FAIR (Factor Analysis of Information Risk)
Quantitative cyber risk on one operating record

FAIR (Factor Analysis of Information Risk) explained

Factor Analysis of Information Risk (FAIR) is the most widely adopted methodology for quantitative cyber risk analysis. The methodology is maintained by the FAIR Institute and the Open Group (through the Open FAIR analyst certification stream), is referenced by NIST and ISO, and is the model most enterprise programmes converge on when they need to express cyber risk in financial terms rather than in qualitative high, medium, low language. FAIR is methodology-only: the same ontology runs in a spreadsheet, in a commercial Cyber Risk Quantification (CRQ) platform, or in an open-source Monte Carlo library. The discipline lives in the inputs and the ontology, not in the tool.

For CISOs, GRC owners, enterprise risk management teams, vulnerability management teams, AppSec teams, and the board reading the output, FAIR is the vocabulary that connects the engineering-side security record to the financial expression the executive layer consumes. Programmes already running the cyber risk quantification programme or holding the COSO ERM portfolio view typically adopt FAIR (or another quantitative method) as the engine that produces the financial output. FAIR is complementary to, not a replacement for, CVSS, EPSS, and CISA KEV; those produce the inputs FAIR combines into the financial estimate the board reads.

The FAIR ontology: how the model decomposes

FAIR decomposes risk into a small set of named factors with explicit relationships. The ontology is the discipline that prevents the analysis from collapsing into a single defended number; each node accepts a distribution that combines into the next level via Monte Carlo simulation. Analysts work the ontology top-down to scope the analysis and bottom-up to defend the inputs.

FAIR vs FAIR Lite: the pragmatic adoption variant

FAIR Lite is the variant most enterprise programmes start with. It uses the same ontology but accepts ranges (minimum, most-likely, maximum) per leaf input rather than full distributions. The output is still a Monte Carlo combination with confidence bands; only the input specification is relaxed. FAIR Lite is the recommended entry point because it surfaces the input gaps rather than forcing analysts to invent precision the underlying signal cannot support.

• FAIR uses full distributions per leaf input. FAIR Lite uses ranges (minimum, most-likely, maximum) per leaf input. The combination is the same Monte Carlo logic; only the input specification differs.
• FAIR Lite is the pragmatic entry point. Most programmes run FAIR Lite for the first two cycles and only adopt full distributions for the small set of scenarios where the inputs are mature enough to support the precision.
• FAIR Lite makes the input gaps visible. Programmes discover where the underlying signal is weak by attempting the range estimate and finding the range has to span an order of magnitude. The fix is to improve the input source, not to invent more precision.
• FAIR Lite supports calibration training. Analysts trained on calibrated estimation (the discipline of producing ranges with stated confidence) produce input ranges that hold up under audit; analysts who guess produce ranges that collapse the first time the assumptions are challenged.
• FAIR Lite output is still defensible. The output is a distribution with confidence bands rather than a point estimate. Programmes that report FAIR Lite output as point estimates lose the methodology value; the value is the explicit uncertainty around the estimate.

Where FAIR sits next to ISO 31000, NIST SP 800-30, RMF, COSO ERM, and AI RMF

FAIR is an analytical method, not a process framework. The adjacent frameworks cover the governance, the process, and the operating sequence the method runs inside. Programmes that adopt FAIR without naming the surrounding process layer get challenged the first time an auditor asks where the analysis sits in the enterprise risk management lifecycle. The matrix below names the most common adjacencies and the responsibility split each pair carries.

Where FAIR inputs come from: sourcing the leaf nodes

FAIR analyses fail at the input layer, not at the ontology layer. The methodology is well-defined; the work is sourcing the inputs from places the analysis team can defend per cycle. A FAIR programme that holds the inputs on the operating record produces analyses that refresh per cycle without rebuilding the underlying source evidence; a programme that holds the inputs separately discovers by quarter two that the input maintenance work has overwhelmed the analysis team.

