FAIR glossary
Every acronym on screen, in one place.
The core outputs
- FAIR — Factor Analysis of Information Risk. The open quantitative cyber-risk model this tool implements (The Open Group).
- ALE — Annualized Loss Expectancy. Total cyber loss over the time horizon, combining how often losses happen and how much they cost, under the chosen event model. The scenario's headline output.
- LEC — Loss Exceedance Curve. For each loss level x, the probability that annual loss is at least x. The standard FAIR chart.
- VaR — Value at Risk. The loss level exceeded only (1 − p)% of the time — e.g. VaR-95 is the p95 annual loss.
- CVaR — Conditional Value at Risk. The average loss across the worst tail beyond a percentile — e.g. CVaR-95 is the mean of the worst 5% of simulated years. It says how bad the bad years are, not just where they begin.
The frequency side (how often)
- LEF — Loss Event Frequency. How often a threat event becomes a loss event, per unit time. Decomposes to TEF × Vulnerability.
- TEF — Threat Event Frequency. How often a threat actor takes an action against the asset. Decomposes to Contact Frequency × Probability of Action.
- CF — Contact Frequency. How often a threat actor encounters or scans the asset.
- PoA — Probability of Action. Given contact, how often the actor follows through with an attack attempt.
- Vuln — Vulnerability. The probability that a threat event becomes a loss event. Decomposes to the probability that Threat Capability exceeds Resistance Strength.
- TCap — Threat Capability. The skill, tools, and resources of the threat actor (0–100 typical scale).
- RS — Resistance Strength. The strength of the asset's controls against the threat (0–100 typical scale).
The magnitude side (how much)
- LM — Loss Magnitude. The cost per event. Decomposes to Primary Loss + Secondary Risk.
- PLM — Primary Loss Magnitude. Direct loss from the event. May decompose into forms of loss (below).
- Secondary Risk — loss from third-party reactions (regulators, customers, partners). Decomposes to SLEF × SLM.
- SLEF — Secondary Loss Event Frequency. The probability that a primary event triggers third-party responses.
- SLM — Secondary Loss Magnitude. The cost per secondary event. May decompose into forms of loss.
The six forms of loss
A loss magnitude can be broken into up to six categories:
- Productivity — degraded or interrupted ability to produce: lost work hours, transactions, output.
- Response — incident response: investigation, containment, recovery labor and tooling.
- Replacement — replacing or repairing damaged assets: hardware, software, data restoration.
- Competitive advantage — lost or compromised intellectual property and competitive position.
- Fines & judgments — regulatory fines, civil settlements, legal judgments.
- Reputation — reputational damage: customer churn, brand impact, valuation effects.
Data & distribution terms
- SIP — Stochastic Information Packet. An array of pre-generated sample values (SIPmath 3.0) a factor can use instead of a shaped distribution — useful for vendor-provided or peer-reviewed data.
- SLURP — Stochastic Library Unit with Relationships Preserved. A SIPmath library holding one or more SIPs that can share randomness (preserving correlations).
- PERT / Lognormal / Beta / … — the distribution shapes you pick from when entering an estimate. PERT (low / most-likely / high) is the friendliest starting point; the picker suggests the shapes that fit each factor.
Last updated: 7/14/26, 5:44 PM