jan-karel.com

FAIR Quantitative Risk Analysis: Calculate Cyber Risk in Euros

How much does a cyber incident really cost your organisation? Most risk analyses stop at vague labels such as "high" or "medium". The FAIR model breaks that deadlock by translating cyber risk into concrete euro amounts. Our FAIR Quantitative Risk Analysis tool applies this internationally recognised model so you get a defensible estimate of the expected annual loss, and of which security investments pay for themselves.

What is the FAIR Quantitative Risk Analysis tool?

Our FAIR tool is an online cybersecurity risk analysis that applies the FAIR model (Factor Analysis of Information Risk) to estimate the financial impact of cyber threats. Rather than sorting risks into abstract categories, the tool calculates two core metrics:

  • Annual Loss Expectancy (ALE) -- the expected total loss per year from a specific threat scenario, expressed in euros.
  • Single Loss Expectancy (SLE) -- the expected loss from a single incident, so you know what is at stake if things go wrong.

The tool combines threat frequency, vulnerability, impact factors and existing security controls into a complete financial risk profile. The result is an analysis that executives, board members and financial stakeholders understand, because it speaks about risk in their language: euros.

Whether you are a CISO looking to justify budget, an IT manager who needs to set priorities, or a business owner who wants to know where the greatest risks lie: this tool gives you the numbers you need to make well-informed decisions.

Methodology: the FAIR model explained

FAIR is the only international open standard for quantitative information risk analysis: it is standardised by The Open Group as Open FAIR (the O-RT risk taxonomy and O-RA risk analysis standards) and promoted by the FAIR Institute. The model is recognised by leading frameworks and organisations:

  • ISACA -- references FAIR in its Risk IT framework and COBIT risk guidance as a compatible quantitative method.
  • NIST -- the Cybersecurity Framework's higher implementation tiers call for repeatable, risk-informed decision-making, which quantitative analysis supports.
  • ISO 31000 -- FAIR is fully compatible with this international standard for risk management.

The FAIR decomposition

The core principle of FAIR is the decomposition of risk into measurable components. Risk is defined as:

Risk = Loss Event Frequency (LEF) × Loss Magnitude (LM)

Loss Event Frequency is further broken down into Threat Event Frequency (how often does a threat act against the asset?) and Vulnerability (what is the probability that a threat event becomes an actual loss event? In FAIR this follows from the attacker's capability measured against the strength of your controls). Loss Magnitude is split into Primary Loss (direct costs borne by the organisation itself, such as recovery, downtime and replacement) and Secondary Loss (indirect costs such as fines, reputational damage and customer attrition, which arise when customers, regulators or partners react to the incident; FAIR models it as a secondary loss event frequency times a secondary loss magnitude).

By estimating each factor separately, as a range rather than a single number, and then combining them, you get a more defensible estimate than when you try to assess the risk as a whole. Our tool uses Monte Carlo-style estimation: it samples the factor ranges many times over, so the output is not just a point estimate but a distribution that shows the range of possible outcomes.
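The decomposition above, carried through as a small Monte Carlo simulation. This is an added illustration written for this page, not the tool's own code: the Estimate and Scenario classes, the triangular sampling (FAIR tooling more commonly uses a PERT distribution) and the ransomware figures are assumptions constructed for the example. It also reproduces the ALE and SLE definitions used later on this page, including the FAQ's data-breach figures when each estimate is collapsed to a single value.

```python
"""FAIR-style Monte Carlo estimate of ALE and SLE (added illustration).

Follows the decomposition on this page:
    Risk = LEF x LM,   LEF = TEF x Vulnerability,
    LM   = Primary Loss + Secondary LEF x Secondary Loss
Each factor is a calibrated (min, most likely, max) estimate sampled from a
triangular distribution. All input figures are constructed for the example
and are not the tool's calibration data.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point calibrated estimate of one FAIR factor."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3  # triangular mean

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # P(threat event becomes a loss event), 0..1
    primary_loss: Estimate    # euros per loss event (recovery, downtime, forensics)
    secondary_lef: Estimate   # P(loss event triggers secondary losses), 0..1
    secondary_loss: Estimate  # euros when it does (fines, churn, reputation)


def expected_ale(s: Scenario) -> float:
    """Point estimate from factor means: LEF x LM."""
    lef = s.tef.mean() * s.vulnerability.mean()
    lm = s.primary_loss.mean() + s.secondary_lef.mean() * s.secondary_loss.mean()
    return lef * lm


def _poisson(lam: float, rng: random.Random) -> int:
    """Number of loss events in one simulated year (Knuth's method)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def _percentile(sorted_values, p: float) -> float:
    return sorted_values[int(p * (len(sorted_values) - 1))]


def simulate(s: Scenario, years: int = 20_000, seed: int = 7) -> dict:
    """Simulate `years` independent years; return ALE/SLE statistics in euros."""
    rng = random.Random(seed)
    annual, per_event = [], []
    for _ in range(years):
        lef = s.tef.sample(rng) * s.vulnerability.sample(rng)
        total = 0.0
        for _ in range(_poisson(lef, rng)):
            loss = s.primary_loss.sample(rng)
            if rng.random() < s.secondary_lef.sample(rng):
                loss += s.secondary_loss.sample(rng)
            per_event.append(loss)
            total += loss
        annual.append(total)
    annual.sort()
    return {
        "ale_mean": statistics.fmean(annual),
        "ale_p10": _percentile(annual, 0.10),
        "ale_p50": _percentile(annual, 0.50),
        "ale_p90": _percentile(annual, 0.90),
        "sle_mean": statistics.fmean(per_event) if per_event else 0.0,
        "years_with_loss": sum(1 for a in annual if a > 0) / years,
    }


# Constructed ransomware scenario for a mid-sized firm (illustrative figures).
RANSOMWARE = Scenario(
    name="Ransomware attack",
    tef=Estimate(0.5, 2.0, 6.0),
    vulnerability=Estimate(0.05, 0.15, 0.40),
    primary_loss=Estimate(50_000, 150_000, 600_000),
    secondary_lef=Estimate(0.3, 0.5, 0.8),
    secondary_loss=Estimate(20_000, 100_000, 500_000),
)

if __name__ == "__main__":
    print(f"point estimate ALE: {expected_ale(RANSOMWARE):,.0f} EUR")
    for key, value in simulate(RANSOMWARE).items():
        print(f"{key:>15}: {value:,.2f}")
```

Two things the point estimate alone does not show: most simulated years carry no loss at all (`years_with_loss`), while the P90 year is several times the mean, which is the tail a board should budget against. Setting the three points of each estimate to the same value collapses the model to the FAQ's arithmetic, for instance an SLE of 200,000 euros at 0.3 loss events per year gives an ALE of 60,000 euros.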

How does the tool work? 4 steps to financial risk insight

Step 1: Select a threat scenario

You start by selecting a specific threat scenario you want to analyse. The tool offers six scenarios that together cover the most significant part of the cyber risk landscape:

  • Ransomware attack -- encryption of systems accompanied by ransom demands.
  • Data breach (external) -- unauthorised access to sensitive data by external attackers.
  • Insider threat -- intentional or unintentional damage caused by employees.
  • DDoS attack -- overloading of systems with the aim of causing operational disruption.
  • Supply chain compromise -- attack via a supplier or supply chain.
  • Phishing/BEC fraud -- social engineering aimed at financial fraud.

You then estimate the frequency: from very unlikely (once every 10 years) to very likely (multiple times per year). FAIR always starts with the specific threat scenario because different threats have fundamentally different risk profiles. A ransomware attack has a different frequency and impact pattern than a DDoS attack.

Step 2: Assess vulnerability

In the second step, you assess the vulnerability level of your organisation for the chosen scenario. This ranges from very low (extensive controls in place) to very high (minimal security). You also indicate how quickly an incident would be detected: from immediately (minutes) to very slowly (months).

The vulnerability factor is a crucial component of the FAIR model. A high threat frequency does not necessarily lead to loss if vulnerability is low. Consider an organisation that receives daily phishing attempts but is virtually never actually compromised thanks to strong filters and well-trained staff. Detection speed influences the extent of damage: the longer an incident goes unnoticed, the greater the potential harm.

Step 3: Estimate impact

The third step quantifies the potential damage. You enter your annual revenue and number of employees as scaling factors and select which impact categories apply:

  • Direct financial loss -- ransom, recovery costs, forensic investigation.
  • Operational downtime -- productivity loss and revenue shortfall.
  • Reputational damage -- loss of customer trust and brand value.
  • Fines and legal costs -- GDPR fines, lawsuits, notification obligations.
  • Customer and contract loss -- cancellations and missed engagements.
  • Intellectual property loss -- theft of trade secrets or innovations.

FAIR distinguishes between primary losses (direct costs that occur immediately) and secondary losses (indirect costs that arise later, such as reputational damage). This breakdown makes it clear that the total damage from a cyber incident is often many times greater than the direct recovery costs alone.

Step 4: Factor in existing controls

In the final step, you indicate which security controls are already in place. The tool takes ten commonly used controls into account:

  • MFA (Multi-Factor Authentication)
  • EDR/XDR (Endpoint Detection & Response)
  • Encryption of data at rest and in transit
  • Backup following the 3-2-1 principle
  • Incident Response Plan
  • Security Awareness Training
  • Network segmentation
  • Vulnerability Management
  • Cyber insurance
  • DLP (Data Loss Prevention)

Each control acts on one side of the FAIR equation. Preventive controls such as MFA lower vulnerability, the probability that a threat event becomes a loss event, and therefore the loss event frequency; mitigating controls such as backups or an incident response plan limit the loss magnitude once an incident has occurred. Detection controls such as EDR do a bit of both: they stop some attacks outright and shorten the time to containment for the rest. Cyber insurance is the exception: it changes neither the frequency nor the size of an incident but transfers part of the loss to the insurer. The tool calculates the combined effect of your current set of controls on the ALE. Note that reductions do not simply add up: each control removes a share of the risk that remains after the others, so the combined reduction is smaller than the sum of the individual reductions.

What do you get?

After completing the four steps, the tool generates a complete financial risk profile:

  • Annual Loss Expectancy (ALE) -- the expected annual loss in euros. This is the core result on which you can base security budgets and investment decisions.
  • Single Loss Expectancy (SLE) -- the expected loss per incident. Essential for determining the impact of a single incident on your organisation.
  • Frequency analysis -- an overview of the estimated annual frequency with which the threat scenario results in an actual loss, factoring in your vulnerability and controls.
  • Risk matrix -- a visual representation of your risk position based on frequency and impact.
  • Impact breakdown by category -- a breakdown of the expected damage across the six impact categories, so you can see where the greatest financial consequences lie.
  • Control savings -- a calculation of how much risk reduction your existing security controls deliver, expressed in euros.

Free report: instant insight into your cyber risk

What does the free report include?

The free PDF report contains the core results of your FAIR analysis. You receive a clear document with the calculated ALE and SLE, the risk matrix, and the key recommendations to reduce your risk. This report is immediately suitable for sharing with management and colleagues for risk communication.

  • ALE and SLE calculation in euros
  • Visual risk matrix
  • Top recommendations based on your profile
  • Suitable for management presentations

Premium analysis: the full FAIR decomposition

Premium FAIR Analysis -- € 89 excl. VAT

The premium report goes significantly deeper and delivers a boardroom-ready analysis that you can use directly for investment decisions and risk accountability.

  • Full FAIR decomposition -- all factors (TEF, vulnerability, LEF, primary loss, secondary loss) elaborated with supporting rationale.
  • Confidence intervals -- a range around the ALE and SLE rather than a single figure, so you know not only the expected value but also the best-case and worst-case outcomes the simulation produced.
  • Primary and secondary loss components -- detailed breakdown of direct costs (recovery, downtime, forensics) and indirect costs (reputation, fines, customer loss).
  • Cost-benefit analysis per control -- for each security control, a calculation of the expected investment versus the risk reduction, including Return on Security Investment (ROSI).
  • Risk reduction scenarios -- multiple scenarios showing how much your ALE decreases when implementing specific combinations of controls.
  • Boardroom-ready PDF -- professionally formatted report with charts, tables and executive summary, ready to present to executives and the board.

Free vs. premium comparison

Component                                     Free   Premium
ALE and SLE calculation                       Yes    Yes
Risk matrix                                   Yes    Yes
Top recommendations                           Yes    Yes
Full FAIR decomposition                       --     Yes
Confidence intervals                          --     Yes
Primary and secondary loss components         --     Yes
Cost-benefit analysis per control with ROSI   --     Yes
Risk reduction scenarios                      --     Yes
Boardroom-ready PDF                           --     Yes

Frequently Asked Questions

What is the FAIR model?

FAIR stands for Factor Analysis of Information Risk and is the only international open standard for quantitative information risk analysis. The model was developed by Jack Jones, is standardised by The Open Group as Open FAIR and is promoted by the FAIR Institute. Unlike qualitative methods that categorise risks as high, medium or low, FAIR calculates the expected financial loss in euros. It achieves this by decomposing risk into measurable factors: threat event frequency, vulnerability and loss magnitude.

What is the difference between FAIR and qualitative risk analysis?

Qualitative risk analysis uses subjective labels that mean something different to everyone. What one risk manager rates as "high", another calls "medium". FAIR reduces this subjectivity by expressing risk in euros: the inputs are still estimates, but they are explicit ranges that can be challenged, compared and refined. This offers three advantages: risks become comparable on one scale, investments can be justified with a business case, and communication with executives becomes easier because you are speaking their language.

How reliable is the Annual Loss Expectancy (ALE)?

The ALE is a statistical expected value, not a prediction of what will happen in a given year. Its reliability depends directly on the quality of the input estimates. Because the tool runs a Monte Carlo simulation over ranges rather than single values, it yields not only a point estimate but also a spread of outcomes. The premium report shows this spread as an interval, so you know that the ALE lies, for example, between 50,000 and 250,000 euros with 90% confidence (the 5th to 95th percentile of the simulated outcomes). Such a range is more honest and more useful than a seemingly precise but unfounded single figure.

Who uses the FAIR model?

FAIR is deployed worldwide by organisations across all sectors. Major financial institutions, insurers, government agencies and technology companies apply the model for risk management and compliance reporting. The FAIR Institute has thousands of members in more than 100 countries. In the Netherlands, adoption is growing particularly in the financial sector, healthcare and among organisations that fall under NIS2. The model is recognised by ISACA, the NIST Cybersecurity Framework and is compatible with ISO 31000.

How do I translate a FAIR analysis into investment decisions?

The ALE is the expected annual loss with the controls you have today. Suppose your ALE for ransomware is 150,000 euros and adding EDR and 3-2-1 backups reduces it by 60%. The annual risk reduction is then 90,000 euros. If those controls cost 40,000 euros per year, the Return on Security Investment is ROSI = (risk reduction - annual cost) / annual cost = (90,000 - 40,000) / 40,000 = 125%. A ROSI below 0% means the control costs more than the risk it removes at your ALE, which does not make it useless (it may still be required by a regulator or a contract), but it does mean it cannot be justified on loss reduction alone. The premium report calculates this ROSI automatically for each control, giving you an objective prioritisation for your security budget.
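Step 4 above and the ROSI calculation in this answer, as an added example that is not the tool's own code: how controls with a preventive effect (on frequency) and a mitigating effect (on magnitude) combine, and how ROSI ranks them. The Control class, the reduction percentages and the annual costs are assumptions constructed to reproduce this answer's figures (ALE 150,000 euros, 60% reduction for 40,000 euros a year); DLP is added with figures chosen so that it does not pay back at this ALE.

```python
"""Cost-benefit of security controls against a FAIR ALE (added illustration).

Assumption, not from the page: each control is described by the fraction of
loss event frequency it removes (preventive effect), the fraction of loss
magnitude it removes (mitigating effect) and its annual cost. Reductions on
the same factor combine multiplicatively (residual = product of (1 - r)),
so two controls that each remove 50 % leave 25 % of the risk, not 0 %.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    lef_reduction: float   # fraction of LEF removed, 0..1
    lm_reduction: float    # fraction of LM removed, 0..1
    annual_cost: float     # euros per year, licences plus operations


def residual_ale(ale: float, controls) -> float:
    """ALE that remains after applying `controls` to a baseline ALE."""
    lef_factor = lm_factor = 1.0
    for c in controls:
        if not (0 <= c.lef_reduction <= 1 and 0 <= c.lm_reduction <= 1):
            raise ValueError(f"{c.name}: reductions must be fractions in 0..1")
        lef_factor *= 1 - c.lef_reduction
        lm_factor *= 1 - c.lm_reduction
    return ale * lef_factor * lm_factor


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on Security Investment: (risk reduction - cost) / cost."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    return (ale_before - ale_after - annual_cost) / annual_cost


def evaluate(ale: float, controls) -> dict:
    """Reduction, cost and ROSI of one set of controls taken together."""
    after = residual_ale(ale, controls)
    cost = sum(c.annual_cost for c in controls)
    return {"ale_after": after, "reduction": ale - after,
            "cost": cost, "rosi": rosi(ale, after, cost)}


def rank_controls(ale: float, controls) -> list:
    """Each control on its own, best ROSI first; negative ROSI = does not pay back."""
    rows = [(c.name, evaluate(ale, [c])) for c in controls]
    rows.sort(key=lambda row: row[1]["rosi"], reverse=True)
    return rows


# Constructed figures reproducing the FAQ example: ALE 150 000, EDR + backups
# removing 60 % of the risk for 40 000 a year. DLP is chosen to show a control
# whose cost exceeds the risk it removes at this ALE.
BASELINE_ALE = 150_000
CONTROLS = [
    Control("EDR/XDR", lef_reduction=0.5, lm_reduction=0.0, annual_cost=25_000),
    Control("Backup 3-2-1", lef_reduction=0.0, lm_reduction=0.2, annual_cost=15_000),
    Control("DLP", lef_reduction=0.0, lm_reduction=0.1, annual_cost=20_000),
]

if __name__ == "__main__":
    for name, r in rank_controls(BASELINE_ALE, CONTROLS):
        print(f"{name:<13} reduction {r['reduction']:>8,.0f}"
              f"  cost {r['cost']:>7,.0f}  ROSI {r['rosi']:+.0%}")
    combo = evaluate(BASELINE_ALE, CONTROLS[:2])
    print(f"EDR + backups: ALE {combo['ale_after']:,.0f}, ROSI {combo['rosi']:+.0%}")
    everything = evaluate(BASELINE_ALE, CONTROLS)
    print(f"all three:     ALE {everything['ale_after']:,.0f}, ROSI {everything['rosi']:+.0%}")
```

Because reductions multiply, the third control removes less than it would on its own (the full set leaves 36% of the baseline rather than 30%), so a tool's "control savings" for a set is not the sum of the individual savings, and the ranking of a control can change depending on what is already deployed.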

Is FAIR suitable for SMEs?

Absolutely. Although FAIR was originally developed for large organisations with dedicated risk teams, the model is scalable. Our tool simplifies the FAIR methodology so that you can perform a quantitative risk analysis without specialist knowledge. Especially for SMEs, it is valuable to know that the expected annual loss from ransomware is, say, 80,000 euros, so that an investment of 15,000 euros in security controls is economically justified.

What is the difference between SLE and ALE?

The Single Loss Expectancy (SLE) is the expected loss from a single incident; in FAIR terms it corresponds to the loss magnitude. The Annual Loss Expectancy (ALE) is the expected total loss per year. The relationship is ALE = SLE × ARO, where the Annualised Rate of Occurrence (ARO) is the expected number of loss events per year, FAIR's loss event frequency. A concrete example: if a data breach is expected to cost 200,000 euros (SLE) and the expected rate is 0.3 loss events per year, roughly once every three years, the ALE is 60,000 euros. The SLE is important for incident planning and insurance coverage, while the ALE forms the basis for annual budgeting.

Free analysis: calculate the expected financial loss from cyber threats right away and receive your ALE, SLE and risk matrix in a clear PDF report.

Premium analysis (€ 89 excl. VAT): the full FAIR decomposition with confidence intervals, cost-benefit analysis per control with ROSI, risk reduction scenarios and a boardroom-ready PDF.