Contact us today. Phone: +1 888 776-9234. Email: sales@plurilock.com

What is Loss Event Frequency (LEF)?

Loss Event Frequency (LEF) measures how often a particular type of loss-producing security incident occurs within a given timeframe, usually expressed as events per year. Only events that actually result in loss count; attempts that are blocked before causing harm are threat events, not loss events.

It is one half of the equation that lets organizations put real numbers on cyber risk: multiplied by loss magnitude (how much each incident costs), it gives Annualized Loss Expectancy (ALE = LEF × loss magnitude). You might track, for instance, that your organization experiences approximately 2.3 successful phishing incidents per year that result in credential compromise, or 0.8 ransomware events annually across your industry segment.

Getting this number right requires good data. Organizations pull from their own incident history, industry sharing forums, threat intelligence feeds, and, when historical data is thin, expert estimates. The frequency is not static; it shifts with how attractive you are as a target, how vulnerable your systems are, what controls you have in place, and what is happening in the broader threat landscape. A company that implements MFA might see its credential stuffing frequency drop dramatically, while an organization in a newly targeted sector might see frequency climb even with unchanged defenses.

This metric matters because it transforms risk conversations from vague concerns into comparable scenarios. Instead of arguing whether phishing or insider threats deserve more budget, you can compare their frequencies, magnitudes, and resulting expected losses and make decisions grounded in your actual risk profile. A low-frequency scenario can still carry the larger expected loss if each event is costly enough, which is exactly the kind of comparison intuition gets wrong.
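The comparison described above, worked through in code. This is an added example, not code or data from the page or from Plurilock: it builds a small constructed incident register, derives each scenario's LEF from the number of loss events observed in a fixed window, averages realized losses for loss magnitude, falls back to an assumed expert estimate when a scenario has too few events to average (the thin-data case), and ranks scenarios by ALE. All names, figures and the register layout are assumptions for illustration.

```python
from datetime import date
from statistics import mean

# Constructed incident register (assumed layout, not data from the page):
# (scenario, date the loss event occurred, realized loss in USD).
INCIDENTS = [
    ("phishing_credential_compromise", date(2022, 2, 14), 38_000),
    ("phishing_credential_compromise", date(2022, 9, 3), 52_000),
    ("phishing_credential_compromise", date(2023, 5, 21), 41_000),
    ("phishing_credential_compromise", date(2024, 1, 9), 60_000),
    ("phishing_credential_compromise", date(2024, 11, 30), 44_000),
    ("insider_data_exfiltration", date(2023, 8, 12), 310_000),
]

# Observation window: three calendar years of incident history (assumed).
WINDOW_START = date(2022, 1, 1)
WINDOW_END = date(2025, 1, 1)   # exclusive

# Expert estimate used when the register holds too few events of a type
# to support an average (assumed figure for the example).
EXPERT_LOSS_MAGNITUDE = {"insider_data_exfiltration": 250_000}
MIN_EVENTS_FOR_EMPIRICAL_MAGNITUDE = 3


def window_years(start, end):
    """Length of the observation window in years."""
    return (end - start).days / 365.25


def scenario_events(incidents, scenario, start, end):
    """Loss events of one scenario type that fall inside the window."""
    return [(d, loss) for s, d, loss in incidents
            if s == scenario and start <= d < end]


def loss_event_frequency(incidents, scenario, start=WINDOW_START, end=WINDOW_END):
    """Empirical LEF: loss events of this type per year over the window."""
    return len(scenario_events(incidents, scenario, start, end)) / window_years(start, end)


def loss_magnitude(incidents, scenario, start=WINDOW_START, end=WINDOW_END):
    """Average realized loss per event; falls back to an expert estimate when
    there are too few events to average (the thin-data case)."""
    losses = [loss for _, loss in scenario_events(incidents, scenario, start, end)]
    if len(losses) < MIN_EVENTS_FOR_EMPIRICAL_MAGNITUDE:
        return EXPERT_LOSS_MAGNITUDE[scenario]
    return mean(losses)


def rank_scenarios(incidents=INCIDENTS, start=WINDOW_START, end=WINDOW_END):
    """Return one row per scenario with LEF, loss magnitude (LM) and
    ALE = LEF x LM, highest ALE first."""
    rows = []
    for scenario in sorted({s for s, _, _ in incidents}):
        lef = loss_event_frequency(incidents, scenario, start, end)
        lm = loss_magnitude(incidents, scenario, start, end)
        rows.append({"scenario": scenario, "lef": lef, "lm": lm, "ale": lef * lm})
    return sorted(rows, key=lambda r: r["ale"], reverse=True)


if __name__ == "__main__":
    for r in rank_scenarios():
        print(f"{r['scenario']:32s} LEF={r['lef']:.2f}/yr  "
              f"LM=${r['lm']:,.0f}  ALE=${r['ale']:,.0f}")
```

With these constructed numbers the insider scenario ranks first despite occurring one-fifth as often, because its per-event loss is much larger. Note the fallback: one observed insider event is not a usable average, so the magnitude comes from an expert estimate, and a real analysis should record which inputs were measured and which were estimated.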

Origin

Loss Event Frequency emerged from the insurance and actuarial sciences, where calculating the frequency of claims has been standard practice for over a century. The concept migrated into information security as the field matured beyond purely technical controls and began adopting risk management frameworks from other disciplines. Early attempts at quantitative security risk analysis in the 1980s and 1990s often struggled because organizations lacked the incident data and measurement practices to generate meaningful frequency estimates.

The real shift came in the 2000s as organizations started implementing Security Information and Event Management (SIEM) systems and developing more systematic incident response capabilities. The FAIR framework, introduced by Jack Jones in the mid-2000s, formalized Loss Event Frequency as a specific component of its risk model, deriving it from threat event frequency (how often threat actors act against the asset) and vulnerability (the probability that a given threat event becomes a loss event), so that LEF = TEF × Vulnerability. This distinction clarified that frequency is not just a matter of external threat activity but of the interaction between threats and defensive posture.
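The decomposition above, as an added example that is not code from the page or from the FAIR standard's own tooling. It computes the FAIR point estimate LEF = TEF × Vulnerability, shows how a control that only lowers vulnerability (MFA against credential stuffing, as the page mentions) changes LEF, and then goes one step further than the text with a seeded Monte Carlo run: threat events per year are drawn from a Poisson distribution with mean TEF, each becoming a loss event with probability equal to vulnerability, so you see the spread of plausible years and not only the average. The scenario figures (24 campaigns per year, vulnerability 0.30 before MFA and 0.02 after) are constructed for illustration.

```python
import math
import random
from statistics import mean, quantiles


def point_lef(tef, vulnerability):
    """FAIR point estimate: LEF = TEF x Vulnerability, where TEF is threat
    events per year and vulnerability is the probability that a threat
    event becomes a loss event."""
    return tef * vulnerability


def lef_reduction(vulnerability_before, vulnerability_after):
    """Fractional LEF reduction from a control that only changes
    vulnerability (TEF unchanged): 1 - V_after / V_before."""
    return 1.0 - vulnerability_after / vulnerability_before


def sample_poisson(rng, lam):
    """Poisson sample by Knuth's method (adequate for the small rates here)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_lef(tef_mean, vulnerability, years=10_000, seed=7):
    """Monte Carlo LEF: for each simulated year draw the number of threat
    events from Poisson(tef_mean), then count how many become loss events,
    each succeeding independently with probability = vulnerability."""
    rng = random.Random(seed)
    lefs = []
    for _ in range(years):
        threat_events = sample_poisson(rng, tef_mean)
        loss_events = sum(1 for _ in range(threat_events)
                          if rng.random() < vulnerability)
        lefs.append(loss_events)
    return lefs


def summarize(lefs):
    """Mean and 5th/50th/95th percentiles of simulated loss events per year."""
    q = quantiles(lefs, n=20)   # 19 cut points: q[0]=5%, q[9]=50%, q[18]=95%
    return {"mean": mean(lefs), "p5": q[0], "p50": q[9], "p95": q[18]}


# Constructed scenario: credential stuffing against a customer portal.
TEF = 24.0              # assumed: 24 credential-stuffing campaigns per year
VULN_BEFORE_MFA = 0.30  # assumed: 30% of campaigns yield account takeover
VULN_AFTER_MFA = 0.02   # assumed: MFA drops that to 2%


def compare_control():
    """LEF before and after the control: point estimates and simulated spread."""
    return {
        "point_before": point_lef(TEF, VULN_BEFORE_MFA),
        "point_after": point_lef(TEF, VULN_AFTER_MFA),
        "reduction": lef_reduction(VULN_BEFORE_MFA, VULN_AFTER_MFA),
        "sim_before": summarize(simulate_lef(TEF, VULN_BEFORE_MFA)),
        "sim_after": summarize(simulate_lef(TEF, VULN_AFTER_MFA)),
    }


if __name__ == "__main__":
    for key, value in compare_control().items():
        print(key, value)
```

The point estimate drops from 7.2 to 0.48 loss events per year, a 93% reduction, with TEF untouched: attackers keep trying just as often, but far fewer attempts become loss events. The simulated percentiles are what you would carry into a loss-magnitude calculation when you want a range rather than a single expected value.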

As breach disclosure requirements expanded through regulations like HIPAA and state-level laws, more data became available through both mandatory reporting and voluntary information sharing organizations. This growing data pool, combined with improved analytics capabilities, has made frequency estimation increasingly sophisticated, though challenges around data quality and comparability persist.

Why It Matters

Modern cybersecurity investments increasingly demand quantitative justification. Executives and boards want to know not just that threats exist, but how likely they are and what they will cost. Loss Event Frequency provides the foundation for those conversations, turning abstract threats into projected incident counts that finance teams can work with. When you can say "we expect 12 successful business email compromise incidents this year at an average cost of $47,000 each," you are speaking a language that resonates in budget discussions.

The metric also reveals how security investments change risk over time. After deploying endpoint detection and response tools, organizations should see frequency drop for certain incident types; if it does not, that is valuable feedback about effectiveness. Similarly, rising frequency for a particular event type signals either deteriorating controls or increased threat actor focus, both of which demand attention. One caveat when reading such trends: confirm that the counting method did not change at the same time, since better visibility after a tooling rollout can raise the observed count of an incident type even while its true frequency is falling.

The challenge is getting frequency estimates that are actually useful. Too many organizations either rely on generic industry statistics that don't reflect their specific environment, or they lack the incident tracking rigor to generate reliable internal numbers. Underestimating frequency leads to inadequate preparation, while overestimating can justify wasteful spending on low-probability scenarios. The discipline required to track, categorize, and analyze security events consistently is substantial, but it's what makes the difference between frequency estimates that inform decisions and ones that just fill spreadsheets.

The Plurilock Advantage

Plurilock's governance, risk, and compliance services help organizations develop the data collection and analysis capabilities needed for meaningful loss event frequency calculations.

Our Cyber Risk Quantification practice works with your actual incident data, threat intelligence, and control effectiveness measures to generate frequency estimates grounded in your environment rather than generic industry averages.

We help establish the tracking systems and categorization frameworks that turn incident response into usable risk data, then connect those frequency measures to business impact analysis for genuinely informed risk decisions. This isn't about filling in a FAIR template—it's about building the measurement discipline that makes quantitative risk management actually work.
