

Loss Magnitude Rubric
Based on Cyentia Institute's Information Risk Insights Study (Cyentia Institute. “Information Risk Insights Study.” 2026. https://www.cyentia.com/iris2025/). Loss Magnitude (LM) answers a fundamental question in risk analysis: "If this threat succeeds, how much will it cost us?" Loss Magnitude combines with Loss Event Frequency to produce annualized risk—a dollar figure that enables direct comparison between different threats and informed decisions about security investments.
5 days ago, 12 min read


Control Strength (CS), Control Failure Rate, and Resistance Strength (RS) Rubric
Overview These three variables represent the defender side of the FAIR model. Unlike TCap (which measures attacker capability from threat intelligence), CS and RS measure organizational defensive posture. Because threat intelligence does not contain information about the reader's specific control environment, this analysis uses fixed baseline values representing a "typical mid-maturity organization." Readers should adjust based on their actual control implementation. The Rela
6 days ago, 4 min read


Probability of Action (PoA) Rubric
Overview Probability of Action (PoA) measures the likelihood that a threat actor will act once contact with a target occurs. In FAIR methodology, PoA captures the threat actor's motivation and commitment to follow through on an attack opportunity. PoA is expressed as a decimal between 0.00 and 1.00 and is combined with Contact Frequency (CF) to calculate Threat Event Frequency (TEF): TEF = CF × PoA PoA Estimation Context Inferred vs. Observed Probability of Action This rubric
6 days ago, 4 min read


Contact Frequency (CF) Rubric
Overview Contact Frequency (CF) measures how often a threat actor comes into contact with organizations matching the target profile. In FAIR methodology, "contact" occurs when the threat reaches or touches the target—regardless of whether the attack succeeds. CF is expressed as an annual rate (events per year) and is combined with Probability of Action (PoA) to calculate Threat Event Frequency (TEF): TEF = CF × PoA CF Estimation Context Inferred vs. Observed Contact Frequency
6 days ago, 6 min read


Threat Capability (TCap) Rubric
Overview Threat Capability (TCap) measures the ability of a threat actor to successfully execute an attack against an organization's assets. Per Open FAIR methodology, TCap is assessed across three factors: Resources - Tool diversity, operational duration, exploit acquisition, and custom development capability Skills/Expertise - Technical knowledge, experience, and development capabilities Access - Ability to reach targets through vulnerabilities, tools, and positioning Ea
6 days ago, 5 min read