Understanding FAIR's Contact Frequency and why it matters for risk analysis

A clear look at why Contact Frequency best captures how often a robber enters a bank branch in FAIR risk terms. It compares Loss Event Frequency and Threat Event Frequency, showing how counting engagements sharpens risk estimates with a practical, easy-to-follow example and plain-language explanations about risk dynamics.

Let’s unpack a simple question with a big idea behind it: when a bank is at risk, which FAIR variable best captures how often a robber will step through the doors?

If you’ve hung out with FAIR (Factor Analysis of Information Risk) long enough, you know the framework loves to categorize risk into clear, measurable pieces. Four big players often show up in a scenario like this:

  • Loss Event Frequency (LEF)

  • Threat Event Frequency (TEF)

  • Contact Frequency (CF)

  • Probability of Action (PoA)

Sounds like a neat lineup, right? But not every variable fits every situation. The key is matching what you’re trying to quantify with the right kind of frequency or probability.

Let’s set the scene. A bank branch sits on a busy corner. A robber visits. Sometimes that visitor circles the building, sometimes they actually step inside, sometimes they exit without incident. The question is: which FAIR variable best represents the number of times the robber will enter the bank?

The quick answer: Contact Frequency.

Here’s the thing, though: it’s not just a buzzword. It’s about what the metric actually counts. Contact Frequency in FAIR is specifically about the number of times a threat actor engages in behaviors that could lead to a loss event. In our bank scenario, every entrance the robber makes is a direct interaction with the target. Each entry potentially changes the risk landscape. So CF maps nicely to “how many times will the robber enter?”—the exact question we’re asking.

Let me explain by separating the four terms and how they correlate to real-world actions:

  • Contact Frequency: This is about engagement. How often does the threat actor come into contact with the target in a way that could result in harm or loss? In our example, the robber’s entries into the bank are the meaningful engagements. Each entry is a potential turning point—more entries, higher chance of a loss event, all else equal.

  • Threat Event Frequency: Think of this as the expectation that a threat occurrence will happen at all, not necessarily tied to direct engagement. It’s the baseline “will this threat show up?” without insisting that any particular action follows. In practice, TEF might tell you how often a robbery attempt could be considered as a potential event, but it doesn’t pin down how often someone actually interacts with the bank once inside.

  • Loss Event Frequency: This is the bigger, outcome-focused measure. It answers the question, “How often does a loss actually occur?” It depends on many upstream factors—how often threats appear, how often they engage, and how effective defenses are. LEF is the downstream consequence, not the direct frequency of a particular action.

  • Probability of Action: This is the likelihood that, once a threat has occurred or a threat has engaged, the actor takes a specific action. It’s about what happens after the threat is present, not how often the threat acts in the first place.

In the bank robbery scenario, you can see the logic clearly. If you’re trying to measure “how often will a robber enter the bank,” you’re tracking interactions with the target. That’s CF territory. TEF would tell you how often a threat could occur in a given window, but it doesn’t zero in on actual visits. LEF would concern itself with how often a loss actually happens, which could be influenced by defenses, timing, or other factors. PoA would estimate the chance that a given entrance leads to a specific action (like passing a teller line or triggering a safe mechanism) after the threat is engaged.

Now, a little digression you might enjoy. Some folks picture risk like a conveyor belt: threat frequency flows in, threat actions roll along, and losses pop out at the end. FAIR doesn’t pretend there’s a single domino that tips every time. Instead, it maps the chain: who’s threatening, how often they engage, what happens next, and how likely it is that a loss occurs. In this chain, CF sits at an early, pivotal link—the moment where the threat actor actually interacts with the target. It’s honest about frequency in a way that’s directly actionable for risk management.

What does this look like in practice? Suppose you’re modeling with rough numbers to keep the math intuitive:

  • You estimate a steady stream of potential threats in a given period (TEF baseline).

  • You look at how often those threats actually cross into the bank’s space or interact with it (CF).

  • You consider what fraction of those interactions could lead to a loss if defenses fail (PoA combined with LEF downstream).

If the bank has robust physical security, CF might be moderate even when TEF is high. The robber might be likely to come near or look inside, but not many actual entries occur due to alarms, guards, or barriers. If the bank is poorly protected, CF climbs, and so does the chance of a loss unless defenses catch the act early.

To keep the concept crisp, here are a few practical contrasts you can remember:

  • CF is about engagement frequency. It answers, “How many times does the threat actor actually interact with the target in a meaningful way?”

  • TEF is about threat presence. It answers, “How often would a threat likely appear, even before any direct contact?”

  • LEF is about outcomes. It asks, “How often does a loss actually occur after everything plays out?”

  • PoA is about the action after contact. It asks, “If the threat has engaged, how likely is it that the actor takes the consequential step?”

A quick aside on misfits: if you’re studying a scenario where threats arrive, but don’t touch the target at all, TEF starts to look more relevant and CF looks less useful. If threats touch the target but defenses keep them from causing trouble, LEF might be kept low even with high TEF and CF. In other words, the right metric depends on where you’re trying to influence risk.

Back to our bank example, you may wonder: could CF ever mislead you? It can, if you confuse frequency of contact with severity. You could have many entrances but strong safeguards that prevent a loss. Or you could have few entrances but high-value assets that make each entry disproportionately risky. The skill is to pair CF with mitigation insights and other FAIR pieces to get a complete picture.

Let me connect this to a familiar mental model. Picture a concert venue with layered security: cameras, guards, controlled entry points, and panic buttons. When you count CF for a potential robber, you’re tallying how many times the person actually attempts to step inside or interacts with the entry control. If the security team tightens the doors and adds more guards, CF drops. Fewer entry attempts mean fewer opportunities for a loss event, all else equal. That’s the practical power of CF: it’s a lever you can influence with concrete controls.
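The two cases above (many entrances but strong safeguards, and tighter doors that lower CF) can be compared numerically. The following is an added example, not part of the original article: a small Monte Carlo simulation using the Open FAIR taxonomy's decomposition, in which TEF is derived from CF and PoA and LEF from TEF and Vulnerability. All estimate ranges are constructed, and a triangular distribution stands in for the PERT distribution FAIR tools typically use.

```python
import random
import statistics

# Constructed calibrated estimates as (low, most likely, high); not from the article.
BASELINE = {"cf": (6, 12, 24), "poa": (0.10, 0.25, 0.50), "vuln": (0.20, 0.40, 0.70)}
SCENARIOS = {
    "baseline": BASELINE,
    # Tighter doors and more guards: fewer entries, same behaviour once inside.
    "fewer_contacts": {**BASELINE, "cf": (2, 4, 9)},
    # Same number of entries, but safeguards stop most attempts from becoming losses.
    "strong_safeguards": {**BASELINE, "vuln": (0.01, 0.05, 0.12)},
}

def draw(rng, estimate):
    """Sample one value from a (low, most likely, high) estimate."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)

def simulate(scenario, trials=20_000, seed=7):
    """Monte Carlo over the chain TEF = CF * PoA, LEF = TEF * Vulnerability."""
    rng = random.Random(seed)
    cf, tef, lef = [], [], []
    for _ in range(trials):
        c = draw(rng, scenario["cf"])        # contacts (entries) per year
        t = c * draw(rng, scenario["poa"])   # threat events per year
        cf.append(c)
        tef.append(t)
        lef.append(t * draw(rng, scenario["vuln"]))  # loss events per year
    p90 = sorted(lef)[int(0.9 * trials)]
    return {"cf": statistics.fmean(cf), "tef": statistics.fmean(tef),
            "lef": statistics.fmean(lef), "lef_p90": p90}

def compare(scenarios=SCENARIOS):
    """Run every scenario with the same seed so only the changed input differs."""
    return {name: simulate(s) for name, s in scenarios.items()}

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:18s} CF={r['cf']:5.1f} TEF={r['tef']:5.2f} "
              f"LEF={r['lef']:5.2f} (90th pct {r['lef_p90']:.2f})")
```

Reading the three rows side by side shows that a high CF only predicts frequent losses when the downstream factors stay unchanged, and that cutting CF lowers LEF proportionally when they do.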

If you’re cataloging risk in a real scenario, you’ll often assemble a picture like this:

  • TEF tells you the baseline chance of a threat appearing.

  • CF reframes that into how often the threat interacts with your target.

  • PoA and LEF then refine the downstream consequences, factoring in defenses, response times, and recovery plans.

One more framing note that helps many learners: think of CF as a bridge between “threat presence” and “loss potential.” It’s the moment the threat meets the target. If the bridge is sturdy (guards, alarms, design choices), the number of crossings your risk model records might stay low, even if threats are frequent. If the bridge is weak, every crossing could carry real peril.

In terms of practical guidance, here are a few takeaways you can apply without turning risk analysis into a black box:

  • When you have a scenario involving direct interaction with a target, start with Contact Frequency to quantify how often those interactions occur.

  • Use TEF to set the stage for whether threats are around in the first place, but don’t over-index on TEF when your primary concern is the actual engagement with the target.

  • Always tie CF back to defenses. If you see a high CF, you should ask: what controls are in place to interrupt or reduce those interactions? Could cameras be improved, lighting enhanced, or guards repositioned to limit entry opportunities?

A quick, memorable summary: if the question is “how often will a robber enter the bank?” CF is your best answer because it captures the real, observable engagements with the target. TEF tells you about threat presence. LEF tells you about losses after the fact. PoA tells you what happens after a threat engages.

If you’re building risk models or just trying to reason clearly about risk, remember that the beauty of FAIR is its modular approach. You don’t have to squeeze every situation into one metric. You pick the measure that lines up with the moment you’re analyzing. In the bank robbery scenario, that moment is the robber’s entry, and the natural metric for that moment is Contact Frequency.

Before we wrap, here’s a tiny thought experiment to keep sharp: imagine a bank with its doors locked by a clever security system. The number of times someone tries to enter (CF) would be influenced by how inviting the door looks, how easy it is to bypass, and how quickly alarms trigger. If you multiplied those factors differently, would TEF or CF become the more useful measure for the risk conversation you’re having with your team? The answer, again, is CF, because it pins the discussion to what actually happens—the robber’s visits.

In the end, the map matters as much as the terrain. FAIR gives you the landmarks, and Contact Frequency is the straightforward, direct line to understanding how often those perilous brush-ins occur. It’s not flashy, but it’s effective. And in risk work—where clarity saves days and decisions save dollars—that kind of honesty is invaluable.

If you’re curious to go deeper, you can explore how different security layers influence CF in real-world settings, from door engineering to remote monitoring. It’s fascinating how a small tweak on a doorway can ripple through a risk model and change the numbers you rely on to keep people and assets safe. And that, more than anything, is the practical beauty of using FAIR in the field: you connect the math to real life, and real life tends to push you toward better, smarter defenses.
