PublicRisk.ai

FAIR Analysis

Quantitative cyber risk analysis with Monte Carlo simulation and CISA KEV enrichment

Overview

FAIR Analysis is PublicRisk.ai's quantitative cyber risk modeling tool that transforms qualitative risk scenarios into defensible financial metrics using the Factor Analysis of Information Risk (FAIR) methodology.

Monte Carlo Simulation: 10,000 runs with confidence intervals for board-ready risk quantification


What is FAIR?

FAIR (Factor Analysis of Information Risk) is the Open Group standard for quantifying cyber and technology risk in financial terms (O-RT, the Open FAIR Risk Taxonomy, together with O-RA, the Risk Analysis standard).

Core Equation

Risk = Loss Event Frequency × Loss Magnitude

Decomposition:

  • Loss Event Frequency (LEF) = Threat Event Frequency × Vulnerability
  • Loss Magnitude (LM) = Primary Loss + Secondary Loss

Key Features

1. Automatic Cyber Detection

FAIR Analysis automatically detects cyber security queries using 8-tier pattern matching; the highest-confidence tiers are shown below:

Confidence: 95%

  • CVE-2024-1234 format detection
  • Automatic CISA KEV lookup
  • Exploit maturity assessment

Example:

Query: "What's the risk of CVE-2024-3094 (XZ backdoor)?"
→ Auto-enriched with CISA KEV data
→ Threat capability set to 85th percentile

Confidence: 90%

  • Ransomware keywords (LockBit, BlackCat, etc.)
  • Sector-specific intel (K-12, healthcare, finance)
  • MITRE ATT&CK TTP mapping

Example:

Query: "Ransomware attack on K-12 district servers"
→ Enriched with education sector breach stats
→ TEF calibrated to K-12 specific data

Confidence: 75-85%

  • Critical infrastructure sectors
  • SCADA/ICS/OT environments
  • Supply chain dependencies

Example:

Query: "Water utility SCADA cyber risk"
→ Infrastructure threat profiles applied
→ Control system vulnerabilities assessed

Confidence: 75%

  • Vendor name detection (Microsoft, Cisco, VMware)
  • Third-party risk assessment
  • Supply chain exposure

Example:

Query: "Microsoft Exchange vulnerability impact"
→ Vendor-specific threat data
→ Patch cadence metrics included

Detection powered by cyberQueryService: 8-tier algorithm with CISA KEV database integration


2. CISA KEV Enrichment

When cyber queries are detected with confidence > 0.7, FAIR automatically enriches the scenario with:

  • Active Exploits: Real-world exploit activity
  • Threat Actor Profiles: Known ransomware groups targeting sector
  • Vulnerability Severity: CVSS scores and exploitability
  • Remediation Guidance: CISA recommended actions

Example Enrichment:

Original Query: "Ransomware on healthcare"

Enriched Scenario:
"Ransomware attack on healthcare systems
 
**CISA KEV Threat Intelligence:**
- Active threats: LockBit 3.0, Royal Ransomware (targeting healthcare)
- Key vulnerabilities: 12 KEV CVEs affecting EHR systems
- Threat capability: 85th percentile (organized crime syndicates)
- Recent incidents: 47 healthcare ransomware events (Q4 2024)

**Data Sources:** CISA KEV catalog, HHS breach portal, MITRE ATT&CK"

3. Monte Carlo Simulation

Run 10,000 simulations to generate statistical distributions:

Output Metrics:

  • Mean (Average Annual Loss, ALE): Expected value of the simulated annual losses
  • Standard Deviation: Spread of the simulated losses around the mean
  • Percentiles:
    • P10 (Low Risk): 10% of simulated years lose less than this
    • P50 (Median): Half of simulated years lose less than this (not the "most likely" value, which is the mode)
    • P90 (High Risk): Planning threshold; 90% of simulated years lose less than this
    • P99 (Extreme Tail): Catastrophic scenario

Visualization:

 Frequency
    │      ████
    │    ██████████
    │  ████████████████
    │ ██████████████████████
    │████████████████████████████
    └─────────────────────────────> Loss Amount
      $250K    $850K    $2.1M
      (P10)    (P50)    (P90)
      
Average Loss: $1.04M
90% of outcomes fall below: $2.1M

4. Distribution Types

Choose simulation distribution based on data quality:

PERT (default)

Best for: Consensus estimates

Uses a beta-PERT distribution (a smooth, skewable alternative to the triangular distribution) built from three points:

  • Min: Optimistic scenario
  • Most Likely: Best estimate (mode)
  • Max: Pessimistic scenario

When to use:

  • Subject matter expert estimates
  • No historical data available
  • Quick analysis (board presentations)

Example:

LEF: min=0.8, mostLikely=1.6, max=3.0
LM:  min=$250K, mostLikely=$650K, max=$1.8M

Metalog

Best for: Flexible fitting

Fits a wide range of distribution shapes from quantile data:

  • Handles multimodal data
  • No assumed distribution shape
  • Requires more input points (quantile/probability pairs)

When to use:

  • Historical loss data available
  • Complex risk profiles
  • Research/academic rigor

SIPmath

Best for: Enterprise correlation

SIPmath 3.0 Standard (Stochastic Information Packets, SIPs):

  • Correlate multiple risks
  • Portfolio-level analysis
  • Scenario planning

When to use:

  • Multiple interdependent risks
  • Enterprise risk management
  • Budget allocation decisions

Upload format (each SIP is an array with one value per trial; all SIPs in a library must have the same trial count, and trial i of one SIP is paired with trial i of the others, which is how correlation is carried):

{
  "SIPmath": {
    "sips": [
      {
        "name": "LEF_Ransomware",
        "value": [0.5, 0.8, 1.2, 1.6, 2.3]
      },
      {
        "name": "LM_Primary",
        "value": [200000, 450000, 650000, 900000, 1500000]
      }
    ]
  }
}

Cross-Tool Integration (NEW)

From Query Explorer to FAIR Analysis

When Query Explorer detects a cyber-related query with financial keywords, a smart hint appears:

Cyber Detection Hint:

💡 Cyber Risk Detected (92% confidence)

For quantitative risk analysis with Monte Carlo simulation and 
ALE calculations, try FAIR Analysis.

[📊 Run FAIR Analysis]

Trigger Conditions:

  • Cyber confidence ≥ 80%
  • Financial keywords present: "cost", "budget", "loss", "impact", "insurance"

What happens when you click:

  1. FAIR Analysis page opens
  2. Query pre-filled as scenario
  3. Cyber context passed (query type, confidence, sector)
  4. Optional: Auto-run analysis

From FAIR Analysis to Query Explorer

After completing FAIR simulation, two options appear:

Option 1: Explore in Query Explorer

Button: 💬 Explore in Query Explorer

Passes context:

  • Scenario description
  • Average Annual Loss (ALE)
  • Risk range (P10-P90 percentiles)
  • Cyber enhancement status

Example pre-filled query:

Based on this FAIR analysis:
- Scenario: Ransomware attack on K-12 district servers
- Average Annual Loss: $1,040,000
- 90th Percentile Risk: $2,100,000

What qualitative risk management strategies should we implement?

Use cases:

  • Ask about mitigation controls
  • Research threat actor TTPs
  • Find compliance requirements
  • Get vendor recommendations

Option 2: Ask Follow-Up Question

Button: ❓ Ask Follow-Up Question

Opens dialog with FAIR context summary:

┌─────────────────────────────────────┐
│ Ask Follow-Up Question              │
├─────────────────────────────────────┤
│ FAIR Context:                       │
│ • Scenario: Ransomware attack...    │
│ • Average Loss: $1,040,000          │
│ • Risk Range: $250K - $2.1M         │
├─────────────────────────────────────┤
│ Your Follow-Up Question:            │
│ ┌─────────────────────────────────┐ │
│ │ What controls reduce this by    │ │
│ │ 50%?                            │ │
│ └─────────────────────────────────┘ │
│                                     │
│ [Cancel]  [Ask in Query Explorer]  │
└─────────────────────────────────────┘

What happens:

  1. Query Explorer opens with pre-filled question
  2. FAIR context included in prompt
  3. AI provides targeted mitigation advice
  4. Context badge shows quantitative background

How to Use

Step 1: Enter Risk Scenario

Describe the cyber risk event you want to quantify:

Good Examples:

  • ✅ "Ransomware attack on K-12 district servers causes 48-hour outage"
  • ✅ "Phishing campaign targeting healthcare staff leads to data breach"
  • ✅ "Supply chain compromise through third-party vendor"

Tips:

  • Be specific about asset (servers, data, systems)
  • Include threat actor if known (ransomware, nation-state)
  • Mention impact (downtime, data loss, reputation)

Step 2: Auto-Enrichment (If Cyber Query)

If cyber-related (confidence > 0.7), scenario is automatically enriched with:

  • CISA KEV threat intelligence
  • Sector-specific breach statistics
  • Threat capability assessment
  • Data source attributions

You'll see: ✅ "Cyber query detected: ransomware, confidence: 0.92"

Step 3: Review FAIR Decomposition

System generates FAIR factor estimates:

📊 FAIR Standard Artifact v3.0

Loss Event Frequency (LEF): 0.8 - 3.0 per year
  ├─ Threat Event Frequency (TEF): 2 - 6 per year
  │   ├─ Contact Frequency (CF): 12 - 36 per year
  │   └─ Probability of Action (PoA): 0.1 - 0.28
  └─ Vulnerability (Vuln): 0.25 - 0.55
      ├─ Threat Capability (TCap): 65 - 90 percentile
      └─ Resistance Strength (RS): 40 - 70 percentile

Loss Magnitude (LM): $250K - $1.8M
  ├─ Primary Loss (PLM): $180K - $900K
  └─ Secondary Risk
      ├─ Secondary LEF (SLEF): 0.25 - 0.65
      └─ Secondary LM (SLM): $90K - $650K

Data Sources Mapping:

Each factor shows where data comes from:

┌────────┬────────────────────────────────────────┬─────────────────────────────────┐
│ Factor │ Definition                             │ Data Sources                    │
├────────┼────────────────────────────────────────┼─────────────────────────────────┤
│ TEF    │ How often the threat acts              │ Firewall logs, IDS alerts, DBIR │
│ CF     │ Asset exposure to the threat           │ VPN attempts, phishing emails   │
│ PoA    │ Likelihood of acting once in contact   │ MITRE ATT&CK prevalence         │
│ Vuln   │ Probability a threat event causes loss │ Patch cadence, pen test results │
│ TCap   │ Adversary skill                        │ Threat intel, CISA KEV maturity │
│ RS     │ Control strength                       │ EDR block rates, backup tests   │
│ PLM    │ Direct costs                           │ IT labor, IR vendor, downtime   │
│ SLM    │ Indirect costs                         │ Trust surveys, regulatory fines │
└────────┴────────────────────────────────────────┴─────────────────────────────────┘

Calibration Required: Default estimates are templates. Replace with your organization's telemetry for accuracy.
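A consistency check on the decomposition, added here as example code and not part of the FAIR Analysis tool: each parent range in the tree should be reachable from its children, so LEF should sit inside what TEF × Vuln can produce, TEF inside CF × PoA, and LM inside PLM + SLEF × SLM. Because every FAIR factor is non-negative, multiplying and adding the endpoints of the child ranges bounds the parent, and any stated range that escapes those bounds is a calibration gap. The TCap/RS pair is left out because the mapping from those percentiles to Vulnerability is not an interval product. Run against the ranges in the tree above, it confirms LEF and TEF but flags that an LM ceiling of $1.8M is not reachable from a $900K PLM ceiling plus at most 0.65 × $650K of secondary loss; that is exactly the kind of gap the Calibration Required note asks you to close with SMEs before running the simulation. The widened SLM ceiling used at the end to clear the flag is a constructed value.

```python
from typing import Dict, List, Tuple

Range = Tuple[float, float]   # (min, max) as displayed in the FAIR tree


def mul(a: Range, b: Range) -> Range:
    """Interval product; valid because every FAIR factor is non-negative."""
    return (a[0] * b[0], a[1] * b[1])


def add(a: Range, b: Range) -> Range:
    return (a[0] + b[0], a[1] + b[1])


def within(inner: Range, outer: Range, tol: float = 1e-9) -> bool:
    return outer[0] - tol <= inner[0] and inner[1] <= outer[1] + tol


def derive(tree: Dict[str, Range]) -> Dict[str, Range]:
    """Parent ranges implied by the children, following the FAIR equations."""
    derived = {
        "TEF": mul(tree["CF"], tree["PoA"]),                      # TEF = CF x PoA
        "LEF": mul(tree["TEF"], tree["Vuln"]),                    # LEF = TEF x Vuln
        "LM": add(tree["PLM"], mul(tree["SLEF"], tree["SLM"])),   # LM = PLM + SLEF x SLM
    }
    derived["ALE"] = mul(tree["LEF"], tree["LM"])                 # ALE = LEF x LM
    return derived


def check_fair_tree(tree: Dict[str, Range]) -> List[str]:
    """One finding per stated parent range that its children cannot produce."""
    findings = []
    for name, implied in derive(tree).items():
        stated = tree.get(name)
        if stated is None:
            continue                      # nothing stated at this level to compare against
        if not within(stated, implied):
            findings.append(
                f"{name}: stated {stated[0]:,.2f}-{stated[1]:,.2f} is outside what its "
                f"children can produce ({implied[0]:,.2f}-{implied[1]:,.2f})"
            )
    return findings


# The ranges exactly as displayed in the FAIR decomposition above.
PAGE_TREE: Dict[str, Range] = {
    "CF": (12, 36), "PoA": (0.10, 0.28), "TEF": (2, 6),
    "Vuln": (0.25, 0.55), "LEF": (0.8, 3.0),
    "PLM": (180_000, 900_000), "SLEF": (0.25, 0.65), "SLM": (90_000, 650_000),
    "LM": (250_000, 1_800_000),
}

if __name__ == "__main__":
    for line in check_fair_tree(PAGE_TREE) or ["tree is internally consistent"]:
        print(line)
    # One way to close the gap: raise the SLM ceiling (constructed value) and re-check.
    recalibrated = dict(PAGE_TREE, SLM=(90_000, 1_400_000))
    print(check_fair_tree(recalibrated) or ["tree is internally consistent after calibration"])
```

The check is deliberately one-directional: a stated parent range may be narrower than what its children allow (the analyst has more information at that level), but it should never be wider, and a parent ceiling above the children's ceiling means the Monte Carlo will sample losses no combination of the sub-factors explains.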

Step 4: Choose Distribution Type

Select based on data availability:

  • PERT (Default): SME estimates (min, most likely, max)
  • Metalog: Historical loss data available
  • SIPmath: Multiple correlated risks (upload .json)

Step 5: Run Monte Carlo Simulation

Click ▶️ Run Simulation (10,000 runs)

Simulation takes: 3-5 seconds

Output:

  • Histogram of loss distribution
  • Key statistics (mean, std dev, percentiles)
  • Confidence intervals (80%, 90%, 95%)

Step 6: Export or Take Action

Export Options:

  • 📄 PDF Report (board presentation)
  • 📊 Excel (further analysis)
  • 🔗 JSON (API integration)

Cross-Tool Actions:

  • 💬 Explore in Query Explorer (get qualitative advice)
  • Ask Follow-Up Question (specific mitigation query)

Workflows & Use Cases

Workflow 1: Cyber Query → Quantification

Scenario: User wants to know ransomware financial impact

  1. Query Explorer: "What's the cost of ransomware for K-12 schools?"
  2. Cyber hint appears: 💡 92% confidence
  3. Click "Run FAIR Analysis" → Pre-filled scenario
  4. Run simulation → ALE: $1.04M (mean), $2.1M (P90)
  5. Board presentation: "Plan for $2.1M (P90) across controls and insurance coverage"

Time: 3 minutes end-to-end


Workflow 2: Quantitative → Mitigation Strategy

Scenario: CISO has ALE number, needs control recommendations

  1. FAIR Analysis: Complete simulation (ALE: $850K)
  2. Click "Ask Follow-Up Question"
  3. Enter: "What controls reduce this risk by 50%?"
  4. Query Explorer opens with FAIR context
  5. AI provides: Ranked mitigation list with cost/benefit

Output Example:

Based on your FAIR analysis (ALE: $850K):

Top 3 Controls to Reduce Risk by 50%:

1. Immutable Backups ($50K investment)
   - Reduces LM by 40% (faster recovery, shorter outage, no ransom payment)
   - **Expected ALE reduction: $340K**
   
2. EDR with Ransomware Rollback ($80K/year)
   - Reduces Vulnerability by 50% (blocks or rolls back most encryption attempts)
   - **Expected ALE reduction: $425K**
   
3. Security Awareness Training ($20K/year)
   - Lowers phishing click rate, a Vulnerability input
   - **Expected ALE reduction: $200K**

Combined: New ALE $385K (55% decrease, $465K saved). The individual figures overlap, since EDR and training both act on Vulnerability, so they are not simply added.

Workflow 3: Board Presentation Prep

Scenario: CFO asks "How much should we budget for cyber risk?"

  1. Identify top 3 scenarios (ransomware, phishing, vendor breach)
  2. Run FAIR for each (10 min total)
  3. Export PDFs with confidence intervals
  4. Present P90 values as the budget recommendation (adding per-scenario P90s gives a conservative ceiling, since the three worst cases rarely land in the same year; a SIPmath joint simulation gives the true portfolio P90)
  5. Show control ROI using Query Explorer mitigation advice

Board Slide Example:

Cyber Risk Budget Recommendation

Ransomware:        $2.1M (P90)
Phishing:          $650K (P90)  
Vendor Breach:     $1.2M (P90)
────────────────────────────────
Total Budget:      $3.95M

Mitigation Investment: $150K
Residual Risk:         $2.5M
Insurance Coverage:    $2M (SIR: $500K)

Workflow 4: Insurance Procurement

Scenario: Need to justify cyber insurance premium

  1. Run FAIR for top 3 threat scenarios
  2. Calculate aggregate ALE: Sum of individual scenarios
  3. Compare to insurance quote
  4. Decision: Premium < 20% of ALE → Buy (a rule of thumb; also weigh the retained exposure the SIR and policy limit leave with you)
  5. Document with FAIR PDFs for underwriter

Example:

Aggregate ALE: $3.2M/year
Insurance Premium: $450K/year (14% of ALE)

Recommendation: Purchase
- Premium is cost-effective (< 20% threshold)
- Caps the organization's retained loss per event at the $500K SIR (within the policy limit)
- FAIR analysis justifies coverage limits

Advanced Features

1. Forms of Loss Breakdown

FAIR analysis includes 6 forms of loss per FAIR Standard Artifact v3.0:

  1. Productivity Loss: Downtime, degraded operations
  2. Response Costs: IR, forensics, communication, legal
  3. Replacement Costs: System restore, data recovery
  4. Fines and Judgments: Regulatory penalties, civil actions
  5. Reputation Damage: Customer/partner trust, market value
  6. Competitive Advantage: IP theft, strategy disclosure

Use case: Allocate loss estimates to specific forms for budget planning


2. Scenario Comparison

Compare multiple FAIR analyses side-by-side:

┌─────────────────────────────────────────────────┐
│ Scenario Comparison                             │
├─────────────────┬──────────┬──────────┬─────────┤
│                 │ Ransomw. │ Phishing │ Vendor  │
├─────────────────┼──────────┼──────────┼─────────┤
│ Mean (ALE)      │ $1.04M   │ $425K    │ $780K   │
│ P90 (High Risk) │ $2.1M    │ $850K    │ $1.5M   │
│ LEF (per year)  │ 1.6      │ 2.8      │ 1.2     │
│ Cyber Enhanced  │ ✅       │ ✅       │ ❌      │
└─────────────────┴──────────┴──────────┴─────────┘

Priority: Ransomware (highest P90)

3. Sensitivity Analysis

Test how changes in factors affect ALE:

ALE is linear in Vulnerability (LEF = TEF × Vuln), so halving Vuln halves ALE:

If we reduce Vulnerability by 50% (better controls):
  Original ALE: $1.04M
  New ALE:      $520K (50% reduction)
  Control Cost: $150K/year
  ROI:          247% = ($520K saved - $150K cost) / $150K (pays back in 3.5 months)
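The control arithmetic behind this section and behind the Workflow 2 caveat that overlapping controls do not simply add, as an added example and not the tool's own ROI logic. It models ALE as TEF × Vuln × LM with secondary loss folded into LM, so a proportional cut in any one factor scales ALE by the same proportion; controls on different factors compound, and two controls on the same factor are compounded as if independent, which is this example's assumption and the optimistic end for overlapping controls (the real FAIR treatment runs through Resistance Strength against Threat Capability). The two-control package at the end is constructed to show the non-additivity.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Simplification used throughout: ALE = TEF x Vuln x LM, secondary loss folded
# into LM. Reducing any one factor by fraction r scales ALE by (1 - r).
FACTORS = ("TEF", "Vuln", "LM")


@dataclass(frozen=True)
class Control:
    name: str
    factor: str          # which FAIR factor the control acts on
    reduction: float     # 0.5 means the factor drops by 50%
    annual_cost: float


def residual_ale(ale: float, controls: Iterable[Control]) -> float:
    """ALE after applying controls.

    Controls on different factors compound multiplicatively. Two controls on
    the same factor are compounded too, which assumes they act independently
    (an assumption; overlapping controls usually deliver less than this).
    """
    scale = {f: 1.0 for f in FACTORS}
    for c in controls:
        if c.factor not in FACTORS:
            raise ValueError(f"unknown factor {c.factor!r}")
        if not 0.0 <= c.reduction < 1.0:
            raise ValueError(f"{c.name}: reduction must be in [0, 1)")
        scale[c.factor] *= 1.0 - c.reduction
    for f in FACTORS:
        ale *= scale[f]
    return ale


def control_roi(ale: float, controls: Iterable[Control]) -> Dict[str, float]:
    """Annual saving, ROI and payback for a control package."""
    controls = list(controls)
    new_ale = residual_ale(ale, controls)
    saving = ale - new_ale
    cost = sum(c.annual_cost for c in controls)
    return {
        "original_ale": ale,
        "new_ale": new_ale,
        "annual_saving": saving,
        "annual_cost": cost,
        "roi": (saving - cost) / cost if cost else float("inf"),
        "payback_months": 12.0 * cost / saving if saving > 0 else float("inf"),
    }


def sensitivity(ale: float, factor: str,
                reductions: Tuple[float, ...] = (0.1, 0.25, 0.5)) -> Dict[float, float]:
    """ALE for a sweep of proportional reductions in one factor."""
    return {r: residual_ale(ale, [Control("sweep", factor, r, 0.0)]) for r in reductions}


if __name__ == "__main__":
    # Worked case from the Sensitivity Analysis section: halve Vulnerability for $150K/year.
    r = control_roi(1_040_000, [Control("better controls", "Vuln", 0.5, 150_000)])
    print(f"new ALE ${r['new_ale']:,.0f}, ROI {r['roi']:.0%}, payback {r['payback_months']:.1f} months")
    # Constructed two-control package: two 40% cuts on different factors give 64% off, not 80%.
    package = [Control("immutable backups", "LM", 0.4, 50_000),
               Control("EDR rollback", "Vuln", 0.4, 80_000)]
    print(f"two 40% controls -> ALE ${residual_ale(1_000_000, package):,.0f}")
    for frac, val in sensitivity(1_040_000, "Vuln").items():
        print(f"Vuln -{frac:.0%}: ALE ${val:,.0f}")
```

The same function makes the Workflow 2 point explicit: two 50% reductions on Vulnerability leave 25% of the original ALE, not 0%, and a 40% LM cut beside a 40% Vuln cut leaves 36%, so quoting "$965K reduction" from three individually sized controls overstates the package.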

4. Template Library

Pre-built scenarios for common risks:

  • Ransomware (K-12 Education): Based on sector data
  • Healthcare Data Breach: HIPAA-specific estimates
  • Financial Wire Fraud: BEC/phishing scenarios
  • Manufacturing OT Disruption: ICS/SCADA downtime
  • Retail POS Compromise: Payment card data theft

Templates provide starting estimates. Calibrate with your organization's data.


Data Sources & Calibration

Threat Event Frequency (TEF):

  • Firewall/IDS access attempt logs
  • VPN brute-force telemetry
  • Verizon DBIR sector cuts
  • CISA KEV ransomware notes

Contact Frequency (CF):

  • Email phishing campaign volume (Secure Email Gateway)
  • External attack surface scans
  • VPN login attempts by geography

Probability of Action (PoA):

  • MITRE ATT&CK ransomware TTP prevalence
  • Threat intelligence campaign success rates
  • Sector-specific breach reports

Vulnerability (Vuln):

  • Patch cadence for CISA KEV CVEs
  • Endpoint protection coverage %
  • Phishing simulation click rates
  • Penetration test findings

Threat Capability (TCap):

  • Known ransomware group profiles
  • CISA KEV exploit maturity ratings
  • Sector ISAC intelligence

Resistance Strength (RS):

  • Backup resilience test results
  • Incident response tabletop scores
  • EDR block/rollback success rates

Primary Loss Magnitude (PLM):

  • IT overtime labor rates
  • IR vendor retainer/invoice costs
  • Downtime cost per hour (lost revenue)
  • System restoration time estimates

Secondary Loss Magnitude (SLM):

  • Customer trust/satisfaction surveys
  • Regulatory penalty guidance (state breach laws)
  • Insurance claims data (sector averages)
  • Stock price impact studies

Critical: Default estimates are starting points. Replace with your org's telemetry for defensible analysis.


Troubleshooting

Common Issues

Issue: "Simulation results seem too low/high"

  • Cause: Default estimates not calibrated to your org
  • Solution: Replace factor ranges with actual telemetry data

Issue: "Cyber enhancement not triggering"

  • Cause: Query doesn't match cyber patterns (confidence < 0.7)
  • Solution: Add cyber keywords: "ransomware", "CVE", "phishing", "breach"

Issue: "SIPmath upload fails"

  • Cause: JSON format incorrect
  • Solution: Use SIPmath 3.0 Standard format (see Distribution Types tab)

Issue: "Can't export PDF"

  • Cause: Browser popup blocker
  • Solution: Allow popups from publicrisk.ai domain

Technical Details

Backend API

Endpoint:

https://publicrisk--publicrisk-consolidated-backend-serve.modal.run/analyze

Request:

{
  "scenario": "Ransomware attack on K-12 district servers",
  "mode": "fair",
  "distribution_type": "pert"
}

Response:

{
  "fair_analysis": {
    "scenario": "Ransomware attack...",
    "risk": {
      "lef": { "min": 0.8, "mostLikely": 1.6, "max": 3.0 },
      "lm": { "min": 250000, "mostLikely": 650000, "max": 1800000 }
    },
    "ale": { "min": 200000, "mostLikely": 1040000, "max": 5400000 }
  },
  "simulation_results": {
    "mean": 1040000,
    "std": 450000,
    "p10": 250000,
    "p50": 850000,
    "p90": 2100000,
    "p99": 3600000
  }
}

The ale block holds the products of the LEF and LM bounds (0.8 × $250K, 1.6 × $650K, 3.0 × $1.8M); the simulated percentiles always fall inside it.

Monte Carlo Engine

Implementation:

  • Library: pyfair (Python)
  • Simulations: 10,000 (configurable)
  • Distributions: PERT, Metalog, SIPmath
  • Correlation: Supported via SIPmath
  • Performance: 3-5s on Modal cloud (cold start: 30-60s)

Best Practices

1. Start with Templates

Use pre-built scenarios as starting points, then calibrate:

Template: Ransomware (K-12)

  • Calibrate TEF with your firewall logs
  • Calibrate Vuln with your phishing sim results
  • Calibrate PLM with your actual IR costs

2. Validate with SMEs

Review FAIR factors with subject matter experts:

  • IT: Threat frequency, patch cadence
  • Security: Threat capability, vulnerability
  • Finance: Loss magnitudes, cost models
  • Legal: Regulatory fines, litigation risk

3. Document Assumptions

Include data source notes in scenario description:

"Ransomware attack on K-12 district servers (48-hour outage)

Data Sources:
- TEF: Firewall logs (Jan-Nov 2024) + CISA K-12 threat brief
- Vuln: Q3 2024 phishing sim (18% click rate)
- PLM: IT labor cost ($150/hr) + IR vendor quote ($80K)
- SLM: Trust survey (15% parent concern post-breach)

Assumptions:
- No immutable backups (increases PLM)
- Current EDR deployed (reduces Vuln)
- Cyber insurance: $1M limit, $500K SIR"

4. Update Quarterly

Re-run FAIR analyses every quarter to reflect:

  • New threat intelligence
  • Control improvements
  • Updated telemetry data
  • Regulatory changes

5. Use P90 for Budgeting

Why P90 (not mean)?

  • P90 = "90% of outcomes fall below this"
  • Conservative planning threshold
  • Aligns with insurance actuarial practices
  • Defensible to boards/CFOs

Mean:  $1.04M (average; understates tail risk)
P90:   $2.1M   (planning threshold; ✅ recommended)
P99:   $3.6M   (extreme tail; usually too conservative for an annual budget)