• Threat intelligence subscriptions and threat reports for the threat communities relevant to the scenario, with the per-community capability and motivation profile.
• MITRE ATT&CK technique prevalence data for the threat actions named in the scenario, with the technique-to-control-coverage mapping the programme has built.
• Peer breach data (Verizon DBIR, IBM Cost of a Data Breach, industry-specific information sharing communities) for the threat event frequency and loss magnitude reference points.
• Internal incident history covering prior attempts and successful events against the asset class, with the per-event cost record finance can validate.
• Authenticated scanning evidence covering the live posture on the asset, with the control coverage gap record and the exception register entries that affect vulnerability.
• Code scanning evidence covering the developer-side controls, with the secure-coding standard adherence record and the dependency vulnerability state.
• CVSS and EPSS data for the per-CVE technical severity and exploit probability that feed the vulnerability node for vulnerability-driven scenarios.
• CISA Known Exploited Vulnerabilities (KEV) catalogue for the active-exploitation signal that elevates threat event frequency for the scenarios where the CVE matters.
• Contract terms and SLA penalties for the primary loss inputs the legal and finance functions can validate against the underlying agreements.
• Regulatory penalty schedules for the secondary loss inputs the compliance function can validate against published regulator guidance.
• Cyber insurance policy terms covering the deductible, the sub-limits, the exclusions, and the per-event recovery the insurance broker can validate.
• Customer churn and brand damage modelling from prior incidents in the sector or from internal events the marketing and revenue functions can validate.

Recurring failure modes FAIR programmes hit

Programmes that struggle with FAIR typically hit a small set of recurring failure modes. Naming them upfront lets the programme design the operating model to avoid them rather than discovering them at the second cycle when the analysis team is already overcommitted.

Evidence a FAIR programme is expected to produce

A defensible FAIR programme produces a stable evidence set per scenario. The same set reads cleanly under ISO 31000, NIST SP 800-30, COSO ERM, NIST AI RMF, regulator inquiries, board reporting, audit committee reads, and procurement-side risk questionnaires. The discipline is to hold the evidence at the scenario level rather than at the per-analysis level so the per-cycle refresh produces a delta rather than a new artefact stack.

• Scenario library with the per-scenario definition: the asset, the threat community, the threat action, the effect, and the scope statement bounding the analysis
• Per-scenario input distributions or ranges with the rationale per input, the source per input, the analyst signature, and the per-cycle refresh record
• Monte Carlo combination output per scenario, with the iteration count, the output distribution, the 10th and 90th percentile bands, the median, and the average annual loss expectancy
• Per-cycle refresh evidence covering which inputs were re-sourced, which inputs were unchanged, which inputs the analysis team flagged as requiring better data, and the analyst sign-off per refresh
• Linkage record connecting the FAIR inputs to the underlying operating evidence: scan execution records, finding triage records, exception register entries, patch records, incident records, peer breach data references
• Disposition record per scenario: mitigate, transfer, accept, share, or avoid; the named disposition owner; the rationale for the disposition; the implementation evidence reference; the review cadence
• Risk committee review record with the per-cycle agenda, the decisions taken, the open actions, the next-cycle inputs the committee asked the analysis team to source, and the attendance record
• Board reporting record with the per-cycle FAIR output presented at the board level, the narrative around the change since the prior cycle, the comparison against the risk appetite, and the board response captured in the minutes
• Audit evidence record covering the analyst calibration certifications, the methodology reference (FAIR Institute publications, Open FAIR standards, ISO 31000 cross-reference, NIST 800-30 cross-reference), and the per-analyst training record
• Per-scenario exception or override record: the cases where the analysis team accepted a non-FAIR estimate, the reason for the override, the approver, and the rationalisation against the FAIR ontology

How FAIR reads across enterprise security functions

FAIR is a cross-functional methodology. The same scenario library reads differently depending on the function that holds the work. Programmes that run FAIR as a GRC exercise alone lose the engineering depth the inputs require; programmes that run it as an engineering exercise alone lose the executive vocabulary the methodology was designed to produce. The named functions below own different parts of the same scenario record.

Running FAIR on SecPortal

SecPortal is built around the operating record a FAIR programme reads against: the engagement carries the per-scenario analysis cycle, the findings record carries the vulnerability state feeding the LEF inputs, the documents area carries the scenario library and the Monte Carlo output, and the activity log carries the audit trail the per-cycle refresh reads against. The platform alignment below maps the verified product capabilities to the FAIR methodology so the programme is held on one operating record rather than across a separate analytical environment that drifts from the live posture.

