up:: Doing the Work MOC

Cyber Risk Quantification (FAIR)

Cyber Risk Quantification with FAIR (Factor Analysis of Information Risk) is the recognized method for expressing cyber risk as a probable financial loss rather than a red-amber-green heat map. It breaks a risk into how often a loss event is likely to happen and how much it would cost, estimates each with calibrated ranges instead of single guesses, and runs the numbers to produce a probability distribution of loss in dollars. It’s the bridge that turns a technical finding, including quantum exposure, into the kind of number a board actually funds decisions on.

The short version:

  • FAIR answers “how much risk, in dollars,” where a heat map only answers “what color.”
  • It decomposes risk into two things: how often a loss happens (frequency) and how much it costs (magnitude), each estimated as a range.
  • It uses distributions and simulation, not a single fabricated figure, so the output is honest about uncertainty (a curve of “probability of losing at least $X”).
  • It’s a published standard (the Open Group’s O-RT and O-RA), not a proprietary formula, which is what makes it defensible to a board or an auditor.
  • For the quantum transition, it’s how “our RSA is quantum-vulnerable” becomes “expected loss of $X, which exceeds our stated risk tolerance.”

Think of it like the difference between a doctor saying “your risk is elevated” and an actuary saying “there’s a 20% chance of a claim over $2 million in the next five years.” Both describe risk, but only the second one lets a board weigh it against the cost of the fix.

What is FAIR?

FAIR is a model and a taxonomy for information risk, standardized by the Open Group. Where most risk registers rate a risk as “high/medium/low” or a colored cell, FAIR defines risk precisely as the probable frequency and probable magnitude of future loss, and gives a repeatable structure for estimating both. The Open Group publishes it as two standards: O-RT, the risk taxonomy (the definitions and the decomposition tree), and O-RA, the risk analysis method (how to estimate and compute). The FAIR Institute stewards the practitioner community, and the canonical text is Jack Jones and Jack Freund’s Measuring and Managing Information Risk: A FAIR Approach (2015).

Sources: The Open Group Open FAIR; FAIR Institute.

Why quantify cyber risk in dollars?

Because boards allocate budget in dollars, and a heat map only offers colors. A heat map can tell an executive that quantum risk is “red,” but “red” gives them no way to weigh a $2 million migration program against a footnote, and two analysts will color the same risk differently. Quantification does three things a heat map leaves out:

  • It makes risks comparable. A dollar figure lets the board weigh quantum migration against every other investment competing for the same budget.
  • It makes the fix justifiable. When the expected loss exceeds the cost of mitigation, the decision makes itself; when it doesn’t, you’ve saved the spend.
  • It’s defensible. A number built from a published method and stated assumptions survives scrutiny from an auditor or a regulator in a way a subjective color rating does not.

The heat map isn’t useless, it’s a fine way to triage quickly, but it can’t carry a budget decision, and it dissolves under a skeptical CFO’s questions.

How does the FAIR model work?

FAIR decomposes risk into a tree, and estimates the leaves rather than guessing the top. The core relationship:

Risk = Loss Event Frequency (LEF) × Loss Magnitude (LM)

LEF = Threat Event Frequency (TEF) × Vulnerability
LM  = Primary Loss + Secondary Loss
  • Loss Event Frequency is how often a loss actually occurs, itself the product of how often a threat attempts something (Threat Event Frequency) and how likely that attempt succeeds (Vulnerability).
  • Loss Magnitude is the total cost when it does occur, split into primary loss (the direct hit, response, replacement, lost productivity) and secondary loss (the fallout, fines, legal liability, reputation, customer churn), where secondary loss has its own frequency and magnitude because it doesn’t always follow.

Each of those leaf factors is estimated as a calibrated range or distribution, a most-likely value with a low and high bound, rather than a single number nobody can defend. The model is then run by Monte Carlo simulation: it samples the distributions thousands of times and aggregates the results into a loss-exceedance curve, a plot of the probability of losing at least a given amount. The output is not “the risk is 500K, a 10% chance it exceeds $2M,” which is a far more honest and decision-useful statement.

How does FAIR apply to quantum risk?

