FAIR
Factor Analysis of Information Risk
Jones · Open Group Open FAIR · Aviation Safety Frameworks

FAIR is a quantitative model that decomposes information risk into the frequency of loss events and the magnitude of those losses, each broken down further into measurable factors. It produces probability-weighted loss exposure in monetary terms and is now codified by The Open Group as the Open FAIR standard.

Overview of the framework

Developed by Jack Jones in the early 2000s and formalised in the Open Group's Open FAIR Body of Knowledge (Open Group, 2021), FAIR defines risk as the probable frequency and probable magnitude of future loss. Rather than treating risk as a qualitative high/medium/low rating, it requires the analyst to estimate two top-level quantities — Loss Event Frequency (LEF) and Loss Magnitude (LM) — and combine them, typically by Monte Carlo simulation, into a distribution of annualised loss exposure.

Each top-level quantity decomposes into a small ontology. LEF is the product of Threat Event Frequency and Vulnerability, with Vulnerability itself the product of Threat Capability and Resistance Strength. LM is the sum of Primary Loss (productivity, response, replacement, fines) and Secondary Loss arising from stakeholder reactions (reputation, legal). The taxonomy gives analysts a consistent vocabulary that supports calibrated estimation, even when only ranges of values are available (Freund & Jones, 2014).

RISK
    Loss Event Frequency (LEF)
        Threat Event Frequency
        Vulnerability
            Threat Capability
            Resistance Strength
    Loss Magnitude (LM)
        Primary Loss (Productivity · Response · Replacement · Fines)
        Secondary Loss (Reputation · Legal)
Figure 1 · Open FAIR taxonomy. Risk decomposes into LEF × LM, each broken down into measurable, calibratable quantities.
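The decomposition above is easiest to understand when run. The following is an added example, not code from the page or from any Open FAIR tool: a small Monte Carlo over the taxonomy in which each factor is given a calibrated (minimum, most likely, maximum) range, Vulnerability is realised as the chance that a sampled Threat Capability exceeds a sampled Resistance Strength, and the trial's annualised loss exposure is LEF × LM. A second scenario with a higher Resistance Strength shows how the same machinery yields the expected loss avoided by a control, which is the number set against the control's cost when ranking investments. All ranges, the scenario, and the triangular distribution used as a stand-in for PERT are constructed assumptions.

```python
import random
import statistics
from dataclasses import dataclass, replace
from math import ceil

# A calibrated estimate: (minimum, most likely, maximum).
Range = tuple[float, float, float]


@dataclass(frozen=True)
class Scenario:
    """Inputs for one FAIR scenario, named after the Open FAIR ontology."""
    tef: Range             # Threat Event Frequency, threat events per year
    tcap: Range            # Threat Capability, percentile of the threat population
    rs: Range              # Resistance Strength, percentile of threats the control resists
    primary_loss: Range    # Primary Loss per loss event (productivity, response, replacement, fines)
    secondary_prob: Range  # Probability that a loss event triggers secondary loss
    secondary_loss: Range  # Secondary Loss per event (reputation, legal)


@dataclass(frozen=True)
class Result:
    mean: float
    p10: float
    p50: float
    p90: float
    samples: list


def draw(rng: random.Random, r: Range) -> float:
    """Sample a calibrated range with a triangular distribution (a PERT stand-in)."""
    lo, mode, hi = r
    return rng.triangular(lo, hi, mode)


def percentile(sorted_samples: list, q: float) -> float:
    """Nearest-rank percentile of an ascending list, 0 <= q <= 1."""
    idx = min(max(ceil(q * len(sorted_samples)) - 1, 0), len(sorted_samples) - 1)
    return sorted_samples[idx]


def simulate(s: Scenario, n: int = 10_000, seed: int = 1) -> Result:
    """Monte Carlo over the FAIR decomposition: per trial, RISK = LEF x LM."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    samples = []
    for _ in range(n):
        tef = draw(rng, s.tef)
        # Vulnerability: a loss event occurs only when threat capability exceeds
        # resistance strength. Comparing one sample of each gives a 0/1 draw whose
        # average over many trials approximates P(TCap > RS).
        vuln = 1.0 if draw(rng, s.tcap) > draw(rng, s.rs) else 0.0
        lef = tef * vuln  # Loss Event Frequency
        # Loss Magnitude: primary loss plus secondary loss weighted by the
        # probability that stakeholders react.
        lm = draw(rng, s.primary_loss) + draw(rng, s.secondary_prob) * draw(rng, s.secondary_loss)
        samples.append(lef * lm)  # annualised loss exposure for this trial
    samples.sort()
    return Result(statistics.mean(samples),
                  percentile(samples, 0.10), percentile(samples, 0.50), percentile(samples, 0.90),
                  samples)


def ale_reduction(baseline: Scenario, with_control: Scenario, n: int = 10_000, seed: int = 1) -> float:
    """Expected annual loss avoided by a control, to be compared with its annual cost."""
    return simulate(baseline, n, seed).mean - simulate(with_control, n, seed).mean


# Constructed, illustrative ranges for a hypothetical scenario; not real data.
BASELINE = Scenario(
    tef=(0.5, 2.0, 6.0),
    tcap=(30, 55, 80),
    rs=(40, 60, 85),
    primary_loss=(50_000, 200_000, 800_000),
    secondary_prob=(0.10, 0.30, 0.60),
    secondary_loss=(100_000, 500_000, 2_000_000),
)
# The same scenario after a hypothetical control that raises Resistance Strength.
HARDENED = replace(BASELINE, rs=(65, 80, 95))

if __name__ == "__main__":
    base = simulate(BASELINE)
    print(f"baseline ALE: mean {base.mean:,.0f}  P10 {base.p10:,.0f}  "
          f"P50 {base.p50:,.0f}  P90 {base.p90:,.0f}")
    print(f"expected annual loss avoided by the control: {ale_reduction(BASELINE, HARDENED):,.0f}")
```

Two design points matter in practice. The P10/P50/P90 values are what belongs in a board report, because the mean alone hides how skewed loss exposure is; and the seed is fixed so that an auditor can reproduce the figures from the same inputs, which is the "exposes assumptions" property the model is valued for.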

When to use it

Typical applications

  • Quantifying cyber and information risk for board-level reporting in monetary terms.
  • Comparing the risk reduction delivered by competing security investments (control prioritisation).
  • Building consistent enterprise-wide risk registers across heterogeneous threat scenarios.
  • Supporting insurance, capital allocation, and regulatory submissions where defensible numbers are needed.

Aviation relevance

  • Cybersecurity assessments of airline IT, ground systems, and connected aircraft per ED-202A / DO-326A.
  • Quantifying risk of avionics-network intrusion, ACARS spoofing, or airport-OT incidents.
  • Translating findings of safety-related security risk assessments into financial loss exposure for executive decision making.
  • Supplementing qualitative ICAO Annex 17 / NIST CSF assessments with monetised exposure.

Benefits

  • Defensible quantification. Replaces colour-coded heat maps with probability distributions that can be stress-tested.
  • Decomposed estimation. Calibrated experts estimate ranges for small, well-defined factors, which are then combined — easier and more accurate than estimating the top-level risk directly.
  • Open and standardised. Open FAIR is an Open Group standard with public Body of Knowledge and certified practitioners.
  • Investment ranking. Allows direct comparison of expected loss reduction against control cost.
  • Common vocabulary. Bridges security, audit, finance, and executive stakeholders.
  • Tool support. Implementations exist (RiskLens, FAIR-U, open-source pyfair) for Monte Carlo simulation.
  • Compatible with control frameworks. NIST CSF, ISO 27005, and CIS Controls map to FAIR factors.
  • Iterative. Estimates can be refined as data improves without changing the model.

Limitations

  • Garbage-in risk. The model exposes assumptions but does not validate them; poor inputs produce confidently wrong outputs.
  • Calibration cost. Requires trained estimators using techniques such as Hubbard's calibration to avoid overconfidence.
  • Scope limited to information risk. Not designed to model physical-system safety, multi-hazard interactions, or socio-technical resonance.
  • Static frequency model. Independent-event sampling can understate correlated, coordinated, or supply-chain attacks.
  • Data scarcity. Frequency and loss magnitude data for novel cyber threats are sparse, and benchmarks (e.g., Verizon DBIR) are coarse.
  • Quantification fatigue. Some organisations find detailed scenario decomposition heavy and revert to qualitative methods for low-tier risks.

In short, FAIR turns information risk into auditable numbers. Use it when you need to compare cyber investments on a like-for-like basis, when boards demand monetary risk language, or when qualitative heat maps no longer support the decisions being asked of them — but pair it with calibrated estimation discipline.

References (APA 7)

Jones, J. A. (2005). An introduction to Factor Analysis of Information Risk (FAIR). Risk Management Insight.

Freund, J., & Jones, J. (2014). Measuring and managing information risk: A FAIR approach. Butterworth-Heinemann.

The Open Group. (2021). The Open FAIR Body of Knowledge (2nd ed., Standard C20B). The Open Group.

The Open Group. (2013). Risk taxonomy (O-RT), Version 2.0 (Standard C13K). The Open Group.

The Open Group. (2013). Risk analysis (O-RA), Version 2.0 (Standard C13G). The Open Group.

Hubbard, D. W., & Seiersen, R. (2016). How to measure anything in cybersecurity risk. Wiley.

Further reading

FAIR Institute. (2020). Quantitative information risk management with the FAIR model. FAIR Institute.

National Institute of Standards and Technology. (2012). Guide for conducting risk assessments (NIST SP 800-30 Rev. 1). U.S. Department of Commerce.

RTCA / EUROCAE. (2014). DO-326A / ED-202A: Airworthiness security process specification.

European Union Aviation Safety Agency. (2020). Notice of proposed amendment 2020-12: Aircraft cybersecurity. EASA.

Hubbard, D. W. (2020). The failure of risk management: Why it's broken and how to fix it (2nd ed.). Wiley.