Box 2 and Box 7 combine to define risk in the FAIR framework.

Learn how Box 2 and Box 7 in the FAIR framework combine to define risk: the frequency of loss events and their probable magnitude. This lens helps prioritize security decisions, guiding where to allocate resources for the greatest resilience while keeping the focus on real-world impacts.

What makes risk feel real in FAIR? It’s not a single number or a lone event. It’s a two-part story about how often something could go wrong and how bad it would be if it did. In the Factor Analysis of Information Risk framework, two pieces—Box 2 and Box 7—play the starring roles in that story. When you bring them together, you get a clearer picture of risk that can guide where you spend time and money.

Let’s start with the basics, in plain language.

Box 2: How often could a loss happen?

Think of Box 2 as the “how often” in the risk equation. It represents loss event frequency: the probable number of loss events within a given period, conventionally a year. It’s not a forecast of a single incident; it’s an estimate of how often loss events would occur if you let things run their course. In FAIR this is driven by two things: how often threat agents act against the asset (threat event frequency) and how likely such an attempt is to turn into an actual loss (vulnerability, which in turn depends on the attacker’s capability against the resistance strength of your controls). Controls that reduce how often attackers make contact, or that hold when they do, lower Box 2.

Box 7: How bad would it be if it happened?

Box 7 is the “how bad” part: probable loss magnitude. It asks: if a loss event occurs, how severe would the impact be? FAIR splits this into primary loss, the cost the organization bears directly (incident response and investigation, replacing or restoring assets, lost productivity), and secondary loss, which depends on how regulators, customers, and partners react (fines and judgments, customer churn, reputational damage). It’s the scale of pain you’d feel after the event. Reducing the magnitude means hardening your assets, improving recovery capabilities, and designing safeguards that cap the damage when something slips through.

Now, the magic—or, more accurately, the math—happens when you combine these two boxes.

Risk as a function of frequency and magnitude

In FAIR, risk isn’t a one-note concern. It’s a function of both how often losses could occur and how big the losses would be. Put simply, risk = frequency × magnitude: a loss event frequency of 0.25 per year (about once every four years) against a probable loss of $2 million per event is an expected annual loss of $500,000. In practice FAIR carries both inputs as ranges (minimum, most likely, maximum) and simulates them into a distribution of annualized loss exposure rather than a single product, but the multiplication is the intuition to hold on to, and it shows why both pieces matter.

  • If the frequency is low but the potential impact is astronomical, the risk can still be significant.

  • If the frequency is high but each impact is modest, the losses accumulate across the year; the expected loss can match or exceed that of a rarer, larger event even though no single incident looks alarming.

  • If both frequency and magnitude are high, risk climbs quickly and relentlessly.

A couple of quick thought experiments can make this click in your mind.

  1. The rare but catastrophic event

Suppose a system is well defended day-to-day, so losses happen rarely. But when they do, they’re nasty—think a multi-hour outage that costs millions, plus compliance trouble. Even with low frequency, the huge magnitude keeps risk high. In this case, you might invest more in resilience and rapid recovery to trim the potential damage.

  2. The frequent but manageable event

Now imagine smaller incidents happen often—think frequent, short outages or minor data exposures. If each event costs a small amount, but they happen a lot, the total impact across a year can be sizable. Here, you’d focus on mechanisms to cut frequency—better threat monitoring, smarter access control, faster patch cycles.

  3. The medium bet

Sometimes both factors sit in the middle. The risk is a steady drumbeat, not a carnival of spikes. In those cases, you balance prevention and response, trimming both how often events sneak in and how badly they bite when they do.

This isn’t about sensational headlines; it’s a practical lens for prioritization

The beauty of combining Box 2 and Box 7 is that it moves decision-making away from guesswork and toward a structured view. You’re not just asking, “What’s the worst that could happen?” You’re asking, “How often could it happen, and how severe would it be?” That clarity is what helps security, risk, and business teams speak the same language.

A tangible way to use this in practice

If you’re mapping out your organization’s risk landscape, a straightforward approach helps.

Step 1: Estimate Box 2 (loss event frequency)

  • Look at threat activity in your environment: how often threat agents make contact with and act against the asset (threat event frequency), and how likely such an attempt is to become a loss given the controls in front of it (vulnerability). Internal incident records, logs, and peer or industry data are all fair inputs.

  • Use a consistent time window. FAIR conventionally annualizes frequency, so an event expected “about once every four years” is a loss event frequency of roughly 0.25 per year; whatever window you choose, use the same one for every scenario you intend to compare.

  • Don’t overcomplicate. Start with a defensible minimum, most likely, and maximum estimate and be prepared to adjust as you learn.

Step 2: Estimate Box 7 (probable loss magnitude)

  • Identify what a loss would cost you if a threat event succeeds: response and investigation, replacing or restoring assets, lost productivity, fines and judgments, and the reputational and competitive harm that follows.

  • Include both primary losses (costs you bear directly: paying experts, restoring systems) and secondary losses that depend on how others react (regulators, customers, partners: fines, churn, brand impact).

  • Think in ranges rather than a single number. Capture a minimum, most likely, and maximum per-event loss; FAIR fits a distribution to those and lets simulation work out how “moderate” and “severe” outcomes combine.

Step 3: Compute risk and translate it into action

  • Combine frequency and magnitude to get an annualized loss exposure you can compare across assets or processes. Multiplying the two point estimates gives the expected annual loss; simulating from the ranges also gives the spread, which is what tells you whether you are looking at a steady drain or a rare spike.

  • Use that ranking to prioritize where to invest next. Do you shore up defenses to reduce frequency? Or do you strengthen incident response and recovery to reduce magnitude? Sometimes you’ll do a mix.

Step 4: Iterate as conditions change

  • Threat landscapes aren’t static. What’s low risk this quarter might surge next quarter. Keep Box 2 and Box 7 under regular review, and adjust your controls accordingly.

  • Involve stakeholders from IT, security, risk, and business units. The best outcomes come from shared understanding, not a single department’s siloed focus.
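The four steps above, and the three thought experiments earlier on the page, worked through as an added example in Python (this is not code from the original page, and it is not the FAIR standard’s own method or any FAIR tool’s code). The scenario figures are constructed for illustration; Box 2 and Box 7 are entered as minimum / most likely / maximum ranges; a year is simulated by drawing a Poisson number of loss events and a magnitude for each; and scenarios are ranked by annualized loss exposure. The triangular distribution stands in for the PERT fit that FAIR tools typically use, and the `Range`, `Scenario`, and function names are my own.

```python
"""Toy FAIR-style risk model (added example; constructed figures).

Each scenario carries the page's two inputs as min / most-likely / max ranges:
loss event frequency (LEF, loss events per year; Box 2) and loss magnitude
(LM, cost per loss event; Box 7).  A simulated year draws a rate, a Poisson
count of loss events at that rate, and an independent magnitude per event.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular(low, high, mode): a simple stand-in for a PERT fit
        return rng.triangular(self.low, self.high, self.likely)

    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3

    def scaled(self, factor: float) -> "Range":
        return Range(self.low * factor, self.likely * factor, self.high * factor)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Range  # loss events per year (Box 2)
    lm: Range   # loss per event, in currency units (Box 7)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the modest rates used here."""
    limit, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_year(scn: Scenario, rng: random.Random) -> float:
    """Total loss in one simulated year: this year's rate, a Poisson number of
    loss events at that rate, and a separately sampled magnitude for each."""
    rate = scn.lef.sample(rng)
    return sum(scn.lm.sample(rng) for _ in range(poisson(rng, rate)))


def annualized_loss_exposure(scn: Scenario, years: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo summary of annual loss: mean, median, 90th percentile, and the
    probability that a year sees any loss at all."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(scn, rng) for _ in range(years))
    return {
        "mean": statistics.fmean(losses),
        "p50": losses[len(losses) // 2],
        "p90": losses[int(0.9 * len(losses))],
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def point_estimate(scn: Scenario) -> float:
    """The page's 'frequency x magnitude' as one number: expected annual loss."""
    return scn.lef.mean() * scn.lm.mean()


def rank_by_mean(scenarios) -> list:
    """(name, simulated mean annual loss) pairs, highest exposure first."""
    return sorted(((s.name, annualized_loss_exposure(s)["mean"]) for s in scenarios),
                  key=lambda item: item[1], reverse=True)


def compare_controls(scn: Scenario, factor: float = 0.5) -> dict:
    """The same scenario under a control that scales frequency versus one that
    scales magnitude.  Expected loss moves identically; the distribution does not."""
    fewer = replace(scn, name=f"{scn.name} (LEF x{factor})", lef=scn.lef.scaled(factor))
    smaller = replace(scn, name=f"{scn.name} (LM x{factor})", lm=scn.lm.scaled(factor))
    return {s.name: annualized_loss_exposure(s) for s in (scn, fewer, smaller)}


# Constructed scenarios mirroring the page's three thought experiments.
RARE_CATASTROPHIC = Scenario("rare but catastrophic",
                             Range(0.02, 0.05, 0.10), Range(2_000_000, 5_000_000, 12_000_000))
FREQUENT_MINOR = Scenario("frequent but manageable", Range(20, 40, 80), Range(500, 2_000, 6_000))
MEDIUM_BET = Scenario("medium bet", Range(0.5, 2, 4), Range(10_000, 30_000, 80_000))
SCENARIOS = [RARE_CATASTROPHIC, FREQUENT_MINOR, MEDIUM_BET]

if __name__ == "__main__":
    for name, ale in rank_by_mean(SCENARIOS):
        print(f"{name:26s} expected annual loss ~ {ale:>12,.0f}")
    for name, stats in compare_controls(RARE_CATASTROPHIC).items():
        print(f"{name:36s} mean {stats['mean']:>10,.0f}  p(any loss) {stats['p_any_loss']:.3f}")
```

Running it ranks the three constructed scenarios by expected annual loss (the rare-but-catastrophic one comes out on top despite a frequency below one event per year) and then compares two controls on that scenario. Halving frequency and halving magnitude lower the mean by the same amount, which is all a point product can tell you; only the frequency control changes how often you have a loss year at all, while the magnitude control leaves that probability alone and shrinks the bad year instead. That is the prevention-versus-response choice the page is getting at, made visible.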

Why this matters beyond the numbers

Let me explain with a quick analogy. Think of Box 2 as weather frequency—how often storms roll in. Box 7 is storm intensity—the gusts, hail, and flooding if a storm hits. The risk you face is the weather forecast you act on. If storms are frequent but mild, you still need sturdy roofs and drainage. If storms are rare but ferocious, you need contingency plans and rapid repairs. If storms come often and hit hard, you’re looking at a comprehensive strategy—harden the structure, speed up response, and maybe rethink the location of your most precious assets.

A few reminders that keep this approach grounded

  • It’s about balance, not perfection. Reducing frequency often comes with the costs of controls and monitoring. Reducing magnitude often means tougher recovery capabilities and backups. The best approach blends both, tailored to what actually matters to your organization.

  • The numbers aren’t magic. Box 2 and Box 7 are tools for thinking, not crystal balls. Use them as inputs to a broader risk dialogue, not as the final verdict on every decision.

  • Real-world drivers matter. Threat actors evolve, new regulations emerge, and technology changes. Your estimates should reflect that dynamic reality, not a static snapshot.

A few real-world pockets where this framing shines

  • Cloud adoption and third-party risk. You’ll want to know how often third-party services could fail or be compromised, and how severe the impact would be if a provider outage or data breach occurred. That helps you decide where to implement vendor risk controls and where to add extra backups.

  • Data privacy compliance. If a breach happens, what’s the magnitude? How many records could be exposed? The combination of frequency and magnitude helps you gauge overall exposure and guide investment in encryption, access controls, and monitoring.

  • Incident response planning. If an incident happens, how quickly can you detect and recover? The magnitude is tied to downtime and cost of restoration, while frequency ties to how often you expect to see incidents flare up.

A gentle nudge toward practical wisdom

If you’re studying FAIR with an eye toward applying it in real life, remember this: the two boxes don’t operate in isolation. They rely on context—what you’re protecting, who could be affected, what controls you have in place, and how quickly you can recover. When you think about risk as a product of frequency and magnitude, you gain a natural rhythm for prioritization. It’s less about chasing the biggest number and more about balancing the most influential factors.

Closing thought: keep the conversation human

At the end of the day, risk is a story about choices under uncertainty. Box 2 asks, “How often could something go wrong?” Box 7 asks, “If it goes wrong, how badly would it hurt?” Together, they tell you where to put your focus. They help you translate a jumble of data into a plan that makes sense to stakeholders, from security engineers to executives.

If you’re wrestling with a particular scenario—say, a new cloud service, an IoT deployment, or a data-sharing arrangement—try mapping it through Box 2 and Box 7. Talk it through with teammates, sketch the numbers, and see how the risk picture shifts when you tighten a control, change a policy, or upgrade a recovery capability. You’ll often find that small adjustments in frequency or magnitude can tilt the balance more than you’d expect.

In the end, the combination of Box 2 and Box 7 is a simple, powerful lens. It reframes risk from a fog of concerns into a two-axis map that guides what to fix first and how hard to push on each fix. And that clarity—more than anything else—helps teams move forward with confidence, even when the next surprise is just around the corner.
