Quiz Entry - updated: 2026.06.12
How does the standard "frequency × magnitude" risk formula get refined for cyber risk specifically?
Same formula, but the frequency itself is a function of Threats × Exposures × Vulnerabilities ÷ Controls.
Risk = Eintrittshäufigkeit_eines_Cyber-Incidents × Schadensausmass
with:
Eintrittshäufigkeit_eines_Cyber-Incidents = f(Threats, Exposures, Vulnerabilities, Security Controls, …)
= ThreatEventFrequency × Vulnerability
So a cyber incident's frequency isn't a raw natural rate — it's how often something tries × how often it succeeds. Controls shrink either the "tries" (e.g. blocking by firewall) or the "succeeds" (e.g. patching).
Why this matters:
- For natural catastrophes, frequency comes from historical tables — actuaries have decades of data.
- For cyber, you have to build the frequency by decomposing it into measurable factors. That's exactly what the FAIR framework does.
Tip: fairinstitute.org is the open community around FAIR — they publish models, training, and tooling.