The quantum threat maps cleanly onto the two halves of the FAIR tree, which is what lets an abstract cryptographic weakness become a quantified exposure:

  • Loss Magnitude comes from what a compromise would actually cost: the volume of sensitive records under quantum-vulnerable cryptography, their regulatory and breach costs, and the downstream liability. This is where HNDL exposure enters, harvested data that becomes readable later is a future loss event with a magnitude you can bound.
  • Loss Event Frequency comes from the likelihood and timing of the enabling capability, when a capable quantum computer plausibly arrives and how reachable the data is to a harvester. This is where the timing logic of Mosca’s theorem enters a quantified model.
FAIR factorWhat it estimatesFor quantum risk
Threat Event FrequencyHow often an adversary attempts the lossThe rate of harvesting or attack attempts against the data
VulnerabilityHow likely an attempt succeedsWhether the cryptography is quantum-breakable
Loss Event FrequencyHow often a loss actually occursLikelihood and timing of a quantum-enabled compromise
Loss MagnitudeTotal cost when a loss occursRegulatory and breach cost of the exposed records
Primary lossThe direct hitResponse, remediation, records exposed
Secondary lossThe falloutFines, legal liability, reputation, customer churn

Framing it this way turns “our systems use RSA, which quantum computers will break” into “the expected loss from that exposure is a distribution centered on $X, which sits above the tolerance we’ve set,” which is the sentence that moves a migration from a technical backlog item to a funded program.

Why use ranges instead of a single number?

Because a single number in a domain this uncertain is a fabrication, and a sophisticated board knows it. FAIR’s insistence on distributions is a feature, not a hedge: it forces the analyst to state uncertainty honestly, and it produces a result that’s robust to the fact that nobody knows exactly when a quantum computer arrives or exactly how many records would be exposed. Calibrated estimation (giving a range you’re ~90% confident contains the true value) is a trained skill, and it’s more defensible than false precision. Stating loss as a curve with explicit assumptions, rather than a single point, is both better FAIR practice and simple intellectual honesty.

How does FAIR relate to other risk frameworks?

FAIR is the quantification layer, and it complements rather than replaces the qualitative frameworks. NIST SP 800-30, for instance, provides a structured qualitative risk process; FAIR supplies the dollar-denominated impact term that a qualitative process leaves fuzzy, so many organizations use them together, 800-30 for the structure, FAIR for the number. FAIR is also distinct from a controls framework like the NIST Cybersecurity Framework: those tell you what to do, while FAIR tells you how much a risk is worth, which is what decides which controls are worth funding.

Common misconceptions

  • “FAIR gives you a precise number.” The opposite. It produces a distribution precisely because the inputs are uncertain. A single point estimate is a misuse of the method.
  • “It’s just guessing with extra steps.” Calibrated range estimation is a disciplined, testable skill, and decomposing a big unknown into smaller estimable factors is far more accurate than intuiting the whole. FAIR structures the judgment; it doesn’t pretend to remove it.
  • “You need perfect data to use it.” You need calibrated ranges, not perfect data. FAIR is designed for exactly the data-poor, high-uncertainty situations, like quantum timelines, where point estimates fail.
  • “Quantification replaces the qualitative heat map.” They do different jobs. Heat maps triage fast; FAIR carries the budget decisions. Mature programs use both.

Questions people ask

Is FAIR an open standard or a product? An open standard. The Open Group publishes the taxonomy (O-RT) and the analysis method (O-RA), and the FAIR Institute runs the practitioner community. It’s a method, not a proprietary tool, which is part of why it’s defensible.

Do I need special software to do FAIR? No, the method is tooling-agnostic. Monte Carlo can be run in a spreadsheet or dedicated software; the discipline is in the decomposition and the calibrated estimates, not the tool.

How is FAIR different from a risk heat map? A heat map assigns a subjective color; FAIR produces a probable-loss distribution in dollars. The heat map is faster and coarser; FAIR is what a board decision and an audit actually stand on.

Can you really quantify quantum risk when the timeline is unknown? Yes, and the uncertainty is exactly why you use ranges. FAIR expresses “we don’t know the year” as a distribution over arrival times feeding the frequency term, rather than pretending to a date. Uncertain inputs produce an honest curve, not a false certainty.

Does FAIR replace NIST 800-30 or the CSF? No. It complements them: 800-30 gives qualitative structure, the CSF governs controls, and FAIR supplies the dollar-denominated impact those frameworks leave qualitative. They’re used together.


Everything here is the map, given freely. When your team needs quantum exposure actually quantified against your own records, dollars, and deadlines, defensible to your board and your regulator, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.