Factor Analysis of Information Risk (FAIR)
Factor Analysis of Information Risk (FAIR) is a quantitative risk analysis methodology that helps organizations measure and understand cybersecurity and operational risk in financial terms.
Developed by Jack Jones, FAIR provides a standardized framework for assessing risk by breaking it down into its fundamental components and expressing the results in dollar amounts rather than abstract risk ratings.
The FAIR model defines risk as the probable frequency and probable magnitude of future loss. Loss event frequency is derived from threat event frequency and vulnerability (how likely a threat event is to become a loss event); the model examines factors such as the motivation and capability of threat actors, the strength of controls, and the potential impact of successful attacks on an organization's assets.
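The decomposition above (loss event frequency from threat event frequency and vulnerability, combined with loss magnitude) as an added Monte Carlo illustration. This is not code from the glossary or from any FAIR tool, and the phishing scenario ranges are constructed assumptions, not real data.

```python
"""Minimal FAIR-style Monte Carlo: turns Threat Event Frequency (TEF),
Vulnerability and Loss Magnitude (LM) estimates into an annualized loss
distribution. Added example; all input ranges are constructed."""
import random
import statistics
from dataclasses import dataclass


@dataclass
class FairScenario:
    """Calibrated (min, most likely, max) estimates for one loss scenario."""
    tef: tuple             # threat events per year
    vulnerability: tuple   # P(threat event becomes a loss event), 0..1
    loss_magnitude: tuple  # cost per loss event, in dollars


def _sample(rng, triple):
    lo, mode, hi = triple
    return rng.triangular(lo, hi, mode)  # stdlib signature: (low, high, mode)


def simulate_annual_losses(scenario, years=10_000, seed=1):
    """Return one simulated annual loss total per year (seeded for repeatability)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        tef = round(_sample(rng, scenario.tef))        # threat events this year
        vuln = _sample(rng, scenario.vulnerability)
        annual = 0.0
        for _ in range(tef):
            if rng.random() < vuln:                    # threat event -> loss event
                annual += _sample(rng, scenario.loss_magnitude)
        losses.append(annual)
    return losses


def summarize(losses):
    """Mean annualized loss exposure plus tail percentiles, in dollars."""
    ordered = sorted(losses)
    pct = lambda p: ordered[min(len(ordered) - 1, int(p * len(ordered)))]
    return {"ale_mean": statistics.fmean(losses),
            "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}


def expected_annual_loss(scenario):
    """Point estimate E[TEF] * E[Vuln] * E[LM]; triangular mean is (lo+mode+hi)/3."""
    mean = lambda t: sum(t) / 3
    return mean(scenario.tef) * mean(scenario.vulnerability) * mean(scenario.loss_magnitude)


# Constructed scenario: credential phishing against a finance team.
PHISHING = FairScenario(tef=(2, 8, 20), vulnerability=(0.1, 0.3, 0.5),
                        loss_magnitude=(10_000, 100_000, 500_000))

if __name__ == "__main__":
    print(f"point estimate: ${expected_annual_loss(PHISHING):,.0f}")
    for k, v in summarize(simulate_annual_losses(PHISHING)).items():
        print(f"{k}: ${v:,.0f}")
```

The p90/p95 values are what lets a control budget be compared against a tail loss rather than only an average, which is the decision the paragraph above describes.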
FAIR's strength lies in its ability to translate technical risks into business language that executives and stakeholders can understand and use for decision-making. By quantifying risk in monetary terms, organizations can better prioritize security investments, compare cybersecurity risks against other business risks, and justify budget allocations for security controls.
The methodology has gained widespread adoption across industries and has influenced international standards like ISO 27005. Many organizations use FAIR-based tools and platforms to conduct risk assessments, enabling more data-driven approaches to cybersecurity governance and helping bridge the communication gap between technical teams and business leadership.
Plurilock's risk management experts can guide your Factor Analysis of Information Risk deployment.