Custom fields and formulas to represent the FAIR model

Using Drata’s custom fields and formulas to represent the FAIR model in Risk Management

Updated over a week ago

Purpose

This article explains how to configure the FAIR model in Drata’s Risk Management module using custom fields and custom formulas.

Custom fields and formulas are available in both:

  • Risk Management Standard

  • Risk Management Pro

To complete this setup, you must have Admin permissions in Drata.

What is the FAIR model?

The FAIR model (Factor Analysis of Information Risk) is a widely adopted framework for quantifying cybersecurity and operational risk in financial terms.

FAIR breaks risk into two major components:

  • Loss Event Frequency (LEF)

  • Loss Magnitude (Primary + Secondary)

This helps organizations move from subjective risk scoring to data-driven, business-aligned decision making.

Learn more from the FAIR Institute: https://www.fairinstitute.org

Set up the FAIR model in Drata

In Drata, each FAIR input is represented as either:

  • a Custom Field, or

  • a Custom Formula

You will first create the FAIR fields, then use them to build formulas. If you’re new to Custom Fields, refer to: Custom Fields Overview.

Step 1: Create FAIR custom fields

Go to your Settings page to create a custom field. Each FAIR field should be created under:

  • Location: Risks

  • Section: Assessment

Create a new custom field, and structure it in the following way:

FAIR 1

Field name

FAIR 1: How often have you experienced security incidents related to these assets in the past year? Answer: Events / Year

Field description

None (0 events/year)
Rarely (0.5 events/year)
Occasionally (1.5 events/year)
Frequently (4 events/year)
Very frequently (6+ events/year)

Field type

Drop down (numbers)

Drop-down options

  • 0

  • 0.5

  • 1.5

  • 4

  • 6

Placement

Location = Risks, Section = Assessment

It’s up to you if you want to make these fields required in order to edit a risk.

Additional FAIR fields

Create the remaining FAIR fields using the following configurations:


FAIR 2

Field name

FAIR 2: Based on industry reports, how common are these types of threat events in your sector? (Rare 0.5 - Extremely Common 1.5)

Field description

Very rare (0.5 factor)
Uncommon (0.75 factor)
Common (1.0 factor)
Very common (1.25 factor)
Extremely common (1.5 factor)

Field type

Drop down (numbers)

Drop-down options

  • 0.5

  • 0.75

  • 1.0

  • 1.25

  • 1.5


FAIR 3

Field name

FAIR 3: What percentage of attempted attacks are typically successful? Enter the % of the attacks based on historical data.

Field description

Enter the percentage of the attacks based on historical data.

Field type

Number


FAIR 4

Field name

FAIR 4: What are the MINIMUM direct costs ($) associated with a typical security incident (system repairs, data recovery, downtime)?

Field description

(optional)

Field type

Currency


FAIR 5

Field name

FAIR 5: What are the MAXIMUM direct costs ($) associated with a typical security incident (system repairs, data recovery, downtime)?

Field description

(optional)

Field type

Currency


FAIR 6

Field name

FAIR 6: Estimate the potential indirect MINIMUM costs ($) from a security incident (legal fees, fines, reputational damage).

Field description

(optional)

Field type

Currency


FAIR 7

Field name

FAIR 7: Estimate the potential indirect MAXIMUM costs ($) from a security incident (legal fees, fines, reputational damage).

Field description

(optional)

Field type

Currency


FAIR 8

Field name

FAIR 8: How likely are you to face severe consequences such as regulatory fines or significant reputational damage due to these incidents? (Very Unlikely 0.1 - Very Likely 1.0)

Field description

Very unlikely (factor = 0.1)
Unlikely (factor = 0.25)
Possible (factor = 0.5)
Likely (factor = 0.75)
Very likely (factor = 1.0)

Field type

Drop down (numbers)

Drop-down options

  • 0.1

  • 0.25

  • 0.5

  • 0.75

  • 1.0


Create FAIR formulas

Next, you’ll create custom formulas to represent the FAIR model.

All formulas should also be placed under:

  • Location: Risks

  • Section: Assessment

Here’s what each of them will look like in Drata once you’re done:

Loss event frequency (LEF)

Loss event frequency (LEF): (FAIR 1 * FAIR 2 * FAIR 3) / 100

Formula name

Loss event frequency (LEF)

Formula description

(optional)

Formula

(FAIR 1 * FAIR 2 * FAIR 3) / 100

Primary Loss Magnitude (PLM)

Primary Loss Magnitude (PLM): (FAIR 4 + FAIR 5) / 2

Formula name

Primary Loss Magnitude (PLM)

Formula description

(optional)

Formula

(FAIR 4 + FAIR 5) / 2

Secondary Loss Magnitude (SLM)

Secondary Loss Magnitude (SLM): (FAIR 6 + FAIR 7) / 2 * FAIR 8

Formula name

Secondary Loss Magnitude (SLM)

Formula description

(optional)

Formula

(FAIR 6 + FAIR 7) / 2 * FAIR 8

Annual Loss Expectancy (ALE)

Annual Loss Expectancy (ALE): LEF * (PLM + SLM)

Formula name

Annual Loss Expectancy (ALE)

Formula description

(optional)

Formula

LEF * (PLM + SLM)
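The four formulas above, carried through on a constructed set of FAIR field values so you can sanity-check what Drata will display. This is an added example, not Drata's own code: it reproduces the article's formulas exactly and adds two checks the article does not perform (that drop-down values are one of the configured options, and that each MINIMUM cost does not exceed its MAXIMUM).

```python
from dataclasses import dataclass

# Drop-down options exactly as configured in Step 1 of this article.
FAIR1_OPTIONS = (0, 0.5, 1.5, 4, 6)          # incidents experienced per year
FAIR2_OPTIONS = (0.5, 0.75, 1.0, 1.25, 1.5)  # sector prevalence factor
FAIR8_OPTIONS = (0.1, 0.25, 0.5, 0.75, 1.0)  # severe-consequence likelihood


@dataclass
class FairInputs:
    fair1: float  # events / year (drop-down)
    fair2: float  # sector prevalence factor (drop-down)
    fair3: float  # % of attempted attacks that succeed (Number, 0-100)
    fair4: float  # MINIMUM direct cost, $ (Currency)
    fair5: float  # MAXIMUM direct cost, $ (Currency)
    fair6: float  # MINIMUM indirect cost, $ (Currency)
    fair7: float  # MAXIMUM indirect cost, $ (Currency)
    fair8: float  # severe-consequence likelihood (drop-down)

    def validate(self) -> None:
        # Added checks: Drata's formula engine does not enforce these.
        if self.fair1 not in FAIR1_OPTIONS or self.fair2 not in FAIR2_OPTIONS \
                or self.fair8 not in FAIR8_OPTIONS:
            raise ValueError("FAIR 1, 2 and 8 must use the configured options")
        if not 0 <= self.fair3 <= 100:
            raise ValueError("FAIR 3 is a percentage, 0-100")
        if self.fair4 > self.fair5 or self.fair6 > self.fair7:
            raise ValueError("MINIMUM cost must not exceed MAXIMUM cost")


def loss_event_frequency(i: FairInputs) -> float:
    return (i.fair1 * i.fair2 * i.fair3) / 100          # LEF, events / year


def primary_loss_magnitude(i: FairInputs) -> float:
    return (i.fair4 + i.fair5) / 2                       # PLM, $ per event


def secondary_loss_magnitude(i: FairInputs) -> float:
    return (i.fair6 + i.fair7) / 2 * i.fair8             # SLM, $ per event


def annual_loss_expectancy(i: FairInputs) -> float:
    i.validate()
    lef, plm, slm = (loss_event_frequency(i), primary_loss_magnitude(i),
                     secondary_loss_magnitude(i))
    return lef * (plm + slm)                             # ALE, $ per year


# Constructed sample risk: ~1.5 incidents/yr, busier-than-average sector,
# 20% attack success, direct cost $10k-$50k, indirect $5k-$100k, fines unlikely.
SAMPLE = FairInputs(1.5, 1.25, 20, 10_000, 50_000, 5_000, 100_000, 0.25)
```

For the constructed sample this yields LEF 0.375, PLM 30,000, SLM 13,125 and an ALE of 16,171.88 per year; the same values should appear on the risk's Assessment section once the fields and formulas are saved.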