Summary
Measuring and Managing Information Risk by Jack Freund and Jack Jones is the definitive guide to applying the FAIR (Factor Analysis of Information Risk) model—a structured and quantitative approach to assessing and managing cybersecurity risk. The book challenges the status quo of qualitative risk assessments and offers a scientifically grounded alternative that enables better decisions, communication, and accountability.
The authors bridge the gap between security professionals and business executives by aligning cybersecurity with economic and business principles. They argue that understanding and managing information risk effectively requires consistent terminology, logical thinking, and quantifiable metrics.
Why Risk Quantification Matters
Traditional risk management often relies on qualitative approaches—using color-coded heat maps or subjective labels like “high,” “medium,” or “low.” Freund and Jones argue that such methods:
- Lack consistency and objectivity
- Don’t scale across an enterprise
- Don’t support meaningful tradeoff decisions
The FAIR model provides a way to measure risk in financial terms, such as “expected loss per year,” which aligns with how executives think about insurance, investment, and strategic risk.
Introduction to the FAIR Model
FAIR is a taxonomy and methodology for analyzing and quantifying information risk. At its core, it defines risk as the probable frequency and magnitude of future loss.
The model breaks this into two components:
- Loss Event Frequency (LEF) – How often a loss event is expected to occur.
- Probable Loss Magnitude (PLM) – The expected financial impact per event.
This foundational equation drives every FAIR analysis:
Risk = Loss Event Frequency × Probable Loss Magnitude
Component Breakdown
Loss Event Frequency (LEF)
LEF consists of two subcomponents:
- Threat Event Frequency (TEF): How often a threat agent acts against an asset.
- Vulnerability: The probability that a threat agent's action results in a loss event.
These are further influenced by:
- Contact frequency between threats and assets
- Strength of controls
- Threat capability versus asset resistance
Probable Loss Magnitude (PLM)
PLM is broken down into six forms of loss:
- Productivity loss
- Response costs
- Replacement costs
- Fines and judgments
- Competitive advantage loss
- Reputation damage
Each category is estimated based on historical data, subject matter expertise, and industry benchmarks.
Scoping the Risk Problem
One of the most important and often overlooked steps in risk analysis is scoping—defining exactly what the risk is, what assets are involved, and what threat communities are relevant.
Poorly scoped risk scenarios lead to ambiguous or misleading results. Freund and Jones stress that good risk statements are:
- Time-bound
- Actionable
- Explicit about the threat, asset, and effect
Calibration and Estimation
FAIR doesn’t require perfect data—it requires defensible estimates. The authors describe:
- How to use ranges and confidence levels
- How to calibrate subject matter experts (SMEs) to reduce bias
- How to communicate uncertainty to decision-makers
Estimation is a skill that improves over time with training and discipline.
Using Monte Carlo Simulation
The model relies on Monte Carlo simulation to process thousands of iterations across ranges of input values, producing a probability distribution of potential outcomes. This allows:
- Visualization of risk as a curve instead of a point estimate
- Decision-making based on risk appetite and tolerance
- Prioritization of mitigation efforts by expected value
Outputs include:
- Annualized Loss Exposure (ALE)
- Value at Risk (VaR)
- Confidence intervals for loss outcomes
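As an added illustration (not code from the book or from any FAIR tool), the following Monte Carlo simulation ties together the FAIR equation, its components, and the outputs listed above: calibrated (minimum, most likely, maximum) estimates for Threat Event Frequency, Vulnerability, and loss magnitude are sampled thousands of times to produce an annual loss distribution, from which ALE, percentile (VaR-style) figures, and a risk appetite check are derived. The scenario figures are constructed placeholders, and the triangular distribution and nearest-rank percentile are simplifications chosen here, not methods the book prescribes.

```python
import math
import random
import statistics

# Constructed inputs for one hypothetical scenario, each as a calibrated
# (minimum, most likely, maximum) estimate. These figures are made up for
# illustration; they are not values from the book's case studies.
SCENARIO = {
    "tef": (2, 6, 20),                            # Threat Event Frequency, events/year
    "vulnerability": (0.05, 0.15, 0.40),          # P(threat event becomes a loss event)
    "loss_per_event": (20_000, 75_000, 500_000),  # loss magnitude per event, in dollars
}

def sample_range(rng, low, mode, high):
    """Draw one value from a triangular distribution over a (min, most likely, max) estimate."""
    return rng.triangular(low, high, mode)

def simulate_year(rng, scenario):
    """One Monte Carlo iteration: TEF x Vulnerability -> loss events, each with its own magnitude."""
    threat_events = round(sample_range(rng, *scenario["tef"]))
    vulnerability = sample_range(rng, *scenario["vulnerability"])
    # Each threat event becomes a loss event with probability = Vulnerability (LEF = TEF x Vuln)
    loss_events = sum(1 for _ in range(threat_events) if rng.random() < vulnerability)
    # Probable Loss Magnitude is drawn separately for every loss event and summed for the year
    return sum(sample_range(rng, *scenario["loss_per_event"]) for _ in range(loss_events))

def run_simulation(scenario, iterations=10_000, seed=42):
    """Run the simulation and return the sorted distribution of annual loss."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    return sorted(simulate_year(rng, scenario) for _ in range(iterations))

def percentile(sorted_losses, p):
    """Nearest-rank percentile (0 <= p <= 100) over an already-sorted list."""
    rank = math.ceil(p / 100 * len(sorted_losses)) - 1
    return sorted_losses[max(0, min(rank, len(sorted_losses) - 1))]

def summarize(sorted_losses, risk_appetite):
    """ALE, VaR-style percentiles, and a check against a quantitative risk appetite threshold."""
    p95 = percentile(sorted_losses, 95)
    return {
        "ale": statistics.mean(sorted_losses),  # Annualized Loss Exposure
        "p50": percentile(sorted_losses, 50),
        "p90": percentile(sorted_losses, 90),
        "p95": p95,                              # 95th-percentile annual loss (VaR at 95%)
        "within_appetite": p95 <= risk_appetite, # risk appetite statement as a dollar threshold
    }

if __name__ == "__main__":
    print(summarize(run_simulation(SCENARIO), risk_appetite=1_000_000))
```

Replacing the triangular draws with a PERT distribution and comparing the output with and without a control (for example, a lower Vulnerability range after MFA deployment) turns this into the investment comparison described in the application scenarios.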
Application Scenarios
FAIR is flexible and can be applied to various domains:
- Evaluating the value of security investments (e.g., MFA deployment)
- Prioritizing risk mitigation across a portfolio
- Justifying budgets and risk acceptance decisions
- Comparing cloud versus on-premises risk
- Understanding the impact of third-party breaches
Case studies include analyses of DDoS protection ROI, breach preparedness, and vendor risk management.
Risk Communication
Translating technical risk data into business-relevant language is a central theme. FAIR enables this by:
- Expressing risk in financial terms
- Providing ranges rather than absolutes
- Framing conversations around value and tradeoffs
The authors offer templates and examples for presenting findings to boards, executives, and auditors.
Governance and Risk Appetite
FAIR supports the development of risk appetite statements—quantitative thresholds for acceptable risk. This enables:
- Alignment with business strategy
- Policy enforcement
- Scenario-based planning and what-if analysis
Governance models built on FAIR are more transparent, accountable, and defensible than traditional qualitative assessments.
Benefits of the FAIR Approach
- Consistency – Standardizes terminology and structure
- Objectivity – Reduces subjectivity and gut-feel decisions
- Scalability – Works for enterprise-wide risk management
- Business Alignment – Supports strategic and financial planning
- Auditability – Provides a defensible, documented process
FAIR turns cybersecurity from a vague concern into a measurable business risk.
Limitations and Challenges
- Requires training and cultural change
- Needs SME engagement and buy-in
- May encounter resistance from traditional risk owners
- Data availability varies across organizations
However, the authors argue these are surmountable with leadership commitment and iterative adoption.
FAIR vs. Traditional Risk Frameworks
FAIR complements—not replaces—other frameworks like:
- NIST Cybersecurity Framework
- ISO/IEC 27005
- COSO ERM
- OCTAVE
These models offer process guidance, while FAIR provides quantification techniques that plug into them.
Building a Risk Management Program
The book outlines a maturity roadmap:
- Ad hoc assessments – Often qualitative and inconsistent
- Structured qualitative – Defined process but limited insights
- Quantitative pilots – Targeted FAIR analyses
- Integrated risk quantification – Embedded into budgeting and governance
It also offers guidance on building a FAIR-based team and leveraging tools like RiskLens.
Key Takeaways
- Risk must be measured to be managed.
- FAIR enables informed decisions through financial analysis.
- Clear scoping and calibrated estimation are critical to success.
- Risk models must serve business goals—not abstract metrics.
- Cybersecurity leaders must become risk communicators and strategists.
Why This Book Matters
Measuring and Managing Information Risk elevates cybersecurity from reactive defense to strategic business enabler. It empowers CISOs, risk officers, auditors, and IT leaders to speak the language of business—risk, cost, value—and make smarter, data-driven decisions.
It also provides a roadmap for shifting the culture of risk management from opaque and fear-driven to transparent, credible, and actionable.