Avoidance controls lower threat event frequency by reducing contact with assets in FAIR analysis.

This article explores how avoidance controls lower Threat Event Frequency in FAIR by cutting contact opportunities with assets. By changing processes, removing vulnerabilities, or retiring risky technology, organizations shrink how often threats can act; the lever at work is Contact Frequency, and keeping it in view keeps defenses practical.

Why avoidance controls matter for how often threats can strike (in FAIR)

If you’ve spent time with the Factor Analysis of Information Risk (FAIR) model, you’ve probably seen risk as a dance between how often a threat could act and how bad the impact would be when it does. It’s tempting to focus on the damage part—the Loss Magnitude—because big losses feel memorable. But here’s the key twist: the things you put in place to avoid an incident can actually shrink the number of times a threat could even touch your assets. In FAIR terms, that’s about Contact Frequency.

Let me lay out the idea in plain language and then connect it back to the taxonomy.

A quick refresher on the FAIR pieces

FAIR breaks risk down into a few moving parts. Four of them matter most for this discussion:

  • Contact Frequency: How often a threat could engage with an asset. Think of it as “how often is a door left unlocked or a path left unguarded?”

  • Vulnerability: The weaknesses that could be exploited once a threat has an opportunity. This is the broken lock on the door, the open window the thief notices.

  • Probability of Action: The chance that a threat actor will actually take advantage of a weakness if they see an opportunity.

  • Loss Magnitude: The potential impact if a threat event actually happens.

You can see how these pieces fit together. If you want to reduce risk quickly, nudging Contact Frequency downward can be an effective lever, because it tackles the entry points and opportunities a threat actor has.

Avoidance controls: the direct route to fewer contact opportunities

Avoidance controls are measures that aim to remove or sidestep risk altogether. They’re not just “making the risk smaller later”; they’re about preventing risk from appearing in the first place. In the FAIR framework, that’s exactly what reducing Contact Frequency is all about.

  • Imagine removing a risky technology from your stack. If a certain server type or software module is unnecessary, taking it offline or decommissioning it eliminates the route a threat could use to contact your assets. The threat either never sees the target, or it sees a much narrower, less tempting target.

  • Change a process to close a recurring vulnerability in daily operations. If a process repeatedly creates exposure—say, an insecure data export routine—that process can be redesigned or retired. Fewer steps mean fewer chances for a threat to slip through.

  • Enforce stricter access controls and authentication. By requiring multi-factor authentication, device-bound access, or tighter session controls, you shrink the number of legitimate touchpoints an attacker can exploit. Fewer touchpoints = fewer opportunities to engage.

  • Segment networks and limit exposure. When you isolate sensitive systems behind segmented networks, an attacker who gains a foothold in one area is less likely to reach the asset you care about. That’s your hedge against careless scanning turning into actual contact.

  • Remove or harden high-risk channels. If email, web portals, or API endpoints are high-risk attack paths, you can disable or reshape them, add additional verification, or route communications through safer channels. Each change reduces the chance an attacker can reach the asset through that channel.

A practical way to see the logic

Think of a small online service with a public-facing login. If someone tries to break in, they first contact the system by initiating a login attempt. Every login attempt is a potential contact point. If you remove the public login entirely, the obvious contact frequency drops toward zero: attackers don’t have a route to try. If you keep the login but require MFA, monitor and block unusual login patterns, and enforce robust password hygiene, you’ve still decreased the likelihood that a given contact results in a successful break-in.

That’s the essence of the “Contact Frequency” lever: each avoidance control reduces the number of doors (the possible points of entry) and, with them, the number of times a threat actor can initiate contact.

What about the other taxonomy components?

It’s not that the other factors aren’t important. They’re just different kinds of levers.

  • Loss Magnitude: This governs what happens after contact occurs. It’s about the consequences—data that’s exposed, downtime, regulatory penalties. You can reduce Loss Magnitude by, for example, backing up data, implementing strong incident response, and having cyber insurance. But note that these steps don’t directly reduce how often an attacker can contact your asset; they reduce the pain if contact happens.

  • Vulnerability: Here we’re talking about weaknesses an attacker could exploit once they’re talking to the system. Patching, secure development practices, and configuration hardening shrink the pool of exploitable gaps. These actions make it harder for an attacker to turn a contact into a real problem, but they don’t necessarily cut the number of times contact can occur in the first place.

  • Probability of Action: This is about attacker intent and capability. Even with a potential vulnerability, an attacker may not decide to act. This is where threat intelligence, monitoring, and deterrence play a role. You can reduce the odds of action, but again, that’s more about how often an attacker will decide to act after contact is established rather than how frequently contact opportunities arise.

So the neat distinction: avoidance controls reduce how often contact can happen (Contact Frequency) by removing or insulating the attack surface, while vulnerability management and action probability changes adjust what happens after contact or how likely an attacker is to act.
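The four pieces from the refresher and the distinction just drawn, worked through in numbers. This is an added example, not code from the article or from the FAIR standard; it uses the standard FAIR chain (TEF = CF × PoA, LEF = TEF × Vuln, expected annual loss = LEF × LM), and the control names, the fractions each removes and the baseline values are all constructed assumptions.

```python
"""Point-estimate FAIR chain: TEF = CF x PoA, LEF = TEF x Vuln, loss = LEF x LM.
Added example, not code from the article or from the FAIR standard; every
number and control below is constructed for illustration."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    contact_frequency: float      # CF: threat contacts with the asset per year
    probability_of_action: float  # PoA: P(actor acts | contact)
    vulnerability: float          # Vuln: P(loss event | threat event)
    loss_magnitude: float         # LM: expected loss per loss event

    def threat_event_frequency(self) -> float:
        return self.contact_frequency * self.probability_of_action

    def loss_event_frequency(self) -> float:
        return self.threat_event_frequency() * self.vulnerability

    def annual_loss(self) -> float:
        return self.loss_event_frequency() * self.loss_magnitude


# Hypothetical controls: (FAIR factor the control acts on, fraction removed).
# Only the avoidance control touches contact_frequency; the rest act after contact.
CONTROLS = {
    "decommission old API (avoidance)": ("contact_frequency", 0.60),
    "patching and hardening": ("vulnerability", 0.50),
    "monitoring and deterrence": ("probability_of_action", 0.30),
    "backups and incident response": ("loss_magnitude", 0.40),
}


def apply_control(s: Scenario, name: str) -> Scenario:
    factor, reduction = CONTROLS[name]
    return replace(s, **{factor: getattr(s, factor) * (1.0 - reduction)})


def rank_controls(base: Scenario) -> list[tuple[str, float, float]]:
    """(control, LEF after, annual loss after), best annual-loss reduction first."""
    after = {n: apply_control(base, n) for n in CONTROLS}
    rows = [(n, round(a.loss_event_frequency(), 4), round(a.annual_loss(), 2))
            for n, a in after.items()]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    # Constructed baseline: a public login endpoint probed about 1000 times a year.
    base = Scenario(1000.0, 0.05, 0.20, 25_000.0)
    print("baseline LEF/yr and annual loss:", base.loss_event_frequency(), base.annual_loss())
    print(*rank_controls(base), sep="\n")
```

The LEF column is the point of the table: the Loss Magnitude control leaves LEF at its baseline because it acts only after a loss event, while the avoidance control cuts LEF because a Contact Frequency reduction propagates through TEF and LEF before any loss is counted.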

A few concrete examples you’ll recognize

  • Decommissioning unused systems: If you shut down an old API that people still poke at, you remove a channel. Fewer channels means fewer chances for a threat to reach an asset.

  • Tightening access controls: Requiring MFA and device verification makes it harder for a bad actor to use a valid account, which reduces successful contacts and, in turn, the frequency of events that could occur.

  • Network segmentation: Separating front-end services from critical databases creates a barrier. An attacker who gets a foothold on the edge may find the path blocked, reducing contact opportunities to the target asset.

  • Changing business processes: If a risky data export routine creates frequent exposure, rewriting that workflow can eliminate a class of contact points entirely.

  • Removing risky technology: If you stop using an old, vulnerable technology, you cut out a whole set of potential contact paths. It’s like closing a back alley—the threat can’t use it if it’s not there.

Where this matters in real risk conversations

People who work in information security and risk management know that “risk” can feel like a moving target. It helps to anchor conversations in concrete terms. When you frame risk as a product of contact opportunities and what happens if someone takes the opportunity, it’s easier to justify certain controls to leadership.

  • If a board asks where to invest for the biggest bang, you can point to Contact Frequency. Reducing the number of touchpoints often costs less than trying to fix every vulnerability after the fact.

  • In a budget trade-off, you might show how a single strong access-control improvement can dramatically drop contact opportunities, compared with many smaller patches that only partially reduce risk.

  • In a risk workshop, you can map each control to the part of the model it influences. That helps teams see why some controls are premium investments even if they don’t seem to “fix” a vulnerability on the surface.

A gentle nudge toward practical thinking

Let’s switch to a more intuitive metaphor. Picture your organization as a busy museum at night. The guards (your controls) stand at doors and corridors. If a door is left ajar or a window is unmonitored, a thief could slip in. Avoidance controls are the equivalent of locking doors, closing windows, and turning off unