How to Read a FAIR Number Without Getting Fooled
Someone hands the board "$680k expected, $2.4M at the 95th percentile." What does that actually mean, and how do you tell a credible estimate from confident-looking nonsense? A reader's guide to FAIR output for the people who have to act on it.
Plenty has been written about how to build a FAIR model. Almost nothing has been written for the person on the other end: the board member, the CFO, the audit committee chair who gets handed a slide that says “$680k expected loss, $2.4M at the 95th percentile” and has thirty seconds to decide whether to believe it. If you’re that person, this is for you. You don’t need to run the math. You need to know what the math is claiming and how to tell when it’s bluffing.
The two pieces we’ve written on building FAIR models and the failure modes of quantification cover the production side. This one is about consumption.
The number isn’t a number, it’s a range
The first mistake is reading “$2.4M” as a fact. It isn’t. A FAIR estimate is a probability distribution dressed up for a slide, and the single figures pulled out of it are landmarks on a curve, not measurements. The whole point of the method is to be honest that nobody knows the exact loss, so it gives you a shape of possible losses instead of a false single answer.
When you see one dollar figure with no range around it, something has been hidden. The range is the information. A point estimate is the range with the honesty filed off.
What P50 and P95 are telling you
Two landmarks do most of the work, and they’re worth understanding precisely.
P50 is the median. Half the simulated outcomes land below it, half above. It's the "if this plays out, this is the unremarkable middle" number. Read it as the typical year. One caveat: the "expected loss" figure on a slide is usually the mean, not the median, and in a long-tailed loss distribution the mean sits above the median because a handful of very expensive outcomes pull it up. If you are handed "expected" and "P95" but no P50, ask for it; the two are not interchangeable.
P95 is the bad-but-plausible tail. Only 5% of simulated outcomes exceed it. It isn’t the worst case — there’s no such thing as a true worst case in a long-tailed distribution — it’s the line past which things get genuinely rare. Read it as “the bad year we should be able to survive and plan for.”
The gap between the two is the part most people skip, and it’s the most useful signal on the slide. A tight gap means the model thinks the outcome is fairly predictable. A wide gap means the risk is dominated by rare, expensive events. Those two situations call for completely different responses — one is a budgeting problem, the other is an insurance-and-resilience problem — and the spread is what tells them apart.
Three questions before you trust it
A FAIR result is only as good as what went into it, and you can interrogate that without seeing a single formula. Ask these three.
Where did the inputs come from? The model multiplies how often a loss event happens (how often you are attacked, times how often the attack succeeds) by how much each one costs, and it does so over ranges, not single values. Both sides are estimates. Ask whether they came from your own incident history and control testing, or from someone's gut dressed up as a parameter. Calibrated expert estimates with stated ranges are legitimate; unexamined guesses pointed at a simulation are not.
Has it been checked against reality? A model that has never been compared to an actual outcome is a hypothesis. Ask what happened the last time a real incident could have tested the estimate. The good answer involves the model being adjusted afterward. The bad answer is a blank stare.
Why did the number change since last quarter? This is the question that separates a living model from a decoration. If exposure dropped from $2.4M to $1.8M, someone should be able to say exactly why: these findings were verified fixed, this control came online, this assumption was revised. A number that moves without an explanation is a number nobody is actually steering.
A wide range is honesty; suspicious precision is the red flag
Here’s the counterintuitive part. The estimate that says “$1.2M to $4.1M” is usually more trustworthy than the one that says “$2,847,193.” Cyber loss is uncertain, and a model that reports uncertainty is doing its job. A model that reports a loss to the dollar is performing confidence it hasn’t earned.
Be most skeptical of the most precise number in the room. False precision is the tell of a model built to impress rather than to inform. Real risk estimates are honest about how much they don’t know.
The same logic applies to inputs. If every parameter in the model is a single confident value, the uncertainty has been quietly deleted somewhere upstream, and the clean-looking output is hiding it.
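Here is what those landmarks look like coming out of a simulation, for the P50/P95 discussion above and for the point about collapsed inputs. This is an added illustration written for this article, not code from the article or from any FAIR tool: a small Monte Carlo in Python over two constructed scenarios, one frequent and cheap, one rare and expensive. It assumes each input is given as a 90% confidence interval and modelled as lognormal, and it takes loss event frequency as a direct input rather than deriving it from threat event frequency and vulnerability; the dollar figures and scenario names are invented. It shows where the mean ("expected loss"), P50 and P95 come from, how the P95/P50 gap separates a budgeting problem from a resilience problem, and what the single number looks like once the ranges are collapsed to midpoints.

```python
import math
import random
import statistics

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution


def lognormal_from_ci(p5, p95):
    """Turn a 90% confidence interval (5th, 95th percentile) on a positive quantity
    into the (mu, sigma) of a lognormal distribution that has those percentiles.
    Using a lognormal here is an assumption of this example, not a FAIR requirement."""
    if not 0 < p5 <= p95:
        raise ValueError("need 0 < p5 <= p95")
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * Z95)
    return mu, sigma


def poisson(rng, rate):
    """Number of loss events in one year given an annual rate (Knuth's method;
    fine for the small rates typical of a single scenario)."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(lef_ci, magnitude_ci, trials=10000, seed=7):
    """Monte Carlo over one FAIR-style scenario.

    lef_ci       : (p5, p95) for loss event frequency, events per year
    magnitude_ci : (p5, p95) for loss per event, in dollars
    Returns one simulated annual loss per trial."""
    rng = random.Random(seed)
    lef_mu, lef_sigma = lognormal_from_ci(*lef_ci)
    mag_mu, mag_sigma = lognormal_from_ci(*magnitude_ci)
    losses = []
    for _ in range(trials):
        rate = rng.lognormvariate(lef_mu, lef_sigma)  # this trial's event rate
        events = poisson(rng, rate)                    # how many actually happen
        losses.append(sum(rng.lognormvariate(mag_mu, mag_sigma) for _ in range(events)))
    return losses


def landmarks(losses):
    """The figures that end up on the slide, pulled from the distribution."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(p):
        return ordered[min(n - 1, int(p * n))]

    p50, p95 = pct(0.50), pct(0.95)
    return {
        "mean": statistics.fmean(ordered),          # the "expected loss" figure
        "p50": p50,                                  # the typical year
        "p95": p95,                                  # the bad-but-plausible year
        "zero_loss_years": ordered.count(0) / n,     # share of years with no event at all
        "spread": (p95 / p50) if p50 > 0 else math.inf,
    }


def point_estimate(lef_ci, magnitude_ci):
    """What you get when each range is collapsed to its midpoint before multiplying:
    a single dollar figure with the uncertainty filed off."""
    lef_mid = math.sqrt(lef_ci[0] * lef_ci[1])
    mag_mid = math.sqrt(magnitude_ci[0] * magnitude_ci[1])
    return lef_mid * mag_mid


# Two constructed scenarios (invented numbers, for illustration only).
FREQUENT = dict(lef_ci=(5.0, 20.0), magnitude_ci=(10_000.0, 50_000.0))        # e.g. routine phishing clean-ups
RARE = dict(lef_ci=(0.5, 4.0), magnitude_ci=(500_000.0, 5_000_000.0))         # e.g. a breach with notification costs

if __name__ == "__main__":
    for name, scenario in (("frequent/cheap", FREQUENT), ("rare/expensive", RARE)):
        lm = landmarks(simulate_annual_loss(**scenario))
        print(f"{name:15s} mean ${lm['mean']:,.0f}  P50 ${lm['p50']:,.0f}  "
              f"P95 ${lm['p95']:,.0f}  P95/P50 {lm['spread']:.1f}x  "
              f"zero-loss years {lm['zero_loss_years']:.0%}  "
              f"collapsed point estimate ${point_estimate(**scenario):,.0f}")
```

The frequent scenario produces a tight P95/P50 spread, the kind of risk you budget for; the rare one produces a wide spread, the kind you insure and build resilience against. The rare scenario also shows why a median on its own can mislead: a sizeable share of simulated years contain no loss at all, so the mean sits well above P50, and the collapsed point estimate lands nowhere near the tail the board actually needs to plan for.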
What makes a FAIR number worth acting on
Tie the whole thing back to one test: can the estimate be traced to something real, and does it move when reality moves? A figure anchored to verified remediation — exposure that drops because findings were confirmed fixed, not because someone closed a ticket — is one you can take to a board and defend under questioning. A figure that floats free of outcomes is theater, however good the chart looks.
You don’t have to trust the simulation. You have to be able to follow it back to the evidence. When you can, the number stops being a slide and starts being a decision you can stand behind.
Want FAIR estimates anchored to independently verified fixes, with every input traceable? See how Basirah quantifies risk.