Glossary category

Risk Management

Quantitative risk vocabulary in plain language. FAIR, Open FAIR, ALE, TEF, LEF, Monte Carlo simulation, risk assessments, and risk registers.

Risk management is the part of compliance work where most teams get stuck. The vocabulary comes from finance and statistics rather than from IT, and the standards refer to concepts without defining them. Risk assessment is the activity; the risk register is the artefact it produces. FAIR is the methodology, and Open FAIR the open standard, for quantifying risk in financial terms rather than as red, amber, and green ratings. ALE, TEF, and LEF are the building blocks of a FAIR estimate. Monte Carlo simulation is how those estimates turn into ranges rather than single numbers. Together these terms give risk a shared language across business and technical teams.

Terms in this category (12 entries).

  • Annual Loss Expectancy

    The expected annual cost of a risk scenario in financial terms, calculated as Loss Event Frequency multiplied by Loss Magnitude, expressed as a probability distribution rather than a point estimate.

  • FAIR

    Quantitative risk-analysis methodology that expresses cyber risk as financial loss exposure rather than ordinal severity scores, by decomposing it into loss event frequency and loss magnitude.

  • Loss Event Frequency

    The expected number of times per year that a threat actor's action will succeed and produce a loss, calculated as Threat Event Frequency multiplied by Vulnerability (the probability of success).

  • Monte Carlo Simulation

    Computational technique that samples input variables from their probability distributions and aggregates the outcomes, producing a distribution of plausible results rather than a point estimate.

  • Open FAIR

    Open standard governed by The Open Group that codifies the FAIR risk-quantification methodology as a reference taxonomy. The Open FAIR Body of Knowledge is the canonical specification.

  • Risk Appetite

    Board-level statement of how much risk the organisation is prepared to accept in pursuit of its objectives, expressed quantitatively enough to guide trade-offs against control investment.

  • Risk Assessment

    The structured process of identifying threats, estimating likelihood and impact, and producing a defensible record of which risks the organisation accepts, treats, or transfers.

  • Risk Register

    The single source of truth recording every identified risk, its assessment, the control treatment chosen, the owner, and the review date.

  • Risk Scenario

    Specific, named description of how a threat could cause loss to the organisation, written precisely enough to drive quantitative estimation of frequency and magnitude.

  • Threat

    Anything with the potential to cause loss to an asset by exploiting a vulnerability, characterised by the actor's motivation, capability, and frequency of attempted action.

  • Threat Event Frequency

    The expected number of times per year that a threat actor will attempt the action that could lead to a loss event, before any consideration of whether the attempt succeeds.

  • Vulnerability

    A weakness in an asset, control, or process that a threat could exploit to cause loss. In FAIR, the probability that a threat event becomes a loss event when an attempt is made.