You already know how to model financial risk. You do it every quarter — market risk, credit risk, operational risk — all expressed in dollars, all backed by data, all feeding decisions that move the business forward.
Now imagine applying the same discipline to cyber risk. That is exactly what FAIR does.
FAIR — Factor Analysis of Information Risk — is the open international standard for quantifying cyber risk in financial terms. No heat maps. No red-amber-green matrices. Just the same kind of probabilistic modelling your treasury team uses for currency exposure, applied to the question every board is now asking: "How much could a cyber incident actually cost us?"
This article is your five-minute primer.
Most organisations assess cyber risk using ordinal scales. A "High likelihood × High impact" rating lands on a colour-coded matrix, and someone decides it is a priority. But that approach has a fundamental flaw: it cannot answer financial questions.
When you ask your CISO "Should we spend $2 million on a new security programme?" a heat map cannot tell you whether that investment is justified. You would never accept that kind of analysis from your credit risk team. FAIR gives cybersecurity the same rigour you already demand everywhere else.
FAIR breaks every cyber risk scenario into two questions:
How often is a loss event likely to occur? (Loss Event Frequency)
How much will it cost when it does? (Loss Magnitude)
Multiply those two numbers together and you get the Annual Loss Expectancy — the dollar figure you can put on a balance sheet, compare against an insurance premium, or use to justify a security investment.
That is the entire concept. Frequency times magnitude equals expected annual loss. Everything else in FAIR is about making those two estimates more precise.
Frequency decomposes into how often a threat actor attempts an attack (Threat Event Frequency) and the probability that the attempt succeeds given your current controls (Vulnerability). If attackers try once a month and your defences stop them 90 percent of the time, your loss event frequency is roughly 1.2 events per year.
Magnitude covers six categories of cost: response and remediation, lost revenue, fines and legal judgements, reputational damage, replacement of damaged assets, and competitive advantage lost. FAIR asks you to estimate each one as a range — a minimum, a most likely, and a maximum — rather than a single guess.
Suppose you are evaluating the risk of a ransomware attack that encrypts your ERP system.
Frequency estimates:
Threat Event Frequency: 6 attack attempts per year.
Vulnerability: 15 percent of attempts succeed against current controls.
Loss Event Frequency: 6 × 0.15 = 0.9 events per year.
Magnitude estimates (per event):
Most likely loss across the six cost categories: $1,800,000 per event.
Annual Loss Expectancy:
0.9 events/year × $1,800,000 per event = $1,620,000 per year.
Now you have a number. If a vendor proposes a $500,000 endpoint detection platform that reduces your vulnerability from 15 percent to 3 percent, you can recalculate: 6 × 0.03 = 0.18 events per year, giving a new ALE of $324,000. The investment saves roughly $1.3 million in expected annual loss. The business case writes itself.
FAIR is not a proprietary framework sold by a single vendor. It is an open standard maintained by the FAIR Institute, a non-profit with thousands of members across industries and geographies. Think of it as the GAAP of cyber risk — a common language that lets boards, auditors, insurers, and regulators speak in the same terms.
Key facts that matter at the executive level:
Quoll is a cyber risk quantification platform built on FAIR from the ground up. Where traditional FAIR analysis involves spreadsheets and manual estimation, Quoll automates the heavy lifting.
Monte Carlo simulation. Rather than relying on single-point estimates, Quoll runs thousands of simulated scenarios for every risk. You provide ranges for frequency and magnitude inputs, and the platform generates a full probability distribution of potential losses — the 50th percentile, the 95th percentile, the worst realistic case. This is the same technique your actuaries use for insurance reserving.
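The ransomware worked example above and the Monte Carlo approach just described, carried through in one script. This is an added illustration, not Quoll's code or the FAIR Institute's; the 6 attempts/year, 15 percent (then 3 percent) vulnerability and $1.8M per event come from the article, while the spreads around them (4 to 8 attempts, $0.6M to $3.0M per event) are constructed assumptions.

```python
"""FAIR annual loss expectancy: point estimate and Monte Carlo simulation."""
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    tef: tuple            # threat events per year: (min, most likely, max)
    vulnerability: float  # probability that one attempt becomes a loss event
    magnitude: tuple      # loss per event in dollars: (min, most likely, max)


def ale_point(tef: float, vulnerability: float, magnitude: float) -> float:
    """FAIR core identity: ALE = Loss Event Frequency x Loss Magnitude."""
    lef = tef * vulnerability  # e.g. 6 attempts/year x 0.15 = 0.9 events/year
    return lef * magnitude


def simulate(s: Scenario, years: int = 10_000, seed: int = 42) -> dict:
    """Draw TEF and per-event loss from triangular (min/mode/max) ranges,
    roll each attempt against the vulnerability, and sum each year's losses."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        attempts = round(rng.triangular(s.tef[0], s.tef[2], s.tef[1]))
        loss = 0.0
        for _ in range(attempts):
            if rng.random() < s.vulnerability:  # the attempt succeeds
                loss += rng.triangular(s.magnitude[0], s.magnitude[2], s.magnitude[1])
        annual.append(loss)
    annual.sort()
    pct = lambda p: annual[min(len(annual) - 1, int(p * len(annual)))]
    return {"mean": sum(annual) / years, "p50": pct(0.50),
            "p95": pct(0.95), "max": annual[-1]}


# Article's scenario; the spreads are constructed for this illustration.
MAGNITUDE = (600_000, 1_800_000, 3_000_000)
BASELINE = Scenario(tef=(4, 6, 8), vulnerability=0.15, magnitude=MAGNITUDE)
WITH_EDR = Scenario(tef=(4, 6, 8), vulnerability=0.03, magnitude=MAGNITUDE)


def control_benefit(before: Scenario, after: Scenario, cost: float) -> float:
    """Expected annual saving from a control, net of its annual cost."""
    return simulate(before)["mean"] - simulate(after)["mean"] - cost


if __name__ == "__main__":
    print(f"Point ALE: ${ale_point(6, 0.15, 1_800_000):,.0f}")
    for name, s in (("baseline", BASELINE), ("with EDR", WITH_EDR)):
        r = simulate(s)
        print(f"{name}: mean ${r['mean']:,.0f}  p50 ${r['p50']:,.0f}  p95 ${r['p95']:,.0f}")
    print(f"Net benefit of $500k control: ${control_benefit(BASELINE, WITH_EDR, 500_000):,.0f}")
```

The simulated mean lands close to the $1.62M point estimate, but the 95th percentile shows the multi-event years a single-point ALE hides.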
Attack tree modelling. Quoll maps threat scenarios to structured attack trees linked to the MITRE ATT&CK framework. Instead of guessing whether an attacker can reach your crown jewels, the platform models the specific chain of techniques an adversary would need to execute — initial access, lateral movement, privilege escalation, data exfiltration — and calculates the probability of success at each step. This makes frequency estimates defensible rather than arbitrary.
Automated recalculation. When you deploy a new control or change a configuration, Quoll recalculates every affected risk scenario instantly. Your risk posture is always current, not a snapshot from last quarter's workshop.
Board-ready reporting. Quoll translates simulation outputs into the financial language boards expect: annual loss expectancy curves, cost-benefit comparisons for proposed investments, and trend analysis showing whether your risk posture is improving or degrading over time.
You would never present market risk to your board as "High." You would never evaluate a credit portfolio with traffic lights. Cyber risk deserves the same financial discipline.
FAIR provides the methodology. Quoll provides the platform that makes it practical. The result is cyber risk reporting that speaks the language of the business — dollars, probabilities, and return on investment.
If you are tired of security conversations that end with "trust us, it's important," FAIR is how you replace gut feel with financial evidence.