FAIR Risk Quantification

FAIR™ (Factor Analysis of Information Risk), developed by the FAIR Institute, is the international standard for quantifying cyber risk in financial terms. Fair TPRM implements this methodology natively — connected to your security scores, vendor profiles, and assessment results — so you never need a separate spreadsheet again.

Risk in Financial Terms

The FAIR Institute's risk taxonomy provides the foundation for how Fair TPRM independently quantifies vendor risk. Typical TPRM programs export vendor data to a separate spreadsheet for FAIR modeling, then manually copy results back. Fair TPRM eliminates that gap entirely — the FAIR calculator lives inside the platform, drawing directly from vendor profiles and SRS scores to produce Annualized Loss Expectancy in real time.

  • Annualized Loss Expectancy (ALE) calculation
  • Threat Event Frequency modeling
  • Vulnerability factor analysis
  • Loss magnitude with breach cost modeling
  • Cyber insurance coverage recommendations (3x ALE)
  • Board-ready financial reports

// FAIR™ — fairinstitute.org

// Core FAIR Formula
ALE = LEF × Loss Magnitude

// Loss Event Frequency
LEF = TEF × Vulnerability

// Recommended Coverage
Insurance = 3 × ALE

How the Math Works

Built on the FAIR Institute's risk taxonomy, every variable feeds into a transparent, auditable calculation chain — and every multiplier can be tuned to match your organization's risk appetite.

Threat Event Frequency

Starts with a configurable base rate, then applies customizable multipliers for data classification (Critical 12x, Sensitive 6x, Public 0.5x), external data sharing, and threat intelligence levels. Adjust every weight to reflect what matters most to your organization.

Vulnerability Factors

Begins at a tunable baseline, adjusted by SRS security grade, ISO 27001 certification, MFA status, and patch management posture. Organizations can weight each factor up or down based on their own security priorities and risk appetite.

Loss Magnitude

Combines operational impact, breach costs, and secondary losses including regulatory fines and reputational damage. Per-record costs, outage durations, and regulatory multipliers are all configurable — because a healthcare organization's risk profile looks nothing like a retailer's.

Risk Level Classification

Calculated ALE values map to standardized risk levels for prioritization.

ALE Range                 Risk Level   Recommended Action
< $1,000                  Very Low     Standard monitoring, annual review cycle
$1,000 – $10,000          Low          Routine assessment, Tier 3 SRS schedule
$10,000 – $50,000         Medium       Enhanced monitoring, Tier 2 SRS schedule
$50,000 – $250,000        High         Tier 1 monitoring, remediation plan required
$250,000 – $1,000,000     Very High    Immediate attention, executive escalation
> $1,000,000              Critical     Board-level review, contract re-evaluation
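
The calculation chain and the risk-level table above, as an added Python example (not Fair TPRM's own code). Function names, the base rate passed in, and the rule that an ALE exactly on an interior boundary lands in the higher tier are assumptions; the demo at the bottom uses the figures from the CloudPayments Inc. card further down this page.

```python
from math import prod

# Data-classification multipliers quoted on the page.
CLASS_MULTIPLIER = {"critical": 12.0, "sensitive": 6.0, "public": 0.5}

# Upper bounds from the risk-level table. Assumption: an ALE exactly on an
# interior boundary lands in the higher tier; the first and last rows follow
# the page's strict "<" and ">" signs.
TIERS = [(1_000, "Very Low"), (10_000, "Low"), (50_000, "Medium"), (250_000, "High")]


def threat_event_frequency(base_rate, classification, other_multipliers=()):
    """TEF = base rate x classification multiplier x any further multipliers."""
    if base_rate < 0:
        raise ValueError("base rate must be non-negative")
    return base_rate * CLASS_MULTIPLIER[classification] * prod(other_multipliers)


def risk_level(ale):
    """Map an ALE in dollars to the page's risk level."""
    for upper, name in TIERS:
        if ale < upper:
            return name
    return "Very High" if ale <= 1_000_000 else "Critical"


def fair_ale(tef, vulnerability, loss_magnitude):
    """LEF = TEF x Vulnerability; ALE = LEF x Loss Magnitude; cover = 3 x ALE."""
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability is a probability in [0, 1]")
    if tef < 0 or loss_magnitude < 0:
        raise ValueError("TEF and loss magnitude must be non-negative")
    lef = tef * vulnerability
    ale = lef * loss_magnitude
    return {"lef": lef, "ale": ale, "insurance": 3 * ale, "risk_level": risk_level(ale)}


def implied_loss_magnitude(ale, tef, vulnerability):
    """Invert the chain: per-event loss that a reported ALE implies."""
    lef = tef * vulnerability
    if lef <= 0:
        raise ValueError("LEF must be positive to invert the formula")
    return ale / lef


if __name__ == "__main__":
    # Figures from the CloudPayments Inc. card on this page.
    lm = implied_loss_magnitude(1_200_000, tef=4.5, vulnerability=0.68)
    print(f"implied loss per event: ${lm:,.0f}")
    print(fair_ale(4.5, 0.68, lm))
```

Inverting a reported ALE this way is a quick audit check: it exposes the per-event loss figure a vendor's headline number depends on.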

Interactive Calculator

No external tools required. The built-in FAIR calculator provides real-time results as analysts input vendor-specific data, and assessment submissions auto-populate draft analyses. Over 40 database fields are encrypted at rest with AES-256-CBC, and all data in transit is protected by TLS 1.3 with post-quantum resistant cipher suites.

  • Real-time ALE calculation as you type
  • 40+ encrypted fields for sensitive FAIR data
  • CSV import/export for bulk analysis
  • Print-ready reports with financial justification
  • Auto-draft creation from assessment submissions
  • Searchable vendor FAIR analysis history

Vendor: CloudPayments Inc. (Critical)
Annualized Loss Expectancy: $1.2M
Threat Event Frequency: 4.5/yr
Vulnerability Factor: 68%
Insurance Recommendation: $3.6M
Records at Risk: 50,000 PII

AI-Powered Executive Summaries

Generate board-ready risk narratives in seconds.

From Data to Narrative

Fair TPRM integrates with OpenWebUI to generate AI-powered executive summaries that combine SRS scores, FAIR analysis data, and risk findings into professional narratives ready for board presentations.

  • Automatic context assembly from all vendor data
  • Configurable AI model and parameters
  • Financial impact included in generated narratives
  • One-click PDF export with brand styling

AI Integration: OpenWebUI
Output Format: PDF + HTML
Data Sources: Combined SRS + FAIR
Customizable: Model + Temp

Tuned to Your Risk Appetite

No two organizations face the same risk landscape. Fair TPRM lets you customize every signal and threshold so the platform reflects what actually matters to your business — not a generic, one-size-fits-all model.

  • Adjustable TEF base rates and data classification multipliers
  • Configurable vulnerability factor weights per security control
  • Custom per-record breach costs by data type (PII, SPII, SOX)
  • Tunable SRS scoring weights across all five Shodan API categories
  • Configurable grade thresholds for UpGuard API letter ratings
  • Risk tier intervals matched to your review cadence

TEF Multipliers: Customizable
Vulnerability Baselines: Customizable
Breach Cost Models: Customizable
SRS Signal Weights: Customizable
Grade Thresholds: Customizable
Tier Intervals: Customizable

Analysis + Monitoring in One Platform

Because FAIR analysis and security monitoring share the same database, SRS scores feed directly into risk calculations — no exports, no imports, no lag.