FAIR (Factor Analysis of Information Risk)
FAIR (Factor Analysis of Information Risk) is an open-source, quantitative framework designed to help organizations understand, analyze, and measure information risk in financial terms. Unlike traditional qualitative methods that rely on subjective scales such as high-medium-low ratings or heat maps, FAIR provides a structured methodology for calculating the probable frequency and magnitude of future loss events. It breaks risk down into its core components—including threat event frequency, threat capability, control strength, vulnerability, asset value, and various forms of primary and secondary losses—enabling a precise assessment of an organization's actual financial exposure to cyber threats.
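The decomposition described above (loss event frequency = threat event frequency × vulnerability, vulnerability = the chance that threat capability exceeds control strength, loss magnitude = primary plus secondary loss) is usually evaluated with a Monte Carlo simulation over calibrated min / most likely / max estimates. The following is an added example written for this page, not code from the FAIR standard, the Open Group or the FAIR Institute. It assumes PERT-shaped distributions for each factor, a Poisson draw for the number of loss events in a year, and the constructed input figures shown inline; it also goes slightly beyond the text by comparing two control postures so the output can be read as the financial benefit of an investment.

```python
"""FAIR-style Monte Carlo risk quantification (added illustrative example).

Assumptions (not from the page): each factor is a PERT distribution built from
min / most-likely / max estimates, the count of loss events in a year is
Poisson-distributed around the loss event frequency, and every figure below is
a constructed sample value rather than data from any real organization.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """Min / most-likely / max estimate sampled as a (modified) PERT distribution."""
    low: float
    mode: float
    high: float
    lam: float = 4.0  # standard PERT shape parameter

    def sample(self, rng: random.Random) -> float:
        width = self.high - self.low
        if width <= 0:
            return self.low
        alpha = 1 + self.lam * (self.mode - self.low) / width
        beta = 1 + self.lam * (self.high - self.mode) / width
        return self.low + rng.betavariate(alpha, beta) * width


@dataclass(frozen=True)
class FairScenario:
    tef: Pert                 # Threat Event Frequency: threat events per year
    threat_capability: Pert   # percentile scale 0-100
    control_strength: Pert    # percentile scale 0-100 (FAIR: resistance strength)
    primary_loss: Pert        # currency units per loss event
    secondary_loss_prob: float  # chance a loss event also causes secondary loss
    secondary_loss: Pert      # currency units per secondary loss event


def poisson(lmbda: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used in FAIR work."""
    limit, k, p = math.exp(-lmbda), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def estimate_vulnerability(s: FairScenario, rng: random.Random, pairs: int = 10_000) -> float:
    """FAIR vulnerability: P(threat capability > control strength), by sampling."""
    hits = sum(1 for _ in range(pairs)
               if s.threat_capability.sample(rng) > s.control_strength.sample(rng))
    return hits / pairs


def simulate(s: FairScenario, trials: int = 10_000, seed: int = 42) -> dict:
    """Return annualized loss statistics for one scenario (deterministic per seed)."""
    rng = random.Random(seed)
    vuln = estimate_vulnerability(s, rng)
    annual = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * vuln            # Loss Event Frequency per year
        total = 0.0
        for _ in range(poisson(lef, rng)):        # each loss event this year
            loss = s.primary_loss.sample(rng)
            if rng.random() < s.secondary_loss_prob:
                loss += s.secondary_loss.sample(rng)
            total += loss
        annual.append(total)
    annual.sort()
    return {
        "vulnerability": vuln,
        "mean_ale": statistics.fmean(annual),     # annualized loss expectancy
        "median": statistics.median(annual),
        "p90": annual[int(0.9 * trials)],
        "max": annual[-1],
    }


# Constructed sample scenario: a credential-stuffing style threat against a customer portal.
BASELINE = FairScenario(
    tef=Pert(2, 6, 20),
    threat_capability=Pert(40, 60, 90),
    control_strength=Pert(30, 55, 80),
    primary_loss=Pert(20_000, 75_000, 300_000),
    secondary_loss_prob=0.3,
    secondary_loss=Pert(50_000, 200_000, 1_000_000),
)

# Same scenario after a control investment that raises resistance strength well above
# the modelled attacker capability (constructed figures).
HARDENED = FairScenario(
    tef=BASELINE.tef,
    threat_capability=BASELINE.threat_capability,
    control_strength=Pert(95, 98, 100),
    primary_loss=BASELINE.primary_loss,
    secondary_loss_prob=BASELINE.secondary_loss_prob,
    secondary_loss=BASELINE.secondary_loss,
)


def ale_reduction(before: FairScenario, after: FairScenario, seed: int = 42) -> float:
    """Expected annual loss avoided by the control change; compare against its cost."""
    return simulate(before, seed=seed)["mean_ale"] - simulate(after, seed=seed)["mean_ale"]


if __name__ == "__main__":
    for name, scenario in (("baseline", BASELINE), ("hardened", HARDENED)):
        r = simulate(scenario)
        print(f"{name:9s} vuln={r['vulnerability']:.2f} "
              f"mean ALE={r['mean_ale']:,.0f} p90={r['p90']:,.0f} max={r['max']:,.0f}")
    print(f"annual loss avoided by hardening: {ale_reduction(BASELINE, HARDENED):,.0f}")
```

The output is a distribution rather than a single number, which is the point of the framework: the mean gives the annualized loss expectancy to weigh against a control's cost, while the 90th percentile and maximum show the tail exposure that a high-medium-low rating hides. Because the estimate depends entirely on the calibrated inputs, the ranges given to `Pert` should come from documented evidence (incident history, threat intelligence, control test results), not from a single person's guess.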
By translating abstract risk concepts into measurable financial outcomes, FAIR empowers security and business leaders to make data-driven decisions about security investments, prioritize mitigation strategies based on genuine return on investment, and communicate complex risk scenarios with clarity to stakeholders and executive boards. Widely adopted across industries, the framework serves as a foundational best practice for sophisticated risk management, threat intelligence, and strategic governance, helping organizations build resilience against an ever-evolving threat landscape.