Box 2 in the FAIR framework explains Loss Event Frequency and Threat Event Frequency.

Box 2 in the FAIR framework centers on Loss Event Frequency and Threat Event Frequency, showing how often losses occur and how often threat scenarios arise. Understanding these frequencies helps teams model risk more accurately, prioritize protections, and link external threats to potential impacts.

Box 2 in the Factor Analysis of Information Risk (FAIR) framework is often where many folks like to pause and take a breath. It’s not about guessing what attackers will do next—it's about counting how often losses might show up and how often threats could trigger those losses in the first place. In plain terms: Box 2 is about two kinds of frequency. And understanding both is what lets you turn fuzzy risk into something you can manage.

Box 2 at a glance: two frequencies that fit together

  • Threat Event Frequency (TEF): How often a threat agent is expected to act against an asset in a way that could lead to a loss, within a given timeframe. Count attempts, not successes: a phishing campaign that reaches inboxes is a threat event whether or not anyone clicks. Not every threat event leads to a loss, but TEF is how often those threatening events are likely to arise.

  • Loss Event Frequency (LEF): How often those threat events actually inflict harm within the same timeframe. This is the rate at which you experience real losses (data stolen, downtime, financial impact, or regulatory penalties), and it is the frequency that FAIR later multiplies by loss magnitude to arrive at risk.

Here’s the key connection you’ll see echoed in many FAIR discussions: LEF = TEF × vulnerability, where vulnerability is the probability (between 0 and 1) that a threat event becomes a loss event. Two things follow. Even if threats appear often, losses only happen when a threat event exploits a weakness; and because vulnerability is a probability, LEF can never exceed TEF. That vulnerability factor sits a little downstream of Box 2, but it’s the bridge that links TEF to LEF. Box 2 lays out the two frequencies you need to map the landscape, while vulnerability (often discussed in Box 3) explains how likely it is that a given threat event becomes a real loss.

Let’s break down what that really means in practice

Two frequencies, two different but connected lenses

  • TEF asks: How often could a threat scenario arise? It’s about exposure to threats. If you’re in a business with lots of online transactions, you’ll hear a lot about phishing attempts, credential stuffing, misconfigurations, and other threat patterns. TEF puts a clock on those patterns—how many times they might materialize in a year, a quarter, or a month.

  • LEF asks: How often do those threat events actually turn into losses? It’s still a frequency (loss events per year), not a probability; the probability that any single threat event becomes a loss is the vulnerability factor. Nor is it simply a count of past incidents. It’s the expected rate once you account for the defenses, controls, and protections you actually have. LEF sits closer to the bottom line: how often you’ll face a measurable impact from security incidents.

Why we separate the two—an intuitive nudge

  • The threat landscape can be noisy. A lot of threat chatter and attempted breaches never become a problem because they’re blocked or thwarted.

  • Loss events depend on more than just attackers; they hinge on vulnerabilities, timing, and the resilience of your controls.

  • If you mix TEF with LEF, you risk overreacting to loud threats or underestimating the quiet ones. Box 2 helps you keep the signal clear: what could happen, and what actually happens.

A practical, human-friendly way to see the difference

Imagine your organization as a fort on a windy coast. TEF is the wind—the number of storm fronts that pass by and could hit the fort. LEF is the number of times the fort actually gets damaged in a year. If the fort has sturdy gates (low vulnerability) most storms blow by with little effect, so LEF stays low even though TEF is high. If the gates are weak (high vulnerability), even a few storms can cause multiple losses.

A concrete example to anchor the idea

Suppose a company maintains a large customer database. Here’s a simplified way to view Box 2:

  • TEF: The company experiences several credible threat scenarios each year that could lead to a data loss. For instance, phishing attempts that could harvest credentials, misconfigurations that expose data to the internet, and malware campaigns aimed at exfiltration. Let’s say, in a given year, these threat scenarios are expected to occur 120 times in aggregate across all critical assets.

  • LEF: How many of those threat events actually cause a loss? Not every phishing attempt leads to a breach, and not every misconfiguration results in data being exposed. After considering defenses, the team estimates that about 20 loss events occur per year as a result of those threats.

That’s LEF in action: 20 loss events per year, arising from a TEF of 120 threat events. If you know TEF and you know how often a threat event translates into a loss (the vulnerability angle, which lives in Box 3), you can derive LEF. Run the arithmetic the other way and the page’s own numbers imply an average vulnerability of 20/120, roughly one in six: about one threat event in six gets through. That single average hides a lot, though, because the phishing, misconfiguration, and malware scenarios will each have their own TEF and their own vulnerability.
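As an added worked example (not code from the page or from the FAIR standard), the Python below splits the 120-threat-event, 20-loss-event figure into three constructed scenarios, computes LEF = TEF × vulnerability for each, sums them, and runs the arithmetic checks a reviewer would want before accepting the numbers. The scenario names, TEF values and vulnerabilities are assumptions chosen so that the totals reproduce the page’s figures.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Scenario:
    """One threat scenario against one asset: a per-year TEF and a vulnerability."""
    name: str
    tef: float   # threat events per year (attempts, not successes)
    vuln: float  # probability that one threat event becomes a loss event, 0..1

    def lef(self) -> float:
        """Loss Event Frequency for this scenario: LEF = TEF x vulnerability."""
        return self.tef * self.vuln


# Constructed scenarios (assumed numbers) that add up to the page's figures:
# 120 threat events per year and 20 loss events per year.
SCENARIOS: List[Scenario] = [
    Scenario("phishing for credentials",          tef=80.0, vuln=0.125),  # 10 losses/yr
    Scenario("internet-exposed misconfiguration", tef=10.0, vuln=0.5),    #  5 losses/yr
    Scenario("exfiltration malware",              tef=30.0, vuln=1 / 6),  #  5 losses/yr
]


def aggregate_tef(scenarios: List[Scenario]) -> float:
    """Total threat events per year across the modeled scenarios."""
    return sum(s.tef for s in scenarios)


def aggregate_lef(scenarios: List[Scenario]) -> float:
    """Aggregate LEF is the sum of per-scenario LEFs, not a product of totals."""
    return sum(s.lef() for s in scenarios)


def implied_vulnerability(scenarios: List[Scenario]) -> float:
    """TEF-weighted average vulnerability: the single number for which
    total_TEF x vuln == total_LEF. A useful sanity check, but it hides the
    spread between well-defended and poorly-defended scenarios."""
    tef = aggregate_tef(scenarios)
    return aggregate_lef(scenarios) / tef if tef else 0.0


def consistency_issues(scenarios: List[Scenario]) -> List[str]:
    """Input checks worth running before an estimate leaves the workshop."""
    issues: List[str] = []
    for s in scenarios:
        if s.tef < 0:
            issues.append(f"{s.name}: TEF cannot be negative")
        if not 0.0 <= s.vuln <= 1.0:
            # A vulnerability above 1 would make LEF exceed TEF, which is impossible.
            issues.append(f"{s.name}: vulnerability must be a probability in [0, 1]")
        elif s.tef > 0 and s.vuln == 0.0:
            issues.append(f"{s.name}: vulnerability of exactly 0 claims a perfect control; justify it")
    return issues


if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name:38s} TEF={s.tef:6.1f}/yr  vuln={s.vuln:.3f}  LEF={s.lef():5.1f}/yr")
    print(f"aggregate TEF={aggregate_tef(SCENARIOS):.0f}/yr  "
          f"aggregate LEF={aggregate_lef(SCENARIOS):.0f}/yr")
    print(f"implied average vulnerability={implied_vulnerability(SCENARIOS):.3f}")
    print("issues:", consistency_issues(SCENARIOS) or "none")
```

Notice that the misconfiguration scenario contributes a quarter of the losses from under a tenth of the threat events; the aggregate one-in-six average would never show you that.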

Where Box 2 sits in the wider FAIR picture

FAIR isn’t just a one-box quiz; it’s a spectrum. Box 2 sits between threat dynamics and loss outcomes. You’ll usually see Box 1 outlining what you’re protecting (assets, value, and the loss magnitudes if things go wrong) and Box 3 addressing the vulnerabilities that let threats cause harm. Box 2 then translates the threat environment into concrete loss frequencies you can budget against.

In practice, professionals use TEF and LEF to quantify risk in meaningful ways. You might hear terms like “frequency-based risk” or “expected loss frequency.” The magic is not in guessing—it’s in documenting plausible threat event frequencies and then tying them to the real-world losses you want to avoid.

A quick guide to estimating TEF and LEF without drama

  • Start with TEF:

      • Gather threat intelligence: what kinds of threat events are plausible for your assets? Look at common attack patterns, past incidents in your industry, and intelligence feeds.

      • Consider exposure: how visible is your surface to these threats? Public-facing services, third-party links, and employee behavior all influence TEF.

      • Create scenarios: describe representative threat events that could lead to a loss, not every possible thing, but the ones with credible likelihood. Estimate each one as a range (minimum, most likely, maximum) rather than a single number.

  • Move to LEF:

      • Assess control effectiveness: what defenses are already in place to prevent the threat from becoming a loss? Firewalls, IAM protections, monitoring, incident response readiness, etc.

      • Estimate vulnerability (the bridge): for each threat event, what’s the probability that it will result in a loss given your controls? That’s your vulnerability factor, and like TEF it is better captured as a range than as one point.

      • Multiply, per scenario: LEF = TEF × vulnerability for each scenario you have modeled, then add the scenario LEFs to get the aggregate. That equals total TEF times a TEF-weighted average vulnerability, but working per scenario keeps the real mix of strong and weak defenses visible instead of burying it in one average.
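The steps above deliberately produce ranges, not single numbers. The Python below is an added example (not from the page and not from any FAIR tool) that carries three-point estimates for TEF and vulnerability through LEF = TEF × vulnerability with a Monte Carlo loop and reports percentiles, so the uncertainty in the inputs shows up in the output instead of being hidden behind one figure. The input ranges are constructed assumptions, and the standard library’s `random.triangular` stands in for the PERT distribution that FAIR tooling typically uses.

```python
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate from a calibrated workshop: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def __post_init__(self) -> None:
        if not self.low <= self.mode <= self.high:
            raise ValueError("estimate needs low <= mode <= high")

    def sample(self, rng: random.Random) -> float:
        # Triangular stands in for the PERT curve most FAIR tooling uses (an assumption).
        # random.triangular takes (low, high, mode) and returns low when low == high,
        # so a point estimate (low == mode == high) degrades to plain multiplication.
        return rng.triangular(self.low, self.high, self.mode)


def simulate_lef(tef: Estimate, vuln: Estimate, n: int = 10_000, seed: int = 0) -> List[float]:
    """Draw n (TEF, vulnerability) pairs and return n LEF values in loss events per year."""
    if tef.low < 0:
        raise ValueError("TEF cannot be negative")
    if not (0.0 <= vuln.low and vuln.high <= 1.0):
        raise ValueError("vulnerability is a probability; its whole range must lie in [0, 1]")
    rng = random.Random(seed)  # fixed seed so a reviewer can reproduce the run exactly
    return [tef.sample(rng) * vuln.sample(rng) for _ in range(n)]


def percentile(samples: List[float], p: float) -> float:
    """Linear-interpolated percentile for p in [0, 1]; no numpy required."""
    s = sorted(samples)
    k = (len(s) - 1) * p
    lo = int(k)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def summarize(samples: List[float]) -> Dict[str, float]:
    """The numbers a decision maker actually asks for: a plausible low, middle and high."""
    return {
        "p10": percentile(samples, 0.10),
        "p50": percentile(samples, 0.50),
        "p90": percentile(samples, 0.90),
        "mean": sum(samples) / len(samples),
    }


if __name__ == "__main__":
    # Constructed inputs (assumed): 80..200 threat events/yr, most likely 120;
    # vulnerability 5%..40%, most likely 17%.
    tef_est = Estimate(low=80, mode=120, high=200)
    baseline = summarize(simulate_lef(tef_est, Estimate(0.05, 0.17, 0.40), seed=7))
    # Same threat exposure, but a hardening program assumed to halve vulnerability.
    hardened = summarize(simulate_lef(tef_est, Estimate(0.025, 0.085, 0.20), seed=7))
    for label, s in (("baseline", baseline), ("hardened", hardened)):
        print(f"{label:9s} LEF/yr  p10={s['p10']:5.1f}  p50={s['p50']:5.1f}  "
              f"p90={s['p90']:5.1f}  mean={s['mean']:5.1f}")
```

Running the baseline and hardened cases with the same seed pairs each TEF draw with the same draw for vulnerability, so the difference between the two summaries is the effect of the control change alone, not simulation noise. That is the comparison you want when arguing for a budget: the same threat weather, a sturdier gate.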

A note on data and realism

No one expects perfect data, especially when you’re just starting to map out TEF and LEF. Use a mix of sources: historical incident counts, industry reports, penetration testing results, and expert judgment. Risk modeling is as much about credible reasoning as it is about precise numbers. It’s better to have a transparent, well-justified estimate than a slick number that hides uncertainty.

What this means for risk decisions

  • If TEF is rising but LEF stays flat, vulnerability is falling: your defenses are absorbing more threat events without turning them into losses. Keep investing in those protections, and keep measuring, because a flat LEF under rising TEF is a trend to confirm, not to assume.

  • If LEF sits close to TEF (it can never exceed it), nearly every threat event becomes a loss, and that means vulnerable assets. Your focus should be on reducing vulnerability: patching, hardening, and improving detection and response.

  • If both TEF and LEF creep up, you’ve got a combined risk challenge. You’ll want a balanced plan: reduce threat exposure where possible and shore up defenses to lower the chance that a threat becomes a loss.

A handy analogy that sticks

Think of Box 2 like weather forecasting for your data. TEF is the forecast of storm fronts—the number of risky weather events you might encounter. LEF is the forecast of actual rain or hail that causes damage to your property. You don’t fix the weather; you fix the roof and gutters, and you decide when to evacuate or take precautions. In risk terms, you manage threat exposure and you harden your vulnerabilities to reduce losses.

Common misunderstandings—and how to avoid them

  • Confusing TEF with LEF. TEF is about threats; LEF is about losses. They aren’t interchangeable, and mixing them up leads to misdirected controls.

  • Treating LEF as a historical count only. It’s tempting to look at last year’s losses and call that LEF. Remember, LEF is the expected frequency given the threats you face and the vulnerabilities you have—historical data helps, but it’s not the whole story.

  • Ignoring the horizon. TEF can shift with changes in threat intelligence and exposure. Box 2 isn’t a one-off snapshot; it’s a dynamic measure that benefits from ongoing updates.

Where to go from here (practical next steps)

  • Start conversations with your team about TEF and LEF. Map a few critical assets and draft representative threat scenarios.

  • Consider small workshops or threat modeling sessions that use real-world data from your environment. Use those to generate rough TEF estimates and to start a dialogue about vulnerability and LEF.

  • If you have access to risk quantification tools or services, use them to simulate LEF under different defensive postures. Tools like RiskLens are designed with FAIR in mind and can help translate qualitative insights into numbers you can action.

A few closing thoughts to remember

  • Box 2 brings two lenses into focus: how often threats could present themselves, and how often those threats translate into losses. It’s the bridge between what could happen and what actually happens.

  • The goal isn’t to be perfect with numbers. It’s to be transparent, reasoned, and consistent about how you estimate frequencies and how you link them to controls.

  • Good risk work turns into better decisions. When you quantify TEF and LEF with care, you get a clearer picture of where to invest, what to monitor, and how to prepare for the unexpected.

If you’re exploring FAIR with curiosity, Box 2 is a great place to start seeing how threat dynamics and loss realities intersect. TEF sets the stage—the clock on threat activity. LEF shows you the consequence—the rhythm of losses you’re aiming to reduce. By keeping these two frequencies in view, you can craft defenses that don’t just look good on paper but actually perform when things get rough.

In the end, it’s about making risk tangible. TEF and LEF aren’t abstract numbers; they’re the language you use to talk about your organization’s resilience. And when you can translate risk into concrete actions—tighter controls, smarter response plans, smarter budgeting—you’re not just managing risk, you’re steering it with intention. That’s the heart of what Box 2 promises: a clearer map of how threats translate into losses, so you can navigate confidently and protect what matters.
