The FAIR Model Explained in 90 Seconds

August 22, 2019  Paige O'Reilly

How do you eat an elephant? One bite at a time. You’ve probably heard this joke before about solving complex problems. It relates to risk, too.

The big elephant in today’s boardroom is information and cyber risk. It’s a complex topic that increasingly threatens the bottom line of the business.

Fear not. FAIR, the model behind the RiskLens platform, breaks cyber risk down into bite-size pieces and gives board- and C-suite-level executives the information they need to make better, more cost-effective decisions on cybersecurity.

What is FAIR?

FAIR (Factor Analysis of Information Risk) is a model that codifies and monetizes risk. In other words, it breaks risk down into defined building blocks and specifies how those blocks relate to one another. At the top level, risk is Loss Event Frequency (how often a loss event is expected to occur in a year) combined with Loss Magnitude (how much each event costs); each of those is decomposed further, for example Loss Event Frequency into Threat Event Frequency and Vulnerability, and Loss Magnitude into primary and secondary loss. Because each factor is estimated as a range and the relationships between factors are defined mathematically, risk can ultimately be calculated as financial loss exposure in dollars.

What does FAIR enable your organization to do?

Translating the impact of cyber risk into financial terms enables the kind of normal business planning your organization already practices outside of cyber: prioritizing effectively, making trade-offs, calculating the ROI of security investments, and choosing cost-effective solutions. Say hello to economically driven cyber risk management.

Why is FAIR better than what you're doing now?

Chances are your cybersecurity practice is caught up in a common approach: complying with industry or government standards, or checking off lists of controls and best practices. These approaches are needed and helpful, but they can't answer questions like:

  • What are the organization’s top cyber risks and how much exposure do they represent?
  • Which cyber risk management investments matter most?
  • Are we investing enough (or too much) in cyber risk management?


How does FAIR work with RiskLens?

RiskLens is a software company that has built a platform on top of the FAIR model. Like tax software, the RiskLens platform walks risk analysts step by step through a FAIR analysis, using data points collected from your business together with pre-populated loss tables compiled from industry data and embedded in the application.

The application runs this data through the FAIR model and produces easy-to-understand reporting, so executives can see risk exposure in financial terms. The first chart below shows a range of probable loss exposure, expressed as annualized loss exposure (ALE), for email compromise via phishing; the second compares the reduction in risk from various cybersecurity investments.

[Chart: RiskLens Platform - Phishing ALE]

[Chart: RiskLens Platform - Risk Treatment Analysis]
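As an added worked example (not RiskLens code, and not the platform's actual loss tables or distributions), here is a stand-alone Monte Carlo implementation of the FAIR decomposition described under "What is FAIR?", run on a constructed phishing scenario and then re-run with two candidate controls, which is the shape of the two charts above. Every input range, control effect and control cost is an illustrative assumption invented for the example; a real analysis calibrates them from incident data and loss tables. It uses only Python's standard library, so it runs offline.

```python
"""FAIR-style Monte Carlo of annualized loss exposure (ALE) for a phishing
scenario, then a risk-treatment comparison of two candidate controls.
Added example, not RiskLens code; every range and cost is a constructed estimate."""
import math
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Estimate:
    """Calibrated (min, most likely, max) range for one FAIR factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode): mode is the THIRD argument.
        return rng.triangular(self.low, self.high, self.mode)

@dataclass(frozen=True)
class Scenario:
    """The FAIR factors for one loss scenario."""
    tef: Estimate       # Threat Event Frequency: threat actions per year
    vuln: Estimate      # Vulnerability: P(threat event becomes a loss event)
    primary: Estimate   # primary loss magnitude per loss event, dollars
    sec_prob: Estimate  # Secondary Loss Event Frequency: P(secondary loss | event)
    sec_mag: Estimate   # secondary loss magnitude when it occurs, dollars

def point_estimate_ale(s: Scenario) -> float:
    """Single-point FAIR arithmetic on most-likely values:
    ALE = LEF * LM, LEF = TEF * Vuln, LM = Primary + SecProb * SecMag."""
    lef = s.tef.mode * s.vuln.mode
    lm = s.primary.mode + s.sec_prob.mode * s.sec_mag.mode
    return lef * lm

def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's method: number of loss events in one year at an annual rate."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(s: Scenario, years: int = 10_000, seed: int = 7) -> list:
    """One simulated year per iteration: draw LEF from TEF and Vuln, draw how
    many loss events occur, then draw primary and conditional secondary loss
    for each event. Returns the list of simulated annual losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = s.tef.sample(rng) * s.vuln.sample(rng)
        total = 0.0
        for _ in range(_poisson(rng, lef)):
            total += s.primary.sample(rng)
            if rng.random() < s.sec_prob.sample(rng):
                total += s.sec_mag.sample(rng)
        losses.append(total)
    return losses

def summarize(losses: list) -> dict:
    """Mean ALE plus 10th/50th/90th percentiles, the shape of an ALE chart."""
    ordered = sorted(losses)

    def pct(q: float) -> float:
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

    return {"mean": sum(ordered) / len(ordered),
            "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}

# Constructed estimates for "mailbox compromise via credential phishing".
PHISHING = Scenario(
    tef=Estimate(24, 60, 150),                    # campaigns reaching inboxes per year
    vuln=Estimate(0.02, 0.05, 0.15),              # P(campaign yields a compromised mailbox)
    primary=Estimate(5_000, 20_000, 80_000),      # response, investigation, lost productivity
    sec_prob=Estimate(0.05, 0.20, 0.50),          # P(notification, fines, customer fallout)
    sec_mag=Estimate(10_000, 100_000, 1_000_000),
)

# Candidate controls: the FAIR factor each is assumed to change, plus an assumed
# annual cost. MFA raises resistance strength (lower Vuln); better inbound
# filtering means fewer campaigns reach users (lower TEF).
CONTROLS = {
    "MFA on email": (replace(PHISHING, vuln=Estimate(0.005, 0.015, 0.04)), 25_000),
    "Inbound filtering upgrade": (replace(PHISHING, tef=Estimate(10, 25, 60)), 40_000),
}

def risk_treatment_analysis(base: Scenario = PHISHING, years: int = 10_000) -> dict:
    """Per control: treated mean ALE, reduction versus the base scenario, and
    net benefit (reduction minus annual control cost)."""
    base_mean = summarize(simulate_annual_loss(base, years))["mean"]
    result = {}
    for name, (treated, cost) in CONTROLS.items():
        treated_mean = summarize(simulate_annual_loss(treated, years))["mean"]
        reduction = base_mean - treated_mean
        result[name] = {"ale": treated_mean, "reduction": reduction,
                        "net_benefit": reduction - cost}
    return result

if __name__ == "__main__":
    print(f"point estimate ALE: ${point_estimate_ale(PHISHING):,.0f}")
    print("simulated ALE:", summarize(simulate_annual_loss(PHISHING)))
    print("treatments:", risk_treatment_analysis())
```

Two things worth noticing when you run it. First, multiplying the most-likely values gives an ALE of $120,000, while the simulated mean comes out several times higher, because the rare but large secondary-loss events dominate the average; that gap is exactly why FAIR tooling reports a distribution (10th/50th/90th percentiles) rather than a single number, and why calibrating the tails matters more than the modes. Second, the model only propagates the control effects you feed it: the claim that MFA cuts Vulnerability to a given range is the analyst's, not the model's, and is the part a reviewer should ask you to justify.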


With these estimates in hand, your team can make well-informed decisions on whether, and how, to invest in cybersecurity measures.