SecureMetrics PowerBI Template Docs

Understanding FAIR Inputs

The FAIR model (Factor Analysis of Information Risk) breaks down cyber risk into measurable components, using structured inputs to estimate probable loss exposure. Below is an overview of each input, its meaning, and how it influences the simulation.

1. Threat Event Frequency (TEF)

What it means: The number of times a threat actor is expected to act against an asset in a year.

Why it matters: Higher frequency increases the chance of loss events occurring. TEF helps establish how often you're exposed to risk.

How it's modeled: As a BetaPERT distribution, using:

  • Low (minimum plausible frequency)

  • Most Likely (expected frequency)

  • High (maximum plausible frequency)

2. Vulnerability

What it means: The likelihood that a threat event will result in a loss, i.e., the asset is susceptible to the threat.

Why it matters: This is the conditional probability that TEF leads to a realized incident.

How it's modeled: As a constant value between 0 and 1 (e.g., 0.4 = 40% chance). Even if threat events are frequent, a low vulnerability reduces overall risk.

3. Primary Loss Magnitude (PLM)

What it means: The direct financial impact of a successful threat event (e.g., data breach response, recovery costs).

Why it matters: This determines the severity of a single realized loss.

How it's modeled: As a BetaPERT distribution, using:

  • Low (minimum plausible loss)

  • Most Likely

  • High (worst-case direct loss)

4. Secondary Loss Event Frequency (SLEF)

What it means: The chance that secondary losses (like fines, lawsuits, or reputational fallout) occur after a primary event.

Why it matters: Not every incident results in secondary effects, but when they do, they can be costly.

How it's modeled: As a BetaPERT distribution, reflecting how often secondary effects are expected.

5. Secondary Loss Magnitude (SLEM)

What it means: The financial cost of the secondary effects that occur.

Why it matters: This completes the picture of total risk by adding indirect or follow-on loss exposure.

How it's modeled: As a BetaPERT distribution, using:

  • Low (minimum plausible loss)

  • Most Likely

  • High (worst-case direct loss)

Summary

Together, these five input types allow the simulation to estimate a probabilistic distribution of annual loss exposure, not just a single number. This supports better-informed decisions, trade-offs, and risk prioritization.
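How the five inputs combine into a distribution of annual loss, as an added Monte Carlo sketch (not the template's own code). It assumes the standard PERT shape parameter of 4, stochastic rounding of TEF to an event count, and SLEF read as a per-loss-event probability between 0 and 1; the sample input values are constructed.

```python
import random
import statistics

def pert(rng, low, mode, high, lam=4.0):
    """Sample BetaPERT(low, most likely, high) via a scaled Beta distribution."""
    if high == low:
        return float(low)
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)

def simulate_annual_loss(inputs, trials=10_000, seed=1):
    """Return one simulated total loss per trial year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        tef = pert(rng, *inputs["tef"])
        # Assumption: a fractional frequency is rounded stochastically to a count.
        events = int(tef) + (rng.random() < tef - int(tef))
        total = 0.0
        for _ in range(events):
            if rng.random() >= inputs["vulnerability"]:
                continue  # threat event did not become a loss event
            total += pert(rng, *inputs["plm"])
            # Assumption: SLEF is a per-loss-event probability in [0, 1].
            if rng.random() < pert(rng, *inputs["slef"]):
                total += pert(rng, *inputs["slem"])
        losses.append(total)
    return losses

def summarize(losses):
    """Mean and selected percentiles of the simulated annual losses."""
    cuts = statistics.quantiles(losses, n=100)  # 99 percentile cut points
    return {"mean": statistics.fmean(losses),
            "p50": cuts[49], "p90": cuts[89], "p95": cuts[94]}

# Constructed sample inputs as (low, most likely, high); not from the template.
SAMPLE = {
    "tef": (1, 4, 12),
    "vulnerability": 0.4,
    "plm": (20_000, 75_000, 400_000),
    "slef": (0.05, 0.2, 0.5),
    "slem": (50_000, 250_000, 2_000_000),
}

if __name__ == "__main__":
    for name, value in summarize(simulate_annual_loss(SAMPLE)).items():
        print(f"{name}: ${value:,.0f}")
```

Reading the percentiles alongside the mean shows the tail that a single-number estimate hides.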


Last updated 1 month ago