LOGBOOK

HELP

Quiz Entry - updated: 2026.05.31

What are the main factors in the FAIR (Factor Analysis of Information Risk) model, and how do they fit together?

Risk = Loss Event Frequency (LEF) × Loss Magnitude (LM). LEF breaks down further into Threat Event Frequency × Vulnerability; LM into Primary + Secondary loss.

The full decomposition:

                                Risk (CHF/year)
                               /                \
       Loss Event Frequency [#/year]      Loss Magnitude [CHF/event]
       (LEF)                              (LM)
       /          \                       /              \
Threat Event Freq  Vulnerability        Primary Loss   Secondary Loss
(TEF) [#/year]     (V) [%]              (PL)           (SL)
   /     \            /        \
Contact   Probab.   Threat       Resistance
Freq (CF) of Action Capability   Strength (RS)
          (PoA)    (TC)

Mapped to the conceptual blocks:

  • Exposure drives Contact Frequency × Probability of Action → TEF.
  • Threat actor capability vs Controls resistance → Vulnerability.
  • TEF × V → how often a loss actually happens.
  • Primary Loss = direct cost (incident response, downtime). Secondary Loss = consequences (fines, reputation, lawsuits, churn).

Why FAIR matters: it makes cyber risk defensible in CHF. Instead of "this is a Medium-High risk", you can say "CHF 195k most likely annual loss, 90th-percentile CHF 549k" — and that's the language CFOs and boards understand.

From Quiz: ISF / Risk Management | Updated: May 31, 2026