
Most security programs still communicate risk in colors and letters. A finding is "high," a control gap is "red," an audit posture earns a "B." Those labels are easy to produce and easy to argue about, which is exactly the problem. When a board member asks whether a 'high' is worse than three 'mediums,' or whether spending two million dollars to fix it is worth it, an ordinal scale has no answer. It was never built to be added, subtracted, or compared against a dollar of budget. FAIR — Factor Analysis of Information Risk — exists to close that gap by expressing risk in the one unit every executive already trusts: money, stated as a range with explicit uncertainty.
FAIR is an open standard, maintained by The Open Group, for decomposing 'risk' into parts you can actually estimate. Its central move is deceptively simple. Risk, in FAIR terms, is the probable frequency and probable magnitude of future loss. That sentence forces two separate questions that heatmaps blur together: how often is a loss event likely to happen, and how bad is it likely to be when it does? Keeping those two questions apart is most of the value, because a rare catastrophic event and a frequent minor one can land in the same heatmap cell while demanding completely different responses.
The first factor is loss event frequency: how many times per year you should expect a given kind of loss event to actually occur. Note the word 'event' — not 'attack' and not 'vulnerability.' A scanner finding is not a loss event; a phishing email is not a loss event; both are upstream of one. A loss event is the moment a threat actor's action successfully produces harm — credentials stolen and used, data exfiltrated, systems encrypted. FAIR lets you estimate frequency directly when you have data, or build it up from how often threats make contact, how often that contact is acted on, and how often your controls fail to stop it. The discipline is the same either way: you are estimating events that cause loss, not activity that might.
The second factor is loss magnitude: when a loss event happens, how many dollars leave the building. FAIR splits this into primary and secondary loss, and the distinction matters more than it first appears. Primary loss is what you absorb directly and immediately — incident response hours, forensic vendors, system rebuilds, downtime, replaced hardware. Secondary loss is what comes back at you from other parties reacting to the event: regulatory fines, legal defense and settlements, customer churn, credit monitoring you owe, contract penalties, and the slower bleed of reputation. Secondary loss is frequently the larger and more volatile half, and it is the half that 'just patch it' conversations ignore entirely.
Once you have ranges for frequency and magnitude, you do not multiply two single numbers and call it a day. Real inputs are uncertain, so FAIR practitioners run a Monte Carlo simulation: the model draws thousands of plausible scenarios — Valty runs 10,000 — sampling a frequency and a magnitude from your estimated ranges on each pass, computing the year's loss, and recording it. Do that ten thousand times and you get a full distribution of outcomes rather than a single point. Some simulated years are quiet; a few are disastrous. The shape of that distribution, not any single figure inside it, is the actual answer to 'how much risk is here.'
From that distribution you read confidence bands. The P10 is the value that 10 percent of simulated outcomes fell below — a realistic 'good year.' The P90 is the value 90 percent fell below — a plausible bad year, though deliberately not the absolute worst imaginable. The base case sits in the middle as your central expectation. Reported together as a P10/base/P90 range, these three numbers tell a board something a single number never can: not just what you expect, but how wide the outcomes spread, and therefore how much is genuinely at stake if things break the wrong way. A tight band signals a well-understood risk; a wide one signals you are estimating in the dark.
This is why a range beats a 1-5 heatmap or a letter grade in a board conversation, and the reason is structural, not cosmetic. Ordinal scales cannot be aggregated honestly — you cannot sum 'highs' into a portfolio total, and the distance between a 3 and a 4 is undefined, so the math underneath any roll-up is fiction. Dollar distributions add up correctly. You can total exposure across business units, compare two unrelated risks on one axis, and place the number next to a budget line, an insurance limit, or a quarter's EBITDA. A CFO who would glaze over at 'we have eleven highs' will engage immediately with 'this exposure runs four to thirty million, central case eleven.'
The budget defense follows directly from the model. A control investment is worth making when it measurably moves the distribution — usually by cutting loss event frequency, sometimes by shrinking magnitude. You quantify exposure before the control and after, and the difference is risk reduced, expressed in dollars and comparable to the cost of the control. That converts a security ask from a plea for trust into a return calculation a finance team can scrutinize. It also reorders the roadmap honestly: ranking remediations by exposure reduced per dollar spent routinely surfaces a cheap configuration fix that beats an expensive platform purchase, which is a far more defensible story than 'the scanner flagged it red.'
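As an added example (not Valty's or The Open Group's code), the simulation described above and the before/after control comparison in one script: each simulated year draws a loss event frequency and per-event primary and secondary magnitudes from (low, most likely, high) ranges, the P10/base/P90 bands are read off the resulting distribution, and the change in expected annual loss is set against the control's cost. The scenario ranges are constructed for illustration, and treating the median as the base case and using a Poisson count of events per year are assumptions of this example, not part of the FAIR standard.

```python
import math
import random

# A FAIR input range as (low, most likely, high), sampled with a triangular distribution.
Range = tuple[float, float, float]

def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one simulated year for the year's drawn rate (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(lef: Range, primary: Range, secondary: Range,
             runs: int = 10_000, seed: int = 1) -> list[float]:
    """One annualized loss figure per simulated year: loss event frequency x loss magnitude."""
    rng = random.Random(seed)
    years = []
    for _ in range(runs):
        rate = rng.triangular(lef[0], lef[2], lef[1])        # events per year drawn for this pass
        loss = 0.0
        for _ in range(poisson(rng, rate)):                    # each event costs primary + secondary
            loss += rng.triangular(primary[0], primary[2], primary[1])
            loss += rng.triangular(secondary[0], secondary[2], secondary[1])
        years.append(loss)
    return years

def bands(years: list[float]) -> dict[str, float]:
    """Read P10 / base (assumed here to be the median) / P90 and the mean off the distribution."""
    s = sorted(years)
    pick = lambda p: s[min(int(p * len(s)), len(s) - 1)]
    return {"p10": pick(0.10), "base": pick(0.50), "p90": pick(0.90), "mean": sum(s) / len(s)}

def control_value(before: list[float], after: list[float], annual_cost: float) -> dict[str, float]:
    """Expected annual loss before and after a control, risk reduced, and reduction per control dollar."""
    b, a = bands(before)["mean"], bands(after)["mean"]
    return {"before": b, "after": a, "reduced": b - a, "per_dollar": (b - a) / annual_cost}

# Constructed illustrative ranges (not real incident data): credential phishing that leads to
# account takeover of a business-critical application, before and after phishing-resistant MFA.
PRIMARY = (20_000, 80_000, 300_000)        # response hours, forensics, rebuilds per event
SECONDARY = (0, 150_000, 2_000_000)        # fines, legal, churn, credit monitoring per event
BEFORE = simulate(lef=(1.0, 3.0, 8.0), primary=PRIMARY, secondary=SECONDARY)
AFTER = simulate(lef=(0.1, 0.5, 2.0), primary=PRIMARY, secondary=SECONDARY)

if __name__ == "__main__":
    print("exposure before control:", {k: round(v) for k, v in bands(BEFORE).items()})
    print("exposure after control: ", {k: round(v) for k, v in bands(AFTER).items()})
    print("control at $150k/yr:    ", {k: round(v, 2) for k, v in control_value(BEFORE, AFTER, 150_000).items()})
```

Widening the input ranges widens the P10-to-P90 spread, which is the point made later about thin evidence: the script reports that spread rather than hiding it.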
None of this works without naming the limits plainly, and any vendor who hides them should worry you. FAIR is decision-support, not prophecy. The output is an estimate built to inform a choice between options, not an actuarial guarantee and not investment or legal advice. It tells you which of two paths reduces more exposure for the money; it does not promise next year's loss will land inside the band. Treat a P10/base/P90 range as a sharper way to reason under uncertainty, not as a number to take to the bank.
Garbage in, garbage out applies with full force. A Monte Carlo will faithfully process bad assumptions into a confident-looking distribution, and the precision of the output can mask the softness of the inputs. The discipline that protects you is calibration — estimating ranges you would genuinely bet on, sourcing magnitude from real incident costs and breach data rather than gut feel, and writing down where each number came from. The simulation does not manufacture knowledge; it only propagates the uncertainty you give it. This is why every Valty estimate carries its method, confidence, and source alongside the figure, so a skeptical reviewer can audit the reasoning instead of trusting the total.
Thin evidence should produce wide bands, and that is a feature rather than a flaw. When you genuinely do not know how often an event occurs or how costly it would be, the honest representation is a broad distribution — and a wide P10-to-P90 spread is itself a finding. It tells leadership the real problem is missing data, which often justifies investment in telemetry, logging, or an assessment before any control purchase. Beware the opposite failure: a suspiciously narrow band built on borrowed industry averages dressed up as local fact. Bands should tighten as you gather your own evidence, and watching them tighten over time is a fair measure of whether your risk program is actually maturing.
A practical detail that earns trust: Valty and FAIR-aligned tooling read from the systems you already run — scanners, GRC platforms, cloud configuration, identity providers — rather than replacing them. The quantification layer sits on top of existing signal, translating control state and finding data into frequency and magnitude inputs. That keeps the model grounded in your environment instead of a generic benchmark, and it means adopting quantification does not mean ripping out the stack that produces your evidence in the first place.
If you are evaluating this for the first time, start narrow. Pick one or two loss scenarios that matter to your business — ransomware on a critical system, a breach of your most regulated data — and quantify them end to end, primary and secondary loss included, with sources written down. Resist the urge to model everything at once; a credible range on the risks that keep your CFO awake is worth more than a sprawling register of soft estimates. Done honestly, the result is not a magic number but a defensible, auditable conversation about money and uncertainty — which, for a security leader trying to win budget from a skeptical board, is the whole point.