According to IBM's Cost of a Data Breach 2024 report, the global average cost of a data breach reached US$ 4.88 million, a 10% rise over the previous year and the highest figure ever recorded. Faced with numbers of this magnitude, treating cyber risk with generic labels of "high" or "medium" is no longer enough: senior leadership demands to know how much, in currency, the company can lose — and how much it is worth investing to avoid it. This is exactly the bridge between technology and finance that ISO 31000 and the FAIR methodology build.

Why move from qualitative to quantitative management

Most organizations still manage risk qualitatively: experts rate each scenario on ordinal scales — low, medium, high, or scores from 1 to 5 — combining "probability" and "impact" in a color matrix. The method is fast, cheap and useful for broad triage. Its limits, however, are serious: the scales are subjective, they do not add up (you cannot aggregate "three high risks" into one number), and two assessors may reach opposite results for the same scenario.

Quantitative management expresses risk in terms the board understands: expected annual loss in currency and percentage probability of the event occurring in the period. Instead of colors, it produces a distribution of possible losses. This makes it possible to compare risks against one another, prioritize by the financial value at stake, justify the security budget by return on investment, and answer precisely the question every CFO asks: "what is our exposure?".

It is not about abandoning the qualitative approach, but about combining the two: qualitative triage to sweep the universe of risks and rigorous quantification for the few material risks that actually drive capital decisions.

ISO 31000:2018 — the umbrella standard

ISO 31000:2018 is the international reference for managing risks of any nature — strategic, financial, operational, security. It is deliberately method-agnostic: it does not dictate formulas, but establishes the foundation on which any technique (including FAIR) operates. The standard is organized into three blocks.

Principles

The central purpose is the creation and protection of value. The principles state that risk management should be integrated into the organization's activities, structured and comprehensive, customized to the context, inclusive (involving stakeholders), dynamic, based on the best available information, attentive to human and cultural factors, and subject to continual improvement.

Framework

The framework ensures that risk management is sustained by leadership. It rests on leadership and commitment from senior management and develops through a cycle of integration, design, implementation, evaluation and improvement. Without executive sponsorship, the process becomes paper on a shelf.

Process

The operational process is where risk is actually managed, in chained and continuous stages:

  • Communication and consultation with stakeholders throughout the entire cycle.
  • Defining scope, context and criteria — including risk appetite and tolerance.
  • Risk assessment, subdivided into identification, analysis and evaluation (comparison against the criteria).
  • Risk treatment — selecting and implementing the responses.
  • Monitoring and review and recording and reporting.

The FAIR methodology — putting numbers on risk

FAIR (Factor Analysis of Information Risk) is the open standard maintained by the FAIR Institute and formalized by the Open Group as Open FAIR. It is the quantitative engine that fills the gap left by ISO 31000: how to turn uncertainty into a defensible range of financial loss.

FAIR defines Risk as the probable loss over a time interval and breaks it down into two main levers:

LEF — Loss Event Frequency
How many times per year the loss event is expected to occur. It derives from threat event frequency (how often the agent acts) and vulnerability (the probability of the attack succeeding, a function of the threat's capability versus the strength of the controls).
LM — Loss Magnitude
How much is lost per event. It divides into primary loss and secondary loss.

Primary loss falls directly on the organization and tends to be more predictable: incident response costs, staff hours, asset replacement, downtime and lost productivity. Secondary loss arises from the reaction of third parties (customers, regulators, media, courts) and is usually larger and more volatile: regulatory fines — including under the LGPD —, damages, customer loss, revenue decline and reputational damage.

Each factor is not a single number, but a distribution estimated by calibrated experts as a range: minimum, most likely and maximum value. The model then runs Monte Carlo simulations — thousands of iterations drawing values within the ranges — to produce the expected annualized loss and its percentiles (for example, P50 and P90). The result is not false precision, but an honest range: "there is a 90% chance that the annual loss from ransomware will stay below R$ 6.2 million, with a most likely value of R$ 1.8 million".

How to quantify: from scenario to annual figure

Quantifying a scenario with FAIR follows a practical sequence. Take the scenario "ransomware encrypts the main data center":

  1. Estimate the LEF: based on your own telemetry, industry benchmarks and peer history, define the range of events per year (e.g., minimum 0.1; most likely 0.3; maximum 0.8 event/year).
  2. Estimate the primary loss: incident response, recovery, downtime (e.g., R$ 400,000 to R$ 2 million per event).
  3. Estimate the secondary loss: fines, customer churn, reputation, weighted by the probability that the secondary loss materializes (e.g., 40% chance, R$ 1 to R$ 8 million).
  4. Run the Monte Carlo combining the distributions and read the expected annualized loss and the percentiles.
  5. Compare the result against the risk appetite approved by leadership.

The same number lets you evaluate controls: if a program of immutable backups and segmentation costs R$ 600,000/year and reduces the expected loss from R$ 2.1 million to R$ 700,000, the treatment generates R$ 1.4 million in reduction — a clearly positive security ROI.

