# Understanding FAIR Inputs

The FAIR model (Factor Analysis of Information Risk) breaks down cyber risk into measurable components, using structured inputs to estimate probable loss exposure. Below is an overview of each input, its meaning, and how it influences the simulation.

## 1. Threat Event Frequency (TEF)

**What it means:**\
The number of times a threat actor is expected to act against an asset in a year.

**Why it matters:**\
Higher frequency increases the chance of loss events occurring. TEF helps establish *how often* you're exposed to risk.

**How it’s modeled:**\
As a **BetaPERT distribution**, using:

* **Low** (minimum plausible frequency)
* **Most Likely** (expected frequency)
* **High** (maximum plausible frequency)

## 2. Vulnerability

**What it means:**\
The likelihood that a threat event will result in a loss — i.e., the asset is *susceptible* to the threat.

**Why it matters:**\
This is the conditional probability that a threat event, counted by TEF, becomes a realized loss event.

**How it’s modeled:**\
As a **constant** value between 0 and 1 (e.g., `0.4` = 40% chance).\
Even if threat events are frequent, a low vulnerability reduces overall risk.

## 3. Primary Loss Magnitude (PLM)

**What it means:**\
The direct financial impact of a successful threat event (e.g., data breach response, recovery costs).

**Why it matters:**\
This determines the *severity* of a single realized loss.

**How it’s modeled:**\
As a **BetaPERT distribution**, using:

* **Low** (minimum plausible loss)
* **Most Likely**
* **High** (worst-case direct loss)

## 4. Secondary Loss Event Frequency (SLEF)

**What it means:**\
The chance that secondary losses (like fines, lawsuits, or reputational fallout) occur **after** a primary event.

**Why it matters:**\
Not every incident results in secondary effects, but when one does, those effects can be costly.

**How it’s modeled:**\
As a **BetaPERT distribution**, reflecting how often secondary effects are expected.

## 5. Secondary Loss Magnitude (SLEM)

**What it means:**\
The financial cost of the secondary effects that occur.

**Why it matters:**\
This completes the picture of *total risk* by adding indirect or follow-on loss exposure.

**How it’s modeled:**\
As a **BetaPERT distribution**, using:

* **Low** (minimum plausible loss)
* **Most Likely**
* **High** (worst-case secondary loss)

## Summary

Together, these five input types allow the simulation to estimate a **probabilistic distribution** of annual loss exposure — not just a single number. This supports better-informed decisions, trade-offs, and risk prioritization.
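The following Monte Carlo sketch shows how the five inputs can combine into a distribution of annual loss. It is an added example, not the product's own simulation code. Assumptions: the PERT shape parameter is 4, TEF is rounded to whole threat events per year, each threat event becomes a loss event with probability equal to Vulnerability, and all values in `SAMPLE` are constructed.

```python
import random
import statistics

def pert(rng, low, mode, high, lam=4.0):
    """Draw one BetaPERT sample from a (low, most likely, high) estimate."""
    if not low <= mode <= high:
        raise ValueError("need low <= most likely <= high")
    if low == high:
        return float(low)
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + (high - low) * rng.betavariate(alpha, beta)

def simulate_annual_loss(inputs, years=20000, seed=1):
    """Return one simulated annual loss per year (assumed combination logic)."""
    if not 0 <= inputs["vulnerability"] <= 1:
        raise ValueError("vulnerability must be between 0 and 1")
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        threat_events = round(pert(rng, *inputs["tef"]))
        total = 0.0
        for _ in range(threat_events):
            if rng.random() >= inputs["vulnerability"]:
                continue  # threat event did not become a loss event
            total += pert(rng, *inputs["plm"])
            # SLEF: chance that this primary loss triggers secondary loss
            if rng.random() < pert(rng, *inputs["slef"]):
                total += pert(rng, *inputs["slem"])
        losses.append(total)
    return losses

def summarize(losses):
    """Mean, selected percentiles, and the share of years with any loss."""
    ordered = sorted(losses)
    n = len(ordered)
    pct = {f"p{p}": ordered[min(n - 1, p * n // 100)] for p in (50, 90, 99)}
    return {"mean": statistics.fmean(ordered), **pct,
            "prob_any_loss": sum(x > 0 for x in ordered) / n}

# Constructed sample estimates, not taken from the page
SAMPLE = {"tef": (1, 4, 12), "vulnerability": 0.4,
          "plm": (20_000, 80_000, 400_000), "slef": (0.05, 0.2, 0.5),
          "slem": (50_000, 250_000, 2_000_000)}

if __name__ == "__main__":
    for name, value in summarize(simulate_annual_loss(SAMPLE)).items():
        print(f"{name:>14}: {value:,.2f}")
```

The gap between `p50` and `p99` in the output is the reason to report a distribution rather than a single expected loss.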

