Risk Quantification Calculator (FAIR Model)
Calculate Annual Loss Expectancy (ALE) using FAIR methodology. Input threat event frequency, vulnerability probability, and asset value to quantify cyber risk financially. Model loss event frequency and magnitude for risk prioritization.
Calculator inputs (selecting a threat type auto-populates the frequency estimates):
- Loss Event Frequency (LEF): Threat Event Frequency, the expected threat attempts per year; Vulnerability, the likelihood the threat succeeds if attempted (0-100%)
- Primary Loss Magnitude (direct costs): replacement (data, systems, IP value lost); productivity (downtime, lost revenue, labor); response (incident response, forensics, remediation)
- Secondary Loss Magnitude (indirect costs): reputation (customer churn, brand damage, lost deals); fines and judgments (GDPR, HIPAA, PCI fines and legal fees)
Introduction
Traditional IT risk assessments score risk as "High / Medium / Low", a qualitative categorization that means nothing to a CFO deciding between a $500,000 security investment and a $2M cyber insurance policy. The FAIR (Factor Analysis of Information Risk) model, created by Jack Jones and published by The Open Group as the Open FAIR standard, with the FAIR Institute as its community body, translates risk into dollars. It answers the question every executive actually cares about: what is the probable financial loss if this risk event occurs, and how does the investment required to reduce it compare to the expected annual loss? No framework mandates FAIR; NIST CSF 2.0, for example, is method-agnostic, but FAIR is widely used to produce the quantified inputs its risk assessment (ID.RA) outcomes call for. Organizations that quantify risk in dollars can compare controls on a common basis, showing which ones reduce expected annual loss by the most per dollar spent, which is something a qualitative heat map cannot express.
What This Calculator Does
This calculator applies the FAIR model to estimate the annualized loss expectancy (ALE) for a specific risk scenario from threat event frequency, vulnerability probability, primary loss magnitude (productivity, response, replacement) and secondary loss magnitude (reputation, fines and judgments, competitive advantage). It outputs a loss event frequency distribution, a probable loss magnitude range, and an annual loss expectancy figure for use in risk prioritization and security investment justification.
The Formula
FAIR decomposes risk into two top-level factors: Loss Event Frequency (how often does this bad thing happen?) and Loss Magnitude (how much does it cost when it does?). Loss Event Frequency is the product of Threat Event Frequency (how often does the threat act against the asset?) and Vulnerability (what is the probability that the threat succeeds when it acts?). In the full FAIR taxonomy, Vulnerability is itself derived from Threat Capability measured against the asset's Resistance Strength, which is why a control such as MFA or EDR is modelled as lowering Vulnerability rather than Threat Event Frequency. Loss Magnitude combines Primary Loss (direct costs to the organization: productivity, response, replacement) with Secondary Loss (costs arising from the reactions of secondary stakeholders such as customers, regulators and courts: reputation, fines and judgments, competitive advantage). Secondary loss does not follow every loss event, so it carries its own probability of occurring given a primary loss. All inputs are expressed as ranges with minimum, most likely, and maximum values (typically fitted to a PERT distribution) to capture uncertainty, and annualized risk is Loss Event Frequency multiplied by Loss Magnitude.
Step-by-Step Example
Define the risk scenario precisely
Scenario: Ransomware attack on company file servers by external criminal actor. Asset: file server containing customer and operational data. Threat actor: organized ransomware group. Threat effect: encrypt and exfiltrate data, demand ransom. This specificity is required for FAIR -- 'ransomware risk' is too vague to produce useful quantification.
Estimate threat event frequency
How many times per year does this type of threat actor attempt to compromise a company of this size and industry? For this example, assume external ransomware attempts against a $50M technology company fall between 2 and 8 per year: minimum 2, most likely 4, maximum 8. Industry sources such as the Verizon DBIR report incident and breach patterns by sector and can help bound the range, but the estimate should be calibrated against your own telemetry (blocked phishing, EDR alerts, perimeter activity attributable to this actor type). Vulnerability (probability of success per attempt) given current controls (MFA deployed, EDR active): minimum 5%, most likely 8%, maximum 15%.
Estimate loss magnitude
Primary loss if ransomware succeeds (most-likely values): Response (IR costs) $150,000, System recovery $80,000, Productivity loss (3 days) $120,000, Ransom payment option $200,000. Primary total: $550,000. Secondary loss: Regulatory notification and fines $200,000, Reputational damage (customer churn) $180,000. Secondary total: $380,000. Total loss magnitude: $930,000 per event. Two caveats: the ransom line is a decision rather than a certainty, so either model paying and not paying as separate outcomes or weight it by how likely the organization is to pay; and secondary losses do not follow every event, so a full FAIR analysis gives them their own probability (secondary loss event frequency) instead of adding them at 100%.
Calculate ALE and control comparison
Using the most-likely values: LEF = 4 attempts x 8% = 0.32 loss events/year. ALE = 0.32 x $930,000 = $297,600/year. Control option: improve endpoint detection to reduce vulnerability from 8% to 3% at a cost of $35,000/year. New ALE: 4 x 3% x $930,000 = $111,600. Annual risk reduction: $186,000. Net benefit: $186,000 - $35,000 = $151,000/year. Control ROI: $151,000 / $35,000 = 431%. This single-point arithmetic is the quick path; propagating the minimum and maximum values through a Monte Carlo simulation yields a loss distribution whose mean lands near this figure but also exposes the percentiles that matter for worst-case planning.
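The following Python is an added example, not code from the calculator page, that carries the formula section and the four steps above through both paths: the single-point ALE and ROI arithmetic, and a Monte Carlo run that propagates the min / most-likely / max ranges through LEF = TEF x Vulnerability with a Poisson event count per simulated year. The threat event frequency and vulnerability ranges are the ones stated in the example; the primary and secondary loss ranges, the probability that a secondary loss follows a primary one, and the post-control vulnerability range are assumptions chosen for illustration.

```python
"""FAIR Monte Carlo: propagate min / most-likely / max inputs through
LEF = TEF x Vulnerability and annual loss = sum of per-event losses.
Standard library only; PERT sampling uses random.betavariate."""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean


def pert_sample(rng, lo, mode, hi, lam=4.0):
    """One draw from a PERT (scaled Beta) distribution, the usual FAIR way
    to turn an expert's min / most likely / max estimate into a distribution."""
    if not lo <= mode <= hi:
        raise ValueError("need lo <= mode <= hi")
    if hi == lo:
        return lo
    alpha = 1 + lam * (mode - lo) / (hi - lo)
    beta = 1 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def poisson_sample(rng, lam):
    """Number of loss events in one simulated year at expected rate lam
    (Knuth's method; adequate for the small rates FAIR scenarios produce)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


@dataclass
class Scenario:
    """Every field is a (min, most_likely, max) triple."""
    tef: tuple             # threat events per year
    vuln: tuple            # P(a threat event becomes a loss event)
    primary: tuple         # primary loss per loss event, dollars
    secondary_prob: tuple  # P(a secondary loss follows a loss event)
    secondary: tuple       # secondary loss per loss event, dollars


def point_ale(tef, vuln, primary, secondary):
    """The calculator's single-point path: TEF x Vuln x (primary + secondary)."""
    return tef * vuln * (primary + secondary)


def control_roi(ale_before, ale_after, annual_control_cost):
    """Return (annual risk reduction, net benefit, ROI as a fraction of cost)."""
    reduction = ale_before - ale_after
    net = reduction - annual_control_cost
    return reduction, net, net / annual_control_cost


def simulate(scenario, years=20_000, seed=1):
    """Simulate `years` independent years and summarise the annual loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = pert_sample(rng, *scenario.tef) * pert_sample(rng, *scenario.vuln)
        total = 0.0
        for _ in range(poisson_sample(rng, lef)):
            total += pert_sample(rng, *scenario.primary)
            if rng.random() < pert_sample(rng, *scenario.secondary_prob):
                total += pert_sample(rng, *scenario.secondary)
        losses.append(total)
    losses.sort()

    def percentile(q):
        return losses[min(int(q * years), years - 1)]

    return {
        "mean_ale": mean(losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p_any_loss": sum(1 for x in losses if x > 0) / years,
    }


# Ransomware scenario from the worked example. TEF and vulnerability ranges are
# the page's; the loss ranges and secondary-loss probability are assumptions.
RANSOMWARE = Scenario(
    tef=(2, 4, 8),
    vuln=(0.05, 0.08, 0.15),
    primary=(350_000, 550_000, 900_000),
    secondary_prob=(0.4, 0.6, 0.8),
    secondary=(150_000, 380_000, 700_000),
)
# Same scenario after the endpoint-detection improvement (vulnerability ~3%).
WITH_BETTER_EDR = replace(RANSOMWARE, vuln=(0.02, 0.03, 0.06))

if __name__ == "__main__":
    print("point ALE:", point_ale(4, 0.08, 550_000, 380_000))
    print("control (reduction, net, roi):", control_roi(297_600, 111_600, 35_000))
    for label, sc in (("current", RANSOMWARE), ("with EDR", WITH_BETTER_EDR)):
        r = simulate(sc)
        print(f"{label}: mean ALE ${r['mean_ale']:,.0f}  p50 ${r['p50']:,.0f}  "
              f"p90 ${r['p90']:,.0f}  P(any loss) {r['p_any_loss']:.0%}")
```

Two things the simulation shows that the point arithmetic hides. With a loss event frequency around 0.3 per year, the median annual loss is zero: in most simulated years nothing happens, and the mean ALE is driven by the minority of years that contain an event. And the 90th percentile, not the mean, is the number to hold against an insurance limit or a cash reserve, because a limit has to absorb one bad year rather than the long-run average.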
Real-World Use Cases
CISO Justifying Security Budget to CFO
A CISO uses FAIR quantification for three top risk scenarios. Ransomware: ALE $297,600. Business email compromise: ALE $185,000. Third-party vendor breach: ALE $142,000. Total annual expected loss from top three risks: $624,600. Proposed security investments totaling $210,000 reduce combined ALE to $198,000. Annual risk reduction: $426,600. Net benefit: $426,600 - $210,000 = $216,600. Security program ROI (net benefit divided by cost, as in the worked example): 103%. This is the CFO conversation that qualitative risk matrices cannot have.
Vendor Risk Management Prioritization
A risk analyst quantifies third-party vendor risk using FAIR for the company's top 10 vendors. Three vendors have ALE exceeding $100,000. The quantification drives a prioritized remediation schedule: vendor 1 (ALE $340,000) requires immediate contractual security requirements and audit rights. The FAIR model replaces the previous 'inherent risk' scoring that ranked 40 vendors as 'high risk' with no actionable differentiation.
Cyber Insurance Adequacy Review
An organization's top 5 risk scenarios sum to $2.8M in combined ALE against a current $3M cyber insurance policy, which looks adequate until the distribution is examined: ALE is an annual average, whereas a policy limit must absorb a single bad event. The FAIR analysis shows that the 90th percentile loss for the worst-case scenario alone is $6.2M, exceeding the policy limit. The quantification justifies a policy limit increase to $7M, adding $18,000 to the annual premium to close a $3.2M coverage gap at the 90th percentile.
Comparison
| Risk Assessment Method | Output Type | CFO-Actionable? | Investment Comparison | Time Required |
|---|---|---|---|---|
| Qualitative (High/Medium/Low) | Color coding | No | Impossible | 1-2 days |
| CVSS Scoring | Numeric vulnerability score | No | Difficult | Hours per vulnerability |
| FAIR Model (basic) | Dollar ALE range | Yes | Direct ROI comparison | 4-8 hours per scenario |
| FAIR Model (Monte Carlo) | Loss distribution curve | Yes | Control ROI with uncertainty ranges | 1-2 days per scenario |
| Threat Modeling (STRIDE) | Threat enumeration | No | Indirect | 2-4 days |
| Cyber Risk Quantification Platform | Dashboard ALE | Yes | Automated comparison | Ongoing |
Common Mistakes to Avoid
Using single-point estimates instead of ranges for FAIR inputs. FAIR explicitly models uncertainty through minimum, most likely, and maximum values for each input. Plugging in a single 'best guess' for threat event frequency and vulnerability removes the uncertainty modeling that makes FAIR defensible. Risk analysts who provide single-point FAIR estimates are doing FAIR wrong.
Confusing threat event frequency with loss event frequency. Threat event frequency counts how often the threat acts (e.g., 50 phishing attempts per year). Loss event frequency is threat event frequency multiplied by vulnerability (50 x 4% = 2 loss events per year). Conflating these inflates ALE by the full threat frequency rather than the actual loss event rate.
Including all possible loss categories without evidence. FAIR analysts sometimes add reputation damage, competitive advantage loss, and regulatory fines to every scenario regardless of whether they are probable. This inflates ALE and erodes leadership confidence when the numbers seem unrealistic. Include secondary loss categories only when there is a credible pathway from the threat event to that loss type.
Accuracy and Disclaimer
Risk quantification estimates using the FAIR model are based on user-provided probability distributions and industry loss data. Actual loss events depend on specific threat actor capabilities, organizational control effectiveness, and incident circumstances that cannot be fully anticipated. FAIR outputs are probabilistic estimates intended for risk prioritization and investment justification, not for predicting specific incident costs. This calculator does not constitute financial or cybersecurity advice.
Conclusion
FAIR model outputs are most actionable when used to justify specific control investments. After calculating annual loss expectancy, compare it against the cost of reducing the risk using our Penetration Testing Cost Estimator to quantify whether a penetration test is cost-justified for a given risk scenario. For scenarios where the residual risk after controls warrants insurance, use our Cyber Insurance Premium Estimator to determine appropriate coverage limits.