• Engagement management as the workspace anchor for the FAIR programme, with the per-scenario analysis cycle tracked as an engagement that carries the scenario definition, the input set, the Monte Carlo output, the disposition, and the review cadence as a single record rather than as a separate analytical project
• Findings management with CVSS 3.1 calibration so the per-finding severity reading the vulnerability input under LEF reads against is consistent across the scanner intake, the analyst triage, the exception register, and the remediation SLA record
• Compliance tracking across ISO 31000, NIST SP 800-30, NIST SP 800-37 (RMF), COSO ERM, NIST AI RMF, ISO 27001, SOC 2, and PCI DSS so the FAIR scenarios the programme runs read against the same control catalogue and the disposition records consume cleanly into the parallel framework reads
• Authenticated scanning so the vulnerability node under LEF reads against the live posture record on the asset rather than against a snapshot from the analysis week, with the per-asset coverage record archived per scenario refresh
• Code scanning via Semgrep against connected repositories so the AppSec input feeding the vulnerability node for application-breach scenarios reads against the live code state, with the per-repo finding state archived per scenario refresh
• Document management for the scenario library, the input rationale per leaf node, the Monte Carlo output reports, the board reporting decks, and the audit evidence package so the FAIR programme lives on the operating record rather than across a folder hierarchy that drifts from the analysis reality
• Activity log with CSV export so every change to a scenario definition, an input source, an analyst sign-off, a disposition, or a review cycle is reproducible from one source, which is the audit trail the FAIR programme reads against during the per-cycle defence
• AI report generation that turns the per-cycle scenario record into the board-readable narrative, the risk committee briefing pack, and the audit committee summary so the executive layer reads the FAIR output in the language each stakeholder consumes
• Team management with RBAC so the analyst, the reviewer, the approver, and the executive role boundaries the FAIR programme reads against are enforced at the workspace layer rather than at the per-document level
• Multi-factor authentication for workspace access so the analyst sign-off, the disposition approval, and the review cadence evidence the audit committee reads against carry the authentication record the methodology defence expects
• Retesting workflows paired to the remediation commitments arising from the FAIR disposition record so the closure evidence the next-cycle refresh reads against carries the verify-after-fix record rather than a status statement

Related reading on SecPortal

• ISO 31000 risk management framework is the umbrella process and principle standard FAIR runs inside; the standard mentions quantification as one of the techniques the framework supports.
• Cyber risk quantification guide covers FAIR adoption, the operating model that survives the second cycle, and the board language the methodology produces.
• COSO ERM is the enterprise risk management framework FAIR analyses feed into through the severity (Principle 11) and portfolio (Principle 14) reads.
• NIST SP 800-37 (RMF) is the federal operating sequence the AO reads the residual-risk determination against; FAIR is the most common method for the quantitative path.
• NIST SP 800-30 risk assessment guide is the federal four-step assessment process (Prepare, Conduct, Communicate, Maintain) FAIR operationalises the quantitative path within when federal programmes need financial expression for the assessment output.
• NIST AI Risk Management Framework pairs with FAIR for the AI scenarios where financial expression is required, particularly under the GenAI Profile (NIST AI 600-1).
• CVSS scoring is the technical-severity input FAIR reads against under the vulnerability node of loss event frequency.
• EPSS score contributes to threat event frequency for the vulnerability-driven scenarios where exploit probability matters.
• CISA KEV catalogue elevates threat event frequency for the active-exploitation scenarios that warrant quantitative treatment.
• Board-level security reporting covers the executive narrative FAIR output supports and the cadence the risk committee reads against.
• Security leadership reporting workflow is the operating workflow that holds the FAIR scenario library and the per-cycle output on the executive briefing path.
• Vulnerability acceptance and exception management is the workflow that holds the disposition record FAIR scenarios point to when the decision is to accept rather than mitigate.
• Threat-intelligence-driven prioritisation feeds the threat event frequency input under loss event frequency for the scenarios where threat-actor context drives the analysis.
• SecPortal for CISOs covers the executive workspace that holds the FAIR programme alongside the operating record the analyses read against.
• SecPortal for GRC and compliance teams covers the GRC workspace that holds the cross-framework reconciliation FAIR analyses consume into.