FAIR Risk Quantification

Transform vendor risk from subjective ratings into actionable dollar amounts using the Factor Analysis of Information Risk methodology.

Risk in Financial Terms

Fair TPRM implements the FAIR (Factor Analysis of Information Risk) methodology to calculate Annualized Loss Expectancy for every vendor relationship. Instead of vague "high/medium/low" labels, your leadership team sees projected financial impact.

  • Annualized Loss Expectancy (ALE) calculation
  • Threat Event Frequency modeling
  • Vulnerability factor analysis
  • Loss magnitude with breach cost modeling
  • Cyber insurance coverage recommendations (3x ALE)
  • Board-ready financial reports

// Core FAIR Formula
ALE = LEF × Loss Magnitude

// Loss Event Frequency
LEF = TEF × Vulnerability

// Recommended Coverage
Insurance = 3 × ALE

How the Math Works

Every variable feeds into a transparent, auditable calculation chain.

Threat Event Frequency

Starts with a base rate of 1 event/year, then applies multipliers for data classification (Critical 12x, Sensitive 6x, Public 0.5x), external data sharing (+50%), and threat intelligence levels.

Vulnerability Factors

Begins at a 50% baseline, adjusted by SRS security grade (A=20%, F=90%), ISO 27001 certification (-45%), MFA status (-30%), and patch management posture.

Loss Magnitude

Combines operational impact (daily cost × 4-day outage), breach costs (PII at $160/record, SPII at $200/record, SOX at $5M flat), and secondary losses including regulatory fines and reputational damage.

Risk Level Classification

Calculated ALE values map to standardized risk levels for prioritization.

ALE Range                 Risk Level   Recommended Action
< $1,000                  Very Low     Standard monitoring, annual review cycle
$1,000 – $10,000          Low          Routine assessment, Tier 3 SRS schedule
$10,000 – $50,000         Medium       Enhanced monitoring, Tier 2 SRS schedule
$50,000 – $250,000        High         Tier 1 monitoring, remediation plan required
$250,000 – $1,000,000     Very High    Immediate attention, executive escalation
> $1,000,000              Critical     Board-level review, contract re-evaluation
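
The calculation chain and the risk level table above, worked through as an added Python example (not Fair TPRM's own code). Assumptions: the TEF multipliers compose by multiplication, the threat-intelligence multiplier is left out because the page gives no value for it, vulnerability is passed in as a fraction because the page does not say how its adjustments combine, and the function names are hypothetical.

```python
# Added illustration; constants are the figures quoted on the page.
DATA_CLASS_MULTIPLIER = {"critical": 12.0, "sensitive": 6.0, "public": 0.5}
COST_PER_RECORD = {"PII": 160, "SPII": 200}   # USD per record
SOX_FLAT_COST = 5_000_000                      # USD, flat
OUTAGE_DAYS = 4
# (exclusive upper bound, label) for each band of the classification table.
RISK_BANDS = [(1_000, "Very Low"), (10_000, "Low"),
              (50_000, "Medium"), (250_000, "High")]

def threat_event_frequency(data_class, shares_externally):
    """Events/year. Assumption: multipliers compose by multiplication."""
    tef = 1.0 * DATA_CLASS_MULTIPLIER[data_class]    # base rate: 1 event/year
    return tef * 1.5 if shares_externally else tef   # external sharing: +50%

def loss_magnitude(daily_cost, records, sox_in_scope=False, secondary=0.0):
    """USD per loss event: outage + breach costs + secondary losses."""
    operational = daily_cost * OUTAGE_DAYS
    breach = sum(COST_PER_RECORD[kind] * n for kind, n in records.items())
    if sox_in_scope:
        breach += SOX_FLAT_COST
    return operational + breach + secondary

def risk_level(ale):
    """Assumption: a shared boundary value belongs to the higher band,
    except $1,000,000, which the table puts below Critical (> $1,000,000)."""
    for upper, label in RISK_BANDS:
        if ale < upper:
            return label
    return "Very High" if ale <= 1_000_000 else "Critical"

def fair_summary(tef, vulnerability, magnitude):
    """ALE = LEF x Loss Magnitude, LEF = TEF x Vulnerability, cover = 3 x ALE."""
    if not 0.0 <= vulnerability <= 1.0:
        raise ValueError("vulnerability is a probability in [0, 1]")
    if tef < 0 or magnitude < 0:
        raise ValueError("tef and magnitude must be non-negative")
    lef = tef * vulnerability
    ale = lef * magnitude
    return {"lef": lef, "ale": ale, "insurance": 3 * ale,
            "risk_level": risk_level(ale)}

if __name__ == "__main__":
    # Constructed vendor: sensitive data shared externally, 2,000 PII records.
    tef = threat_event_frequency("sensitive", shares_externally=True)
    lm = loss_magnitude(daily_cost=5_000, records={"PII": 2_000})
    print(fair_summary(tef, vulnerability=0.25, magnitude=lm))
```

Because record-based breach costs scale linearly with record count, the record count and the data classification dominate the result; changing either one is the quickest way to see a vendor move between bands.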

Interactive Calculator

The built-in FAIR calculator provides real-time results as analysts input vendor-specific data. Over 40 encrypted database fields store sensitive risk data at rest with AES-256-CBC encryption.

  • Real-time ALE calculation as you type
  • 40+ encrypted fields for sensitive FAIR data
  • CSV import/export for bulk analysis
  • Print-ready reports with financial justification
  • Auto-draft creation from assessment submissions
  • Searchable vendor FAIR analysis history

Vendor: CloudPayments Inc. (Critical)
Annualized Loss Expectancy: $1.2M
Threat Event Frequency: 4.5/yr
Vulnerability Factor: 68%
Insurance Recommendation: $3.6M
Records at Risk: 50,000 PII

AI-Powered Executive Summaries

Generate board-ready risk narratives in seconds.

From Data to Narrative

Fair TPRM integrates with OpenWebUI to generate AI-powered executive summaries that combine SRS scores, FAIR analysis data, and risk findings into professional narratives ready for board presentations.

  • Automatic context assembly from all vendor data
  • Configurable AI model and parameters
  • Financial impact included in generated narratives
  • One-click PDF export with brand styling

AI Integration: OpenWebUI
Output Format: PDF + HTML
Data Sources: Combined SRS + FAIR
Customizable: Model + Temp

See How Monitoring Feeds the Analysis

FAIR analysis is powered by real-time security scores from dual SRS integrations.