Thought Leadership January 21, 2026 · 4 min read

FAIR Risk Quantification: When 'High/Medium/Low' Stops Working

When your security team says 'critical' and engineering says 'high,' nobody wins. FAIR turns that argument into dollars.

SRD
Synodician Research Desk
Security Research

“This is a critical vulnerability.” “We disagree, it’s only high.” “Based on what?”

That argument can’t be resolved because both sides are using a scoring system that doesn’t map to business consequences. FAIR (Factor Analysis of Information Risk) replaces the severity label with a dollar figure, and the argument ends. Not because one side wins, but because the question changes from “how severe is this?” to “how much does this cost us?”

From severity labels to financial ranking. FAIR translates subjective risk into concrete dollar amounts.

Risk in dollars, not colors

Qualitative methods (high/medium/low) and simple multiplication (CVSS × asset value) can’t end the argument; they only move it from “how severe?” to “whose scale?” FAIR gives you a different kind of answer entirely: dollars.

The model works in two halves. Loss Event Frequency (LEF) asks how often this vulnerability actually gets exploited, how frequently attackers attempt it, and how likely an attempt succeeds. Loss Magnitude (LM) asks what it costs when one does: direct costs (response, recovery, replacement) and indirect costs (reputation, legal, regulatory fines).

Annualized Loss Expectancy (ALE)

The product of LEF and LM is what FAIR calls Annualized Loss Expectancy (ALE): the expected annual financial impact of a given risk scenario. ALE turns “this is a critical vulnerability” into “this vulnerability carries a $2.3M annualized loss expectancy,” and that dollar figure is what lets leadership weigh one risk against another, decide whether the remediation cost is justified, and defend that decision to auditors who ask why CVE-A was prioritized over CVE-B. Severity labels can’t do any of that.

While FAIR’s critics have a point that most security teams don’t have the actuarial data to feed a rigorous model, the alternative isn’t “no quantification.” It’s the implicit quantification that already happens when a CISO says “this is our biggest risk” without attaching a number. At least FAIR makes the assumptions visible.

Insight

Risk in dollars changes the conversation. When everyone argues about “critical vs high,” nobody wins. When the discussion is “$3.2M annualized loss vs $400K,” the prioritization becomes self-evident.

What changes when risk has a price tag

Once you’re comparing “$2.3M annualized loss expectancy” against “$450K” instead of “critical” against “high,” the argument resolves itself. Not because one side wins, but because the question shifts from subjective severity to documented financial assumptions. (The strength of those numbers depends on input quality; see FAIR + Monte Carlo: What Works and What Breaks for a deeper treatment.)

Boards don’t read heat maps. They read budgets. Present a “$15M portfolio of risk” where the top 10 items represent 80% of exposure, and the resource allocation conversation stops being abstract. And when an auditor asks why you prioritized CVE-A over CVE-B, you have documented financial reasoning, not “we thought it was more important.”

Honest about uncertainty

Real risk analysis acknowledges uncertainty. FAIR implementations use Monte Carlo simulation to produce probability distributions: P50 for the median expected loss, P90 and P95 for stress scenarios. That lets you have honest conversations like “our median expected loss is $1.2M, but there’s a 10% chance it could exceed $5M.” For a deeper treatment of Monte Carlo methodology, input credibility, and common failure modes, see FAIR + Monte Carlo: What Works and What Breaks.
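The two halves of the model described above (LEF and LM, combined into an annualized figure) and the percentile outputs mentioned here can be shown end to end in a small simulation. The following is an added example written for this article; it is not Basirah code or FAIR tooling from The Open Group. It assumes calibrated min / most-likely / max estimates for four FAIR leaf factors (Threat Event Frequency, Vulnerability, primary and secondary loss), samples them with a triangular distribution (standing in for the PERT distribution most FAIR tools use), draws the number of loss events per simulated year from a Poisson process, and reports ALE, P50/P90/P95 and an exceedance probability. The two scenarios and every number in them are constructed for illustration, not data from the article.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max range for one FAIR factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for the PERT distribution FAIR tooling usually uses.
        return rng.triangular(self.low, self.high, self.mode)

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: a threat against an asset, expressed as four FAIR leaf estimates."""
    name: str
    tef: Estimate        # Threat Event Frequency: attacker attempts per year
    vuln: Estimate       # Vulnerability: probability an attempt becomes a loss event (0..1)
    primary: Estimate    # direct loss per event: response, recovery, replacement
    secondary: Estimate  # indirect loss per event: legal, regulatory, reputation


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given an expected rate (Knuth's method)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, iterations: int = 20_000, seed: int = 0) -> list[float]:
    """Monte Carlo: one simulated year per iteration, returning the total loss in each year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        # Loss Event Frequency = how often attempts happen x how often they succeed
        lef = scenario.tef.sample(rng) * scenario.vuln.sample(rng)
        events = poisson(rng, lef)
        # Each loss event gets its own Loss Magnitude draw (direct + indirect costs)
        total = sum(scenario.primary.sample(rng) + scenario.secondary.sample(rng) for _ in range(events))
        losses.append(total)
    return losses


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile: the smallest value with at least p% of the sample at or below it."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(losses: list[float]) -> dict[str, float]:
    """ALE (mean annual loss) plus the median and stress percentiles leadership asks for."""
    return {
        "ale": statistics.fmean(losses),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p95": percentile(losses, 95),
    }


def exceedance_probability(losses: list[float], threshold: float) -> float:
    """Share of simulated years in which the loss exceeded the threshold."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


def rank_portfolio(scenarios: list[Scenario], iterations: int = 20_000, seed: int = 0) -> list[tuple[str, float]]:
    """Portfolio view: scenarios ordered by ALE, highest exposure first."""
    ranked = [(s.name, summarize(simulate_annual_losses(s, iterations, seed))["ale"]) for s in scenarios]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed scenarios with illustrative estimates (not figures from the article).
EXPOSED_ADMIN_PANEL = Scenario(
    "Internet-exposed admin panel",
    tef=Estimate(2, 6, 20), vuln=Estimate(0.05, 0.15, 0.40),
    primary=Estimate(50_000, 200_000, 800_000), secondary=Estimate(0, 100_000, 2_000_000),
)
STALE_DEV_LIBRARY = Scenario(
    "Outdated library on an internal dev tool",
    tef=Estimate(0.5, 1, 3), vuln=Estimate(0.01, 0.05, 0.10),
    primary=Estimate(5_000, 20_000, 60_000), secondary=Estimate(0, 5_000, 50_000),
)

if __name__ == "__main__":
    for scenario in (EXPOSED_ADMIN_PANEL, STALE_DEV_LIBRARY):
        losses = simulate_annual_losses(scenario)
        stats = summarize(losses)
        print(f"{scenario.name}: ALE ${stats['ale']:,.0f}  P50 ${stats['p50']:,.0f}  "
              f"P90 ${stats['p90']:,.0f}  P95 ${stats['p95']:,.0f}  "
              f"P(loss > $5M) = {exceedance_probability(losses, 5_000_000):.1%}")
    print(rank_portfolio([STALE_DEV_LIBRARY, EXPOSED_ADMIN_PANEL]))
```

The mean of the simulated annual losses is the ALE; with independent inputs it converges to mean(TEF) × mean(Vuln) × mean(LM), so the simulation adds nothing to the point estimate but everything to the spread: P50 shows what a typical year costs, P90/P95 and the exceedance probability show the tail that a single severity label hides. Because every input is an explicit range, a finance reviewer can challenge one estimate at a time instead of arguing about a color.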

FAIR built into the workflow

Basirah has FAIR risk quantification built directly into the remediation workflow. When findings are ingested, they’re automatically enriched with asset criticality from your CMDB integration, threat intelligence on exploitation activity, and loss magnitude estimates based on industry data.

What matters isn’t the enrichment. It’s what leadership sees as a result. Instead of a heat map that says “47 criticals,” the CISO presents a ranked portfolio in dollars: which risks carry the highest annualized loss expectancy, which remediations deliver the largest modeled reduction, and which exceptions have a quantified cost of acceptance that the board can evaluate against the cost of fixing them.

The next time your security team and engineering argue about priority, ask one question: how much does this cost us if we’re wrong? If nobody has a number, that’s your answer.
