cyber disclosure rules, APRA CPS 234, and the EU's DORA regulation all push towards quantified risk reporting. FAIR provides the methodology to get there.
  • Insurance integration. Cyber insurers increasingly want quantified loss estimates. FAIR outputs map directly to underwriting models.

How Quoll Implements FAIR

Quoll is a cyber risk quantification platform built on FAIR from the ground up. Where traditional FAIR analysis involves spreadsheets and manual estimation, Quoll automates the heavy lifting.

Monte Carlo simulation. Rather than relying on single-point estimates, Quoll runs thousands of simulated scenarios for every risk. You provide ranges for frequency and magnitude inputs, and the platform generates a full probability distribution of potential losses — the 50th percentile, the 95th percentile, the worst realistic case. This is the same technique your actuaries use for insurance reserving.
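The following is an added example, written for this article; it is not code from the article's author or from the Quoll platform. It carries the ransomware worked example above through the FAIR arithmetic in code (TEF × Vulnerability = LEF, sum of most-likely loss forms, ALE, and the before/after comparison for the $500,000 control), and then re-runs the same scenario as a Monte Carlo simulation of the kind this paragraph describes, producing the 50th and 95th percentiles rather than a single point. The class and function names (`Scenario`, `LossForm`, `control_benefit`, `simulate`) are this example's own. Two modelling choices are assumptions, not anything the article specifies: attempts per year are drawn from a Poisson distribution with mean TEF, and each loss form is sampled from a triangular(min, most likely, max) distribution (FAIR tooling commonly uses PERT-style distributions; triangular keeps this standard-library only).

```python
# Added example, not from the article or Quoll: a minimal FAIR calculator that
# reproduces the article's ransomware scenario as a point estimate and then
# re-runs it as a Monte Carlo over the min / most-likely / max ranges.
import dataclasses
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class LossForm:
    """One magnitude category estimated as a range (dollars per event)."""
    name: str
    low: float
    mode: float   # most likely value
    high: float


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: float            # Threat Event Frequency: attempts per year
    vulnerability: float  # probability that an attempt becomes a loss event
    loss_forms: tuple     # tuple of LossForm

    def lef(self) -> float:
        """Loss Event Frequency = TEF x Vulnerability (events per year)."""
        return self.tef * self.vulnerability

    def most_likely_loss(self) -> float:
        """Per-event magnitude using the most-likely value of every loss form."""
        return sum(f.mode for f in self.loss_forms)

    def ale(self) -> float:
        """Annual Loss Expectancy = LEF x most-likely per-event magnitude."""
        return self.lef() * self.most_likely_loss()


def control_benefit(scenario, new_vulnerability, control_cost):
    """ALE before vs. after a control that lowers vulnerability.

    Returns (new_ale, annual_savings, net_benefit_after_control_cost).
    """
    improved = dataclasses.replace(scenario, vulnerability=new_vulnerability)
    savings = scenario.ale() - improved.ale()
    return improved.ale(), savings, savings - control_cost


def _poisson(rng, lam):
    """Knuth's method: number of events in one year when the mean is lam (assumed model)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def _percentile(sorted_values, q):
    return sorted_values[min(len(sorted_values) - 1, int(q * len(sorted_values)))]


def simulate(scenario, iterations=20_000, seed=42):
    """Monte Carlo: one simulated year per iteration.

    Attempts come from Poisson(TEF); each attempt succeeds with probability
    `vulnerability`; each resulting event draws every loss form from a
    triangular(low, mode, high). Both distribution choices are assumptions.
    """
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        attempts = _poisson(rng, scenario.tef)
        events = sum(1 for _ in range(attempts) if rng.random() < scenario.vulnerability)
        year_loss = 0.0
        for _ in range(events):
            # random.triangular takes (low, high, mode)
            year_loss += sum(rng.triangular(f.low, f.high, f.mode) for f in scenario.loss_forms)
        annual.append(year_loss)
    annual.sort()
    return {
        "mean": mean(annual),
        "p50": _percentile(annual, 0.50),
        "p95": _percentile(annual, 0.95),
        "p99": _percentile(annual, 0.99),
        "prob_loss_year": sum(1 for x in annual if x > 0) / iterations,
    }


# The article's ransomware-on-ERP scenario, transcribed from its figures.
RANSOMWARE_ERP = Scenario(
    name="Ransomware encrypts ERP",
    tef=6.0,
    vulnerability=0.15,
    loss_forms=(
        LossForm("Incident response and recovery", 400_000, 600_000, 800_000),
        LossForm("Lost revenue during downtime", 400_000, 600_000, 900_000),
        LossForm("Regulatory fines and legal costs", 100_000, 200_000, 500_000),
        LossForm("Reputational impact on pipeline", 200_000, 400_000, 1_000_000),
    ),
)

if __name__ == "__main__":
    s = RANSOMWARE_ERP
    print(f"LEF {s.lef():.2f}/yr, most-likely loss ${s.most_likely_loss():,.0f}, ALE ${s.ale():,.0f}")
    new_ale, savings, net = control_benefit(s, 0.03, 500_000)
    print(f"With the $500k control: ALE ${new_ale:,.0f}, saves ${savings:,.0f}/yr, net ${net:,.0f}")
    for key, value in simulate(s).items():
        print(f"{key:>15}: {value:,.2f}")
```

The point estimate reproduces the article exactly (LEF 0.9, per-event loss $1.8M, ALE $1.62M, new ALE $324,000). The simulation's mean comes out higher than the point estimate because the ranges are right-skewed: the most-likely value of each loss form sits below the midpoint of its range, so averaging over the range pulls the expected loss up. That gap between "most likely" and "expected" is the main thing a distribution shows that a single multiplication hides, and it is why the 95th percentile, not the ALE, is the figure to compare against a cyber insurance limit.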

Attack tree modelling. Quoll maps threat scenarios to structured attack trees linked to the MITRE ATT&CK framework. Instead of guessing whether an attacker can reach your crown jewels, the platform models the specific chain of techniques an adversary would need to execute — initial access, lateral movement, privilege escalation, data exfiltration — and calculates the probability of success at each step. This makes frequency estimates defensible rather than arbitrary.

Automated recalculation. When you deploy a new control or change a configuration, Quoll recalculates every affected risk scenario instantly. Your risk posture is always current, not a snapshot from last quarter's workshop.

Board-ready reporting. Quoll translates simulation outputs into the financial language boards expect: annual loss expectancy curves, cost-benefit comparisons for proposed investments, and trend analysis showing whether your risk posture is improving or degrading over time.

The Bottom Line

You would never present market risk to your board as "High." You would never evaluate a credit portfolio with traffic lights. Cyber risk deserves the same financial discipline.

FAIR provides the methodology. Quoll provides the platform that makes it practical. The result is cyber risk reporting that speaks the language of the business — dollars, probabilities, and return on investment.

If you are tired of security conversations that end with "trust us, it's important," FAIR is how you replace gut feel with financial evidence.
