Subject-matter experts provide quantitative estimates in the FAIR model, grounded in their expertise

Subject-matter experts are the secret sauce in a FAIR risk model. When people ask, “Where do the numbers come from?” the honest answer is: they come from people who know the work, the systems, and the real-world constraints inside an organization. In the FAIR framework, those folks supply the quantitative estimates that turn fuzzy intuition into concrete figures. And yes, that distinction—numbers grounded in expertise—changes how risk looks and how you act on it.

Who are these experts, anyway?

Let me explain with a quick image. Think of a library of specialized knowledge: IT security engineers who understand firewalls and malware trends; network architects who know how traffic actually flows; system admins who’ve walked the server floors during outages; legal and compliance folks who track regulatory risk; and business unit leaders who feel the cost of downtime in real dollars. In practice, you pull together a cross-disciplinary team, because risk isn’t a single-domain problem. Each expert adds a piece of the puzzle, and together they build a picture that’s much more credible than any one person’s guess.

What do they actually deliver?

In FAIR, the core job of subject-matter experts is to provide quantitative estimates based on their expertise. It’s not just “they know stuff”—it’s about translating deep knowledge into numbers you can model. Their input helps you estimate two big things:

• Loss Event Frequency (LEF): How often a particular threat could cause a loss in a given time frame, given current controls and vulnerabilities.

• Loss Magnitude (LM): How bad the loss could be if that threat event occurs, including financial impact, downtime, regulatory penalties, and downstream effects.

There’s a practical reason this matters. If you only talk in qualitative terms like “low,” “medium,” or “high,” you miss the nuance that executives care about when they decide where to invest. Numbers make it possible to compare options, run scenarios, and show how reducing one variable (say, patch velocity or MFA adoption) shifts overall risk. And that clarity is what turns risk talks into action.

How does that translation happen, in real life?

This is where the magic (and the method) show up. Here’s a straightforward flow you’ll often see in FAIR work:

• Define scope and assets. What are you protecting? How critical are they to business operations? The more precise you are, the better the numbers will land.

• Gather expert input using structured elicitation. Rather than asking for a single point guess, you’ll typically seek ranges, confidence, and best estimates. Many teams use three-point estimates (best, worst, most likely) to capture uncertainty.

• Map knowledge to the model’s elements. Subject-matter experts convert their insights into inputs like vulnerability factors, threat-frequency adjustments, control strengths, and asset values.

• Attach probability distributions. Rather than a single number, they describe a distribution (for example, a “roughly 1 in 20 chance” with a certain spread). This reflects real-world uncertainty.

• Validate against data when possible. If there are historical incidents, near-misses, or telemetry, those data points help calibrate the guesses without stripping away their context.

• Document assumptions and limitations. The goal is transparency, so others can follow the reasoning and adjust if new information appears.

Two big knobs, two kinds of expertise

• LEF knobs (frequency): Experts weigh how often a threat could materialize, given the environment, controls, and human factors. A malware campaign may recur with a certain cadence, but that cadence shifts if endpoint protection improves or staff become more vigilant.

• LM knobs (impact): Experts quantify potential costs—financial losses, customer churn, reputational hits, regulatory fines, and recovery time. This isn’t just a price tag; it’s the cascading effect on operations and strategy.

A practical metaphor

Think of a garden. Subject-matter experts are the gardeners who know which seeds will sprout in a given season, how fast they’ll grow, which pests might show up, and how much water and sun they’ll need. The FAIR model is the garden bed and the weather forecast. The gardeners don’t plant blindly; they plant with numbers in mind—how many plants, what yield to expect, and what risks could threaten the harvest. The result is a plot you can tend, defend, and use to plan for the next season.

Techniques that help experts speak the language of risk

• Structured elicitation. Rather than a free-form opinion, experts are guided through a process that captures ranges, probabilities, and dependencies.

• Three-point estimates. By asking for best, worst, and most likely values, you reveal uncertainty and avoid a false sense of precision.

• Scenario modeling. Experts sketch plausible threat scenarios and walk through how each would unfold, including who is affected and what the consequences look like.