Risk matrix and exposure levels

Even in quantitative programs, the risk matrix (probability × impact) remains useful for visual communication and for initial triage. The mature differentiator is anchoring the axes in quantitative values, not in adjectives. The table below illustrates exposure levels calibrated in expected annual loss and the expected action according to the defined appetite.

LevelExpected annual loss (range)Relation to appetiteRecommended action
CriticalAbove R$ 5 millionExceeds the appetiteImmediate treatment; report to the board
HighR$ 1 mi to R$ 5 millionAt the limit of the appetitePrioritized treatment plan
MediumR$ 200,000 to R$ 1 millionWithin toleranceMitigate when cost-benefit is favorable
LowBelow R$ 200,000Within the appetiteAccept and monitor

Risk appetite and tolerance

Risk appetite is the amount of risk the organization is willing to retain in pursuit of its objectives — a strategic statement approved by senior leadership. In a quantitative approach, it takes numerical form: "we accept up to R$ 3 million in aggregate expected annual loss for cyber risk". Risk tolerance is the acceptable deviation around that appetite, usually expressed per objective or asset (e.g., payment system downtime cannot exceed two hours per year).

Setting these limits starts from the financial capacity to absorb losses, the regulatory context and the business strategy. Once fixed, they turn the "accept or treat" decision into an objective comparison between each scenario's estimated annualized loss and the tolerated limit.

Risk treatment: the four responses

Once the risk is identified and quantified, ISO 31000 and ISO 27005 offer four treatment strategies:

  • Mitigate (reduce): implement controls that decrease the frequency or magnitude — multi-factor authentication, network segmentation, EDR, immutable backups, vulnerability management.
  • Transfer (share): shift part of the financial impact to third parties, via cyber insurance or contractual clauses with suppliers.
  • Accept (retain): consciously assume the risk when it is within the appetite and the cost of treating it outweighs the benefit — always formalized and approved by the risk owner.
  • Avoid: eliminate the source of the risk, discontinuing the activity, system or data that gives rise to it.

The rational choice compares the cost of treatment with the reduction in expected loss it produces — a calculation that only FAIR quantification makes possible.

It is important to formally record the residual risk: the exposure that remains after treatment. No control brings risk to zero, and leadership must explicitly accept the residue, closing the accountability loop. This record also feeds the next round of assessment, in which new threats and changes in the environment are incorporated.

Common mistakes that undermine a risk program

Even organizations that adopt the right standards stumble into predictable traps. The most frequent:

  • Confusing risk assessment with compliance assessment. Ticking a checklist of controls does not tell you how much the company can lose; compliance is a means, not an end.
  • Treating the color matrix as the final result. Without financial anchoring, the matrix becomes risk theater — pretty, but unable to guide where to invest.
  • Waiting for perfect data to start. FAIR operates with calibrated estimates; the program should be born imperfect and improve with each cycle, not wait for the ideal scenario.
  • Not connecting risk to appetite. Quantifying without comparing against an approved limit leaves the decision to treat or accept without an objective reference.
  • Lack of executive sponsorship. Without leadership and commitment — an explicit requirement of ISO 31000 — the process does not influence real budget decisions.

Integration with ISO 27005 and NIST RMF

These references do not compete; they fit together in layers. ISO 31000 is the umbrella governance. ISO 27005 specializes the process for information security, connecting it to the Information Security Management System of ISO 27001. In the NIST universe, SP 800-37 (Risk Management Framework) defines the cycle of categorize, select, implement, assess, authorize and monitor controls, while SP 800-30 guides the conduct of risk assessments. FAIR runs across all of them as the quantification engine.

ReferenceRoleFocusNature
ISO 31000:2018Umbrella governanceEnterprise risk (any type)Principles and process, method-agnostic
ISO 27005Information security processInformation security riskQualitative or quantitative
NIST SP 800-37 / 800-30Framework and assessment guideSystems and information riskStructured, control-oriented
FAIR / Open FAIRQuantitative engineRisk in financial valueQuantitative (Monte Carlo)
The mature combination is straightforward: ISO 31000 provides the governance, ISO 27005 or NIST RMF provide the security process, and FAIR supplies the numbers that support the executive decision.

How Decripte puts this into practice

Turning standards and formulas into a risk program the board trusts requires method, data and tools — and few companies have an internal team to sustain this cycle continuously. Decripte runs this work end to end for organizations of any size, from a single employee to operations with more than 100,000 people: we structure risk governance in line with ISO 31000, conduct the assessment aligned with ISO 27005 and NIST, and quantify your critical scenarios in currency with FAIR, delivering an exposure view that speaks to the board in the language of business. From the residual risk, we prioritize treatment with measurable security ROI and monitor continuously.

Want to know, in numbers, what your company's cyber exposure is? Get a free diagnostic and start for free through our intelligence center, or explore our plans for continuous risk and security management — from micro-business to enterprise.