Quiz Entry - updated: 2026.05.31
What are the main factors in the FAIR (Factor Analysis of Information Risk) model, and how do they fit together?
Risk = Loss Event Frequency (LEF) × Loss Magnitude (LM). LEF breaks down further into Threat Event Frequency × Vulnerability; LM into Primary + Secondary loss.
The full decomposition:
Risk (CHF/year)
/ \
Loss Event Frequency [#/year] Loss Magnitude [CHF/event]
(LEF) (LM)
/ \ / \
Threat Event Freq Vulnerability Primary Loss Secondary Loss
(TEF) [#/year] (V) [%] (PL) (SL)
/ \ / \
Contact Probab. Threat Resistance
Freq (CF) of Action Capability Strength (RS)
(PoA) (TC)
Mapped to the conceptual blocks:
- Exposure drives Contact Frequency × Probability of Action → TEF.
- Threat actor capability vs Controls resistance → Vulnerability.
- TEF × V → how often a loss actually happens.
- Primary Loss = direct cost (incident response, downtime). Secondary Loss = consequences (fines, reputation, lawsuits, churn).
Why FAIR matters: it makes cyber risk defensible in CHF. Instead of "this is a Medium-High risk", you can say "CHF 195k most likely annual loss, 90th-percentile CHF 549k" — and that's the language CFOs and boards understand.