Risk management is the part of compliance work where most teams get stuck. The vocabulary comes from finance and statistics rather than from IT, and the standards refer to concepts without defining them. Risk assessment is the activity; the risk register is the artefact it produces. FAIR and Open FAIR are the methodology and the open standard for quantifying risk in financial terms rather than red, amber, and green. ALE, TEF, and LEF are the building blocks of a FAIR estimate. Monte Carlo simulation is how those estimates turn into ranges. Together these terms give risk a shared language across business and technical teams.
Glossary category
Risk Management
Quantitative risk vocabulary in plain language. FAIR, Open FAIR, ALE, TEF, LEF, Monte Carlo simulation, risk assessments, and risk registers.
Terms in this category.
16 entries.
Annual Loss Expectancy
The expected annual cost of a risk scenario in financial terms, calculated as Loss Event Frequency multiplied by Loss Magnitude, expressed as a probability distribution rather than a point estimate.
FAIR
Quantitative risk-analysis methodology that expresses cyber risk as financial loss exposure rather than ordinal severity scores, by decomposing it into loss event frequency and loss magnitude.
FAIR-CAM
The FAIR Institute extension that maps control strength and coverage to measurable reductions in loss event frequency, translating control investment decisions into annual loss expectancy changes.
Governance Theatre
The pattern of treating compliance as a documentation exercise rather than a risk-reduction programme, producing audit-ready artefacts while leaving the underlying security exposure unchanged.
Loss Event Frequency
The expected number of times per year that a threat actor's action will succeed and produce a loss, calculated as Threat Event Frequency multiplied by Vulnerability (the probability of success).
Monte Carlo Simulation
Computational technique that samples input variables from their probability distributions and aggregates the outcomes, producing a distribution of plausible results rather than a point estimate.
Open FAIR
Open standard governed by The Open Group that codifies the FAIR risk-quantification methodology as a reference taxonomy. The Open FAIR Body of Knowledge is the canonical specification.
Risk Appetite
Board-level statement of how much risk the organisation is prepared to accept in pursuit of its objectives, expressed quantitatively enough to guide trade-offs against control investment.
Risk Assessment
The structured process of identifying threats, estimating likelihood and impact, and producing a defensible record of which risks the organisation accepts, treats, or transfers.
Risk Quantification
The practice of expressing cyber risk as expected annual loss in monetary terms rather than ordinal labels, enabling direct comparison between risk exposure, control investment, and insurance.
Risk Register
The single source of truth recording every identified risk, its assessment, the control treatment chosen, the owner, and the review date.
Risk Scenario
Specific, named description of how a threat could cause loss to the organisation, written precisely enough to drive quantitative estimation of frequency and magnitude.
Threat
Anything with the potential to cause loss to an asset by exploiting a vulnerability, characterised by the actor's motivation, capability, and frequency of attempted action.
Threat Event Frequency
The expected number of times per year that a threat actor will attempt the action that could lead to a loss event, before any consideration of whether the attempt succeeds.
Threat Landscape
The evolving picture of active threat actors, attack techniques, and sector-specific conditions that organisations should factor into risk assessments rather than using generic or historical profiles.
Vulnerability
A weakness in an asset, control, or process that a threat could exploit to cause loss. In FAIR, the probability that a threat event becomes a loss event when an attempt is made.