By Zach Cossairt

Last weekend’s severe storms provided a powerful, real-world illustration of how risk actually works.

Both New York City and Dallas faced intense weather systems. In FAIR terms, both cities experienced a high Threat Event Frequency (TEF): the probable frequency with which a threat agent (in this case, a threat of nature) acts in a way that could cause harm. The storms were forecast, expected, and unavoidable.

Yet the outcomes were dramatically different.

Zach Cossairt is SAFE’s Senior Director of Product Management and a longtime FAIR practitioner and leader of quantitative cyber risk management programs at Equinix, US Department of Defense and other organizations.

New York City absorbed the impact. Dallas, by contrast, experienced widespread outages, operational disruption, and significant loss. This divergence wasn’t about prediction. It was about Susceptibility: the probability that a threat event becomes a loss event.

Same Threat Event Frequency (TEF), Different Susceptibility

Under the FAIR Model, Loss Event Frequency (LEF) is driven by two factors: TEF and Susceptibility. When TEF is high, as it was for both cities, the determining factor becomes Susceptibility: whether existing controls are sufficient to resist the threat agent’s capability.

New York City has invested heavily in resistance strength, such as hardening infrastructure and introducing redundancy. Redundancy is usually treated as a loss-impact control, but here it acts to prevent the threat action from resulting in harm at all. These controls reduced Susceptibility by lowering the probability that storm activity would result in material loss.

Dallas faced the same storm conditions, but with higher Susceptibility. Less effective resistive controls meant that the threat agent’s capability exceeded the city’s resistance strength more frequently. As a result, a greater proportion of threat events became loss events, increasing Loss Event Frequency and driving real, realized impact.

This distinction is fundamental to FAIR: risk is not defined by how often threats occur, but by how often they result in loss.

Translating the Analogy to Cyber Risk

Cybersecurity leaders often focus on identifying threats: ransomware actors, phishing campaigns, supply chain exploits. But FAIR makes clear that threats alone do not equal risk.

In FAIR terms:

  • Threat Event Frequency reflects how often threat agents are estimated to act against an asset over a given timeframe, typically one year.
  • Susceptibility reflects the probability that those actions result in harm, based on the relationship between Threat Capability and Resistance Strength.
  • Loss Event Frequency emerges from the interaction of those two factors.
  • Loss Magnitude represents the probable financial impact when loss occurs, including both primary and secondary losses.
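As an added example (not code from this post or from SAFE), the decomposition in the list above and in the previous section can be carried through numerically with a small Monte Carlo simulation. Every input below is a constructed, hypothetical estimate: both scenarios share the same TEF, Threat Capability and Loss Magnitude ranges and differ only in Resistance Strength, so any gap in Loss Event Frequency and annualized loss between them is attributable to Susceptibility alone.

```python
"""FAIR-style Monte Carlo: Loss Event Frequency from TEF and Susceptibility,
then Annualized Loss Exposure from Loss Magnitude (primary + secondary).
All numbers are constructed for illustration, not measured data."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes its arguments in the order (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate                  # threat events per year
    threat_capability: Estimate    # percentile rank, 0-100
    resistance_strength: Estimate  # percentile rank, 0-100
    primary_loss: Estimate         # dollars per loss event (response, repair, lost productivity)
    secondary_loss: Estimate       # dollars per loss event (fines, churn, reputation)


def estimate_susceptibility(tcap: Estimate, rs: Estimate, n: int = 20_000, seed: int = 0) -> float:
    """Susceptibility = P(Threat Capability > Resistance Strength), estimated by sampling."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(n) if tcap.sample(rng) > rs.sample(rng))
    return hits / n


def simulate(s: Scenario, years: int = 5_000, seed: int = 0) -> dict:
    """Simulate independent years. A threat event becomes a loss event only when
    the sampled threat capability exceeds the sampled resistance strength."""
    rng = random.Random(seed)
    tef_obs, lef_obs, ale_obs = [], [], []
    for _ in range(years):
        threat_events = round(s.tef.sample(rng))  # draw the year's rate, round to a count
        loss_events = 0
        annual_loss = 0.0
        for _ in range(threat_events):
            if s.threat_capability.sample(rng) > s.resistance_strength.sample(rng):
                loss_events += 1
                annual_loss += s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
        tef_obs.append(threat_events)
        lef_obs.append(loss_events)
        ale_obs.append(annual_loss)
    total_tef = sum(tef_obs)
    ale_sorted = sorted(ale_obs)
    return {
        "name": s.name,
        "mean_tef": statistics.mean(tef_obs),
        "susceptibility": sum(lef_obs) / total_tef if total_tef else 0.0,
        "mean_lef": statistics.mean(lef_obs),
        "mean_ale": statistics.mean(ale_obs),
        "p90_ale": ale_sorted[int(0.9 * years)],
    }


# Constructed inputs: identical storm (TEF, threat capability, loss magnitude);
# the two scenarios differ only in resistance strength, as in the NYC / Dallas contrast.
STORM_TEF = Estimate(6, 12, 20)
STORM_TCAP = Estimate(40, 60, 80)
PRIMARY = Estimate(50_000, 250_000, 1_000_000)
SECONDARY = Estimate(0, 100_000, 2_000_000)

NYC = Scenario("NYC (hardened)", STORM_TEF, STORM_TCAP, Estimate(70, 85, 95), PRIMARY, SECONDARY)
DALLAS = Scenario("Dallas (exposed)", STORM_TEF, STORM_TCAP, Estimate(30, 45, 60), PRIMARY, SECONDARY)

if __name__ == "__main__":
    for city in (NYC, DALLAS):
        r = simulate(city)
        print(f"{r['name']:<18} TEF={r['mean_tef']:5.1f}/yr  Susc={r['susceptibility']:.2f}  "
              f"LEF={r['mean_lef']:5.1f}/yr  ALE mean=${r['mean_ale']:,.0f}  p90=${r['p90_ale']:,.0f}")
```

Running it prints near-identical TEF for both cities and a Susceptibility of a few percent for the hardened scenario against well over half for the exposed one; the mean and 90th-percentile annualized loss move with it. Swapping in a different Resistance Strength range is the simulated equivalent of a control investment, which is exactly the comparison the section below describes.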

Cyber threats, like storms, are inevitable. Organizations cannot meaningfully control TEF. What they can control is Susceptibility: by strengthening controls, improving detection and response, and reducing the likelihood that threat activity results in loss.

Organizations that fail to manage Susceptibility experience the cyber equivalent of Dallas: frequent threat activity that translates into outages, regulatory fallout, reputational damage, and measurable financial loss. Those that manage it effectively resemble New York City: exposed to the same threats, but far less likely to suffer material impact.

From FAIR Theory to Operational Decisions with SAFE

FAIR provides the structure and rigor to decompose risk into its causal components. SAFE operationalizes that structure, enabling organizations to apply FAIR consistently and at scale.

SAFE allows teams to:

  • Quantify Loss Event Frequency by explicitly modeling Threat Event Frequency and Susceptibility.
  • Evaluate how changes in Resistance Strength alter the probability of loss.
  • Estimate Loss Magnitude in financial terms, including primary and secondary losses.
  • Compare scenarios to understand how different control investments reduce residual risk.
  • Communicate risk in terms executives and boards can act on: probable loss, not abstract scores.

In the storm analogy, SAFE is the decision support capability that shows, in concrete terms, how investments in resilience reduce expected loss before the storm arrives.

Risk Management Is About Changing Outcomes

The lesson from NYC and Dallas is not about better forecasting. Both cities knew the storm was coming.

FAIR reminds us that risk is the probable frequency and probable magnitude of future loss, not the presence of threats. Managing risk means reducing the likelihood that threats result in loss and limiting the magnitude when they do.

SAFE, built on the FAIR standard, helps organizations do exactly that, shifting the conversation from fear and uncertainty to measurable preparedness and decision-making.

Because the next storm, natural or cyber, is inevitable.
What matters is whether your organization has reduced its Susceptibility before it hits.
