LOGBOOK

HELP

Quiz Entry - updated: 2026.06.12

How does the standard "frequency × magnitude" risk formula get refined for cyber risk specifically?

Same formula, but the frequency itself is a function of Threats × Exposures × Vulnerabilities ÷ Controls.

Risk = Eintrittshäufigkeit_eines_Cyber-Incidents × Schadensausmass

with:

Eintrittshäufigkeit_eines_Cyber-Incidents = f(Threats, Exposures, Vulnerabilities, Security Controls, …)
                                          = ThreatEventFrequency × Vulnerability

So a cyber incident's frequency isn't a raw natural rate — it's how often something tries × how often it succeeds. Controls shrink either the "tries" (e.g. blocking by firewall) or the "succeeds" (e.g. patching).

Why this matters:

  • For natural catastrophes, frequency comes from historical tables — actuaries have decades of data.
  • For cyber, you have to build the frequency by decomposing it into measurable factors. That's exactly what the FAIR framework does.

Tip: fairinstitute.org is the open community around FAIR — they publish models, training, and tooling.

From Quiz: ISF / Risk Management | Updated: Jun 12, 2026