
What Is FAIR Risk Quantification? A Plain-English Guide

By Compyl Research · Last updated June 2026

FAIR (Factor Analysis of Information Risk) is a model that quantifies cyber and information risk in financial terms — defining risk as the probable frequency and probable magnitude of future loss. Instead of “high / medium / low” heat maps, FAIR expresses risk as dollars of expected loss, so leaders can compare risks and prioritize spending the same way they make any other business decision.

Key takeaways

  • FAIR turns risk into money: probable loss exposure, not a color on a chart.
  • It breaks risk into two drivers — Loss Event Frequency (how often) and Loss Magnitude (how much).
  • FAIR became the first international standard for information risk via The Open Group in 2009 and is maintained by the FAIR Institute.
  • It pairs naturally with AI: agentic GRC platforms can feed FAIR with live data to keep quantified risk current.

What is FAIR?

FAIR is a standardized way to quantify information risk. It defines risk as “the probable frequency and probable magnitude of future loss,” and provides the terminology and math to estimate that loss in dollars. Because the factors can be measured and combined mathematically, FAIR produces a defensible, financial view of risk that boards and CFOs understand — a major upgrade over qualitative scoring.

The FAIR model in plain English

The FAIR model: risk equals Loss Event Frequency times Loss Magnitude

FAIR decomposes total risk into two primary components:

  • Loss Event Frequency (LEF) — how often a harmful event is expected to occur in a given timeframe (for example, per year).
  • Loss Magnitude (LM) — the estimated financial impact of each event, including direct and indirect costs: remediation, downtime, legal fees, fines, and reputational damage.

Multiply probable frequency by probable magnitude and you get loss exposure in dollars. FAIR uses ranges and distributions rather than false-precision single numbers, which makes it honest about uncertainty while still producing decision-ready figures.
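As an added illustration (example code, not from Compyl or the FAIR Institute), the following minimal Monte Carlo implementation carries the frequency-times-magnitude calculation above through with ranges instead of point estimates. It assumes calibrated minimum / most-likely / maximum ranges for LEF (events per year) and LM (dollars per event), models the yearly event count as Poisson, and returns the mean and percentiles of simulated annual loss; the range values in the test are constructed.

```python
# Added example, not Compyl's or the FAIR Institute's code: Monte Carlo FAIR
# estimate from calibrated min / most-likely / max ranges to dollars of annual loss.
import math
import random
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely and maximum (triangular shape)."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3  # mean of a triangular

    def sample(self, rng: random.Random) -> float:
        if self.low == self.high:  # point estimate, no uncertainty
            return self.low
        return rng.triangular(self.low, self.high, self.likely)

def poisson(rate: float, rng: random.Random) -> int:
    """Loss events in one year for an expected rate of `rate` (Knuth's method)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def expected_ale(lef: Range, lm: Range) -> float:
    """Closed-form point estimate E[LEF] x E[LM]: frequency times magnitude."""
    return lef.mean() * lm.mean()

def simulate_ale(lef: Range, lm: Range, years: int = 10_000, seed: int = 42) -> dict:
    """Simulate `years` independent years and summarise annual loss in dollars.

    Each year draws an event rate (events/year) from `lef`, an event count
    from Poisson(rate), and an independent magnitude from `lm` per event.
    """
    rng = random.Random(seed)
    losses = sorted(sum(lm.sample(rng) for _ in range(poisson(lef.sample(rng), rng)))
                    for _ in range(years))
    return {"mean": statistics.fmean(losses),
            "p50": losses[len(losses) // 2],
            "p90": losses[int(len(losses) * 0.9)],
            "max": losses[-1]}
```

Compare the p90 and max against the mean: the gap between them is the tail risk that a single "expected loss" number hides, which is why FAIR reports distributions.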

Why FAIR matters in 2026

  • It speaks the language of the business. “This risk represents $2.4M in annual loss exposure” drives better decisions than “this risk is high.”
  • It prioritizes spend. Quantified risk lets you compare controls by dollars of risk reduced per dollar spent.
  • It contextualizes real numbers. With the average breach at $4.44 million globally and $10.22 million in the U.S. (IBM, 2025), FAIR helps you estimate your exposure rather than relying on industry averages.
  • It’s AI-ready. Modern platforms can populate FAIR inputs from live data, keeping quantification continuous instead of a once-a-year modeling exercise.

FAIR vs. qualitative risk scoring

                  Qualitative (heat map)     FAIR (quantitative)
  Output          High / medium / low        Dollars of loss exposure
  Comparability   Hard to compare or sum     Directly comparable and additive
  Audience        Security team              Board, CFO, and security
  Best for        Fast triage                Prioritization and investment decisions

Frequently asked questions

What is FAIR risk quantification?

FAIR (Factor Analysis of Information Risk) is a model that expresses information risk as probable financial loss — calculated from how often a loss event is likely to occur (Loss Event Frequency) and how much it would cost (Loss Magnitude).

How is FAIR different from a risk matrix?

A risk matrix produces qualitative ratings (high/medium/low) that are hard to compare. FAIR produces dollar figures you can compare, sum, and use to justify spending.

Is FAIR a standard?

Yes. FAIR became the first international standard for information risk through The Open Group in 2009 and is maintained today by the FAIR Institute.

Do you need AI to use FAIR?

No, but it helps. Feeding FAIR with live data from your environment keeps quantified risk current instead of relying on periodic, manual estimates.


About this guide. Written by Compyl Research, referencing The Open Group / FAIR Institute and IBM (2025). Compyl is an AI-powered, agentic GRC platform built by CISOs that brings risk quantification into a continuous, data-first program.