Quantitative risk analysis model that expresses cyber and operational risk in financial terms using loss-event frequency and magnitude.

FAIR provides a taxonomy and methodology to measure information risk by decomposing it into loss-event frequency and loss magnitude, enabling Monte Carlo simulations and cost-benefit analysis. Organizations use FAIR to prioritize security investments by translating technical vulnerabilities into dollar exposure. A bank, for instance, might model the annualized loss expectancy of a ransomware scenario to justify endpoint-detection budgets. FAIR is maintained by the FAIR Institute and integrates with tools like RiskLens.