
Custom fields and formulas to represent the FAIR model

Using Drata’s custom fields and formulas to represent the FAIR model in Risk Management

Updated this week

Purpose

This article shows customers who use our Risk Management module how to set up the FAIR model for risk management using our custom fields and formulas. Custom fields and formulas work with both our Risk Management Pro and Standard offerings. You will need admin access in Drata to complete the workflow outlined below.

The FAIR model

The FAIR model (Factor Analysis of Information Risk) is a standard framework for quantifying cybersecurity and operational risk in financial terms. It breaks risk into key components—loss event frequency and loss magnitude—to support informed, business-aligned decisions. FAIR helps organizations move from subjective risk ratings to data-driven analysis. Learn more from the FAIR Institute: https://www.fairinstitute.org

Set up the FAIR model in Drata

Every field and calculation used in the FAIR model will be set up in Drata as either a custom field or a custom formula. First, you’ll start by creating your fields, and then you will use those fields to build your formulas. If you are new to custom fields, check out this article.

Create FAIR fields

Create a new custom field, and structure it in the following way:

FAIR 1

Field Title

FAIR 1: How often have you experienced security incidents related to these assets in the past year? Answer: Events / Year

Field Description

None (0 events/year)
Rarely (0.5 events/year)
Occasionally (1.5 events/year)
Frequently (4 events/year)
Very frequently (6+ events/year)

Field Type

Drop down (numbers)

Drop-down Options

  • 0

  • 0.5

  • 1.5

  • 4

  • 6

Placement

Location = Risks, Section = Assessment

By the time you have completed this custom field, it will look like the image below. It’s up to you if you want to make these fields required in order to edit a risk.

Below are the remaining FAIR fields needed, and which Drata field to use when setting them up as custom fields.

FAIR 2

Field name

FAIR 2: Based on industry reports, how common are these types of threat events in your sector? (Rare 0.5 - Extremely Common 1.5)

Field description

Very rare (0.5 factor)
Uncommon (0.75 factor)
Common (1.0 factor)
Very common (1.25 factor)
Extremely common (1.5 factor)

Field type

Drop down (numbers)

Drop-down options

  • 0.5

  • 0.75

  • 1.0

  • 1.25

  • 1.5

Placement

Location = Risks, Section = Assessment

FAIR 3

Field name

FAIR 3: What percentage of attempted attacks are typically successful? Enter the % of the attacks based on historical data.

Field description

Enter the percentage of the attacks based on historical data.

Field type

Number

Placement

Location = Risks, Section = Assessment

FAIR 4

Field name

FAIR 4: What are the MINIMUM direct costs ($) associated with a typical security incident (system repairs, data recovery, downtime)?

Field description

(optional)

Field type

Currency

Placement

Location = Risks, Section = Assessment

FAIR 5

Field name

FAIR 5: What are the MAXIMUM direct costs ($) associated with a typical security incident (system repairs, data recovery, downtime)?

Field description

(optional)

Field type

Currency

Placement

Location = Risks, Section = Assessment

FAIR 6

Field name

FAIR 6: Estimate the potential indirect MINIMUM costs ($) from a security incident (legal fees, fines, reputational damage).

Field description

(optional)

Field type

Currency

Placement

Location = Risks, Section = Assessment

FAIR 7

Field name

FAIR 7: Estimate the potential indirect MAXIMUM costs ($) from a security incident (legal fees, fines, reputational damage).

Field description

(optional)

Field type

Currency

Placement

Location = Risks, Section = Assessment

FAIR 8

Field name

FAIR 8: How likely are you to face severe consequences such as regulatory fines or significant reputational damage due to these incidents? (Very Unlikely 0.1 - Very Likely 1.0)

Field description

Very unlikely (factor = 0.1)
Unlikely (factor = 0.25)
Possible (factor = 0.5)
Likely (factor = 0.75)
Very likely (factor = 1.0)

Field type

Drop down (numbers)

Drop-down options

  • 0.1

  • 0.25

  • 0.5

  • 0.75

  • 1.0

Placement

Location = Risks, Section = Assessment

Create FAIR formulas

Next, you’ll create custom formulas to represent the FAIR model. Here’s what each of them will look like in Drata once you’re done:

Loss event frequency (LEF)

Loss event frequency (LEF): (FAIR 1 * FAIR 2 * FAIR 3) / 100

Formula name

Loss event frequency (LEF)

Formula description

(optional)

Placement

Location = Risks, Section = Assessment

Formula

(FAIR 1 * FAIR 2 * FAIR 3) / 100

Primary Loss Magnitude (PLM)

Primary Loss Magnitude (PLM): (FAIR 4 + FAIR 5) / 2

Formula name

Primary Loss Magnitude (PLM)

Formula description

(optional)

Placement

Location = Risks, Section = Assessment

Formula

(FAIR 4 + FAIR 5) / 2

Secondary Loss Magnitude (SLM)

Secondary Loss Magnitude (SLM): (FAIR 6 + FAIR 7) / 2 * FAIR 8

Formula name

Secondary Loss Magnitude (SLM)

Formula description

(optional)

Placement

Location = Risks, Section = Assessment

Formula

(FAIR 6 + FAIR 7) / 2 * FAIR 8

Annual Loss Expectancy (ALE)

Annual Loss Expectancy (ALE): LEF * (PLM + SLM)

Formula name

Annual Loss Expectancy (ALE)

Formula description

(optional)

Placement

Location = Risks, Section = Assessment

Formula

LEF * (PLM + SLM)
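
To cross-check the values Drata calculates, the four formulas above can be reproduced outside the product. The following is an added example, not Drata code: the names FairInputs, fair_scores and SAMPLE are hypothetical, the sample risk is constructed, and the input checks (drop-down membership, minimum not above maximum) are assumptions about what a reviewer would want to catch before trusting the result.

```python
from dataclasses import dataclass

# Allowed drop-down values, copied from the field definitions on this page.
FAIR1_OPTIONS = (0, 0.5, 1.5, 4, 6)
FAIR2_OPTIONS = (0.5, 0.75, 1.0, 1.25, 1.5)
FAIR8_OPTIONS = (0.1, 0.25, 0.5, 0.75, 1.0)


@dataclass(frozen=True)
class FairInputs:
    fair1: float  # incidents per year (drop-down)
    fair2: float  # sector prevalence factor (drop-down)
    fair3: float  # % of attacks that succeed, entered as 0-100, not 0-1
    fair4: float  # minimum direct cost ($)
    fair5: float  # maximum direct cost ($)
    fair6: float  # minimum indirect cost ($)
    fair7: float  # maximum indirect cost ($)
    fair8: float  # likelihood of severe consequences (drop-down)

    def validate(self):
        """Return a list of input problems that would skew the formulas."""
        problems = []
        for name, value, allowed in (("FAIR 1", self.fair1, FAIR1_OPTIONS),
                                     ("FAIR 2", self.fair2, FAIR2_OPTIONS),
                                     ("FAIR 8", self.fair8, FAIR8_OPTIONS)):
            if value not in allowed:
                problems.append(f"{name}: {value} is not a drop-down option")
        if not 0 <= self.fair3 <= 100:
            problems.append("FAIR 3: expected a percentage between 0 and 100")
        if self.fair4 > self.fair5:
            problems.append("FAIR 4 (minimum) exceeds FAIR 5 (maximum)")
        if self.fair6 > self.fair7:
            problems.append("FAIR 6 (minimum) exceeds FAIR 7 (maximum)")
        return problems


def fair_scores(x):
    """Apply the four formulas exactly as written in this article."""
    problems = x.validate()
    if problems:
        raise ValueError("; ".join(problems))
    lef = (x.fair1 * x.fair2 * x.fair3) / 100
    plm = (x.fair4 + x.fair5) / 2
    slm = (x.fair6 + x.fair7) / 2 * x.fair8
    return {"LEF": lef, "PLM": plm, "SLM": slm, "ALE": lef * (plm + slm)}


# Constructed sample risk, not data from the article.
SAMPLE = FairInputs(1.5, 1.0, 20, 10_000, 50_000, 20_000, 100_000, 0.5)
```

For the sample risk, fair_scores(SAMPLE) gives LEF 0.3, PLM 30,000, SLM 30,000 and ALE 18,000. Because the LEF formula divides by 100, entering FAIR 3 as a fraction (0.2 instead of 20) passes the range check but understates ALE by a factor of 100.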
