Risk Management | March 10, 2026 | 3 min read

A Practical Guide to FAIR Risk Quantification

By Theodolite Team

Why CVSS Alone Falls Short

Every security team knows the drill: a scanner dumps thousands of findings rated Critical, High, Medium, and Low. You triage by severity, patch what you can, and hope the board doesn't ask hard questions about residual risk.

The problem is that a CVSS base score measures technical severity, not business impact. A Critical-rated vulnerability on a development server holding no sensitive data is materially different from a Medium on a payment-processing database. The base score cannot distinguish between the two. CVSS does define environmental metrics that let you adjust a score for asset criticality, but scanners almost always report the unmodified base score, and that is what most triage queues sort on.

This is where Factor Analysis of Information Risk (FAIR) comes in.

What FAIR Actually Does

FAIR is an open standard, maintained by The Open Group, for quantifying information risk in financial terms. Instead of ordinal labels (High/Medium/Low), it produces a dollar-denominated loss distribution built from two core components:

  • Loss Event Frequency (LEF) -- How often will the threat materialize?
  • Loss Magnitude (LM) -- When it does, what will it cost?

Each component decomposes further. LEF is the product of Threat Event Frequency (how often a threat agent acts against the asset) and Vulnerability (the probability that such an attempt succeeds). Note that "Vulnerability" here is a probability, not a CVE: a scanner finding is one input to estimating it, alongside the controls in front of the asset and the capability of the threat. LM breaks into Primary Loss (direct costs such as response, replacement and lost productivity) and Secondary Loss (regulatory fines, reputation damage, litigation), the latter weighted by the probability that a loss event actually triggers those consequences.

The output is produced by Monte Carlo simulation: each input is given as a range (minimum, most likely, maximum) rather than a point estimate, the model is sampled thousands of times, and the result is a probability distribution of annual loss, typically reported at the 10th, 50th and 90th percentiles together with its mean, which is the annualized loss expectancy (ALE).

From Vulnerability Scan to Risk Register

Here is the workflow Theodolite automates:

  1. Import scan data. Upload Nessus or OpenVAS output. Theodolite parses CVEs, affected hosts, and exploitability metadata.
  2. Enrich with asset context. Each host is tagged with its business function, data classification, and exposure profile. A CVE on a public-facing payment server scores differently than the same CVE on an air-gapped build machine.
  3. Run FAIR quantification. Theodolite estimates Loss Event Frequency from threat intelligence and exploitability data, then models Loss Magnitude using industry benchmarks and your asset classification.
  4. Prioritize by annualized loss expectancy. Instead of sorting by CVSS, you sort by dollar impact. Resources flow to where they reduce the most financial risk.

A Concrete Example

Consider two findings from the same scan:

| Finding | CVSS | Asset | Annualized loss, 90th percentile (FAIR) |
|---|---|---|---|
| CVE-2025-1234: RCE in Apache | 9.8 Critical | Internal wiki server | $12,400/year |
| CVE-2025-5678: SQL injection | 7.5 High | Customer billing API | $2.1M/year |

By CVSS, the Apache RCE gets patched first. By FAIR, the billing API vulnerability receives immediate attention because the probable financial impact is roughly 170x greater. The wiki server holds no sensitive data and is not internet-facing, which in FAIR terms drives down both the Threat Event Frequency and the Loss Magnitude, so the actual risk exposure is minimal despite the high severity score. Two caveats: whichever statistic you sort on (the mean, which is the ALE proper, or a tail percentile such as the 90th), use the same one for every finding; and FAIR reorders the queue, it does not say the wiki server should never be patched.
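A minimal version of the simulation described in the FAIR section above, applied to two findings of the same shape as the table. This is an added example written for this page, not Theodolite's code, and it collapses FAIR's full decomposition (contact frequency, probability of action, threat capability against resistance strength) into direct range estimates for Threat Event Frequency and Vulnerability. The scenario names, every min/most-likely/max range, the 10,000-iteration default and the seed are constructed assumptions, so the resulting figures will not match the table; what carries over is the mechanics and the ordering.

```python
"""Minimal FAIR Monte Carlo in pure Python.

Added example, not Theodolite's code. The scenario names and every range below
are constructed assumptions chosen to illustrate the mechanics.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Pert:
    """A min / most-likely / max estimate, sampled as a modified PERT (lambda = 4)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.high == self.low:  # point estimate, nothing to sample
            return self.low
        span = self.high - self.low
        alpha = 1 + 4 * (self.mode - self.low) / span
        beta = 1 + 4 * (self.high - self.mode) / span
        return self.low + rng.betavariate(alpha, beta) * span


@dataclass(frozen=True)
class Scenario:
    """One FAIR scenario: a threat acting on one asset through one finding."""
    name: str
    tef: Pert             # Threat Event Frequency: attempts per year
    vulnerability: Pert   # probability an attempt becomes a loss event (0..1)
    primary_loss: Pert    # Primary Loss per loss event, USD
    secondary_prob: Pert  # probability a loss event also triggers secondary loss
    secondary_loss: Pert  # Secondary Loss per affected event, USD


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of events in one year at annual rate lam (Knuth's method)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> dict:
    """Sample the annual loss distribution for one scenario and summarise it."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        # Loss Event Frequency = TEF x Vulnerability, used as this year's event rate.
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        total = 0.0
        for _ in range(_poisson(rng, lef)):
            total += scenario.primary_loss.sample(rng)
            if rng.random() < scenario.secondary_prob.sample(rng):
                total += scenario.secondary_loss.sample(rng)
        annual.append(total)
    annual.sort()

    def percentile(q: float) -> float:
        return annual[min(len(annual) - 1, int(q * len(annual)))]

    return {
        "name": scenario.name,
        "ale": sum(annual) / len(annual),  # ALE proper is the mean, not a percentile
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
    }


def rank(scenarios, key: str = "ale", **kwargs) -> list:
    """Simulate every scenario and sort by one statistic, largest first."""
    results = [simulate(s, **kwargs) for s in scenarios]
    return sorted(results, key=lambda r: r[key], reverse=True)


# Constructed inputs: an internal wiki RCE and a public billing-API SQL injection.
WIKI_RCE = Scenario(
    name="RCE on internal wiki server",
    tef=Pert(0.5, 2, 6),                      # internal only: few attempts a year
    vulnerability=Pert(0.05, 0.15, 0.4),
    primary_loss=Pert(2_000, 8_000, 25_000),  # rebuild the box, little data to lose
    secondary_prob=Pert(0, 0.02, 0.1),
    secondary_loss=Pert(0, 5_000, 20_000),
)
BILLING_SQLI = Scenario(
    name="SQL injection in customer billing API",
    tef=Pert(2, 6, 20),                       # internet-facing, probed constantly
    vulnerability=Pert(0.1, 0.3, 0.6),
    primary_loss=Pert(20_000, 100_000, 400_000),
    secondary_prob=Pert(0.2, 0.5, 0.8),       # fines, notification, litigation
    secondary_loss=Pert(100_000, 500_000, 3_000_000),
)

if __name__ == "__main__":
    for r in rank([WIKI_RCE, BILLING_SQLI]):
        print(f"{r['name']:<42} ALE ${r['ale']:>12,.0f}  p90 ${r['p90']:>12,.0f}")
```

Run it as a script and the billing API lands on top regardless of the seed, because its frequency and magnitude ranges dominate on every axis; that is the point of the exercise. The modified PERT is the usual way to turn an expert's three-point estimate into a distribution, and using the ALE (the mean) as the default sort key while still reporting p10/p50/p90 keeps the tail visible to the people who will ask about it.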

Getting Started

If you are new to FAIR, start small:

  • Pick five critical assets and classify them by data sensitivity and exposure.
  • Run a single scan and import the results.
  • Review the FAIR output alongside the raw CVSS rankings. Note where they diverge.

Those divergence points are where your current prioritization is likely misallocating resources. Over time, expanding FAIR coverage across your asset inventory builds a risk register that speaks the language of the business: dollars, not color codes.


Ready to quantify your risk?

Theodolite turns scanner output into dollar-denominated risk intelligence. See it in action.
