Cyber Risk Quantification: A FAIR-in-Practice Guide
Cyber risk quantification (CRQ) expresses cyber risk in financial terms, and the FAIR model is the most widely used method for doing it.
- CRQ turns “high/medium/low” into dollars of loss exposure leaders can act on.
- FAIR decomposes risk into Loss Event Frequency and Loss Magnitude.
- Use calibrated ranges, not false-precision single numbers.
- Quantified risk lets you compare controls by dollars of risk reduced per dollar spent.
Step 01: Scope a clear risk scenario
Quantify specific scenarios, not vague “cyber risk.” A good scenario names the asset, the threat, and the effect — e.g., “ransomware encrypts production systems,” or “a third-party breach exposes customer PII.” Tight scoping makes the estimates meaningful.
Step 02: Estimate Loss Event Frequency (LEF)
Estimate how often the loss event is expected to occur (e.g., per year), using internal incident history, threat intelligence, and control strength. Express it as a range (e.g., 0.1–0.5 events/year), reflecting honest uncertainty.
Step 03: Estimate Loss Magnitude (LM)
Estimate the financial impact per event — direct and indirect: remediation, downtime, legal fees, fines, and reputational damage. Anchor with real benchmarks where useful (the average breach is $4.44M globally and $10.22M in the U.S., per IBM, 2025), then tailor to your size and data.
Step 04: Calibrate your estimates
The quality of CRQ depends on calibrated estimation — training estimators to give ranges they’re ~90% confident contain the true value. Use ranges and distributions, not single guesses, and document your reasoning so results are defensible.
Step 05: Compute loss exposure
Combine LEF and LM (typically via simulation across the ranges) to produce an annualized loss exposure in dollars, expressed as a distribution. This is your headline number: “This risk represents roughly $X in expected annual loss.”
Step 06: Build a quantified risk register
Quantify your top scenarios and rank them by loss exposure. Now risks are directly comparable and additive — you can sum exposure, see concentration, and prioritize objectively, instead of debating colors on a heat map.
Step 07: Communicate to the board
Translate to decisions: “Control A reduces this risk by $2.1M of annual exposure for $300K — a strong return.” Financial framing is what gets security investment approved. It also pairs naturally with continuous data, so quantification stays current rather than a once-a-year exercise.
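Steps 02 through 07 worked end to end, as an added Python example that is not from this guide or from Compyl: calibrated 90% ranges for LEF and LM are fitted to lognormal distributions, a Monte Carlo run turns them into an annual loss distribution, scenarios are ranked into a register, and a control is scored in dollars of exposure reduced per dollar spent. The lognormal-plus-Poisson modelling choice and the scenario figures in REGISTER are assumptions made for illustration (FAIR itself does not prescribe a distribution; PERT is a common alternative).

```python
import math
import random
import statistics

def lognormal_from_ci(lo, hi):
    """Fit a lognormal whose 5th/95th percentiles match a calibrated 90% range [lo, hi]."""
    log_lo, log_hi = math.log(lo), math.log(hi)
    return (log_lo + log_hi) / 2, (log_hi - log_lo) / (2 * 1.645)  # 1.645 = z for 90% CI

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small yearly event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(lef_ci, lm_ci, trials=20000, seed=7):
    """Monte Carlo over LEF (events/year) and LM ($/event) ranges -> annual loss per trial."""
    rng = random.Random(seed)
    lef_mu, lef_sigma = lognormal_from_ci(*lef_ci)
    lm_mu, lm_sigma = lognormal_from_ci(*lm_ci)
    losses = []
    for _ in range(trials):
        rate = rng.lognormvariate(lef_mu, lef_sigma)  # this year's loss event frequency
        events = poisson(rng, rate)                    # loss events that actually occur
        losses.append(sum(rng.lognormvariate(lm_mu, lm_sigma) for _ in range(events)))
    return losses

def summarize(losses):
    """Headline figures: expected annual loss plus the median and a tail percentile."""
    s = sorted(losses)
    return {"mean": statistics.fmean(s), "median": s[len(s) // 2], "p90": s[int(0.9 * len(s))]}

def rank_register(scenarios, trials=20000):
    """Rank scenarios {name: (lef_ci, lm_ci)} by expected annual loss, highest first."""
    ranked = [(name, summarize(simulate_annual_loss(lef, lm, trials))["mean"])
              for name, (lef, lm) in scenarios.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)

def risk_reduced_per_dollar(exposure_reduction, control_cost):
    """Dollars of annual loss exposure removed per dollar of control spend."""
    return exposure_reduction / control_cost

REGISTER = {  # constructed sample register: illustrative 90% ranges, not benchmarks
    "ransomware encrypts production systems": ((0.1, 0.5), (1_000_000, 5_000_000)),
    "third-party breach exposes customer PII": ((0.05, 0.2), (200_000, 1_000_000)),
}
```

Note that the median annual loss for a scenario with LEF well below one event per year is zero: most simulated years see no event, and the expected value is driven by the tail, which is why the distribution (not just the headline mean) belongs in the board conversation.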
Frequently asked questions
What is cyber risk quantification?
How do you run a FAIR analysis?
Why use ranges instead of single numbers?
How is CRQ different from a risk matrix?
See cyber risk quantification in action
Compyl unifies governance, risk, compliance and audit on one source of truth — built by CISOs, with a human approving every consequential decision.
About this guide. By Compyl Research, referencing FAIR (The Open Group / FAIR Institute) and IBM. Compyl is an AI-powered, agentic GRC platform built by CISOs that brings risk quantification into a continuous program.