• Distribution fitting. Teams translate expert judgments into statistical distributions (like triangular or beta distributions) to feed robust simulations.

• Calibration with data. When historical data exists, it’s used to tune the expert-driven inputs so the model reflects reality, not just theory.

What to watch out for—pitfalls and guardrails

No method is perfect, and even the sharpest SME can stumble into biases or gaps. Common hazards include:

• Overconfidence. A single expert might give a tight number because it feels safer, even when the true range is wide. Counter it with multiple voices and explicit uncertainty.

• Anchoring. If one prior estimate dominates, others may adjust toward it rather than offering fresh perspectives.

• Data scarcity. In niche domains, scarce data means estimates should lean more on qualitative judgment, clearly labeled as such.

• Misalignment of scope. If the asset or threat isn’t defined consistently across contributors, numbers won’t line up.

• Insufficient documentation. Without notes on assumptions, readers can’t interpret or challenge the inputs.

Guardrails include cross-functional review, explicit uncertainty ranges, and a living document that gets updated as new information surfaces. In short, make the method transparent, and make the inputs traceable.

A quick, real-world flavor

Picture a hospital and its patient-data systems. An SME in healthcare IT would weigh the likelihood of a data breach given current defense layers, staff training, and third-party access. They’d translate that into a frequency estimate—say, a plausible annual breach probability—and quantify the potential cost, including notification, fines, downtime, and reputational damage. Then, they’d model how adding MFA, improving patching, or tightening vendor controls reduces that frequency and/or the impact. The result isn’t a vague warning; it’s a tangible signal that the board can use to prioritize security investments.

Why SME-driven numbers matter for decisions

• They make risk portable. When you express risk in probability and cost terms, executives and technical teams share a common language.

• They enable comparison. You can evaluate different control options by how much they move the risk needle, not just by how they sound.

• They support accountability. If a control reduces risk by a certain amount, it’s easier to justify the expense and the effort.

• They encourage continuous improvement. With a quantitative baseline, you can measure progress over time and adjust tactics as environments shift.

Bringing it together in your organization

If you’re aiming to build a FAIR-informed view of risk, here are practical tips to engage subject-matter experts effectively:

• Start with clear scope. Define the assets, threats, and controls at the outset so everyone is speaking the same language.

• Use a structured elicitation approach. Provide templates, ranges, and example scenarios to guide experts.

• Balance experts with data. Where data exists, let it calibrate judgments; where it doesn’t, label the input as expert-based and keep it transparent.

• Foster collaboration. Have risk analysts and domain specialists review each other’s inputs to catch misspecifications and bias early.

• Document and socialize assumptions. It’s okay to be imperfect—just own the assumptions and revise them as the environment evolves.

A takeaway you can use tomorrow

Subject-matter experts aren’t just chatter in a risk meeting. They’re the bridge between deep, practical knowledge and the numbers that drive decisions. In FAIR, their core job is to deliver quantitative estimates based on their expertise. That translation—from lived experience to statistical input—gives risk managers a reliable map of where the danger lies, how quickly it could strike, and how much it would cost if it did. With that map, leadership can make informed choices now, not after a costly incident.

If you’re building or refining a risk program, prioritize the human element just as much as the math. Gather the right experts, create a respectful elicitation process, and treat uncertainty as a feature, not a bug. The numbers will follow, and the story they tell will be clearer, more credible, and far more actionable.

A few practical takeaways to keep handy:

• SMEs provide quantitative estimates for two core FAIR inputs: LEF (how often) and LM (how bad) a loss could be.

• Use structured elicitation and three-point estimates to capture uncertainty.

• Calibrate inputs with any available data, but don’t force precision where it isn’t warranted.

• Document assumptions and encourage cross-team validation to minimize bias.

• Treat risk as a moving target; update inputs as systems, processes, and threats evolve.

If you’re curious to see how this plays out in different sectors, you’ll notice the same pattern across industries: domain experts, a careful elicitation process, and numbers that tell a story about risk in a language every stakeholder can understand. That’s the heart of FAIR in action—the place where expert insight meets numerical clarity, and risk management becomes something you can plan around rather than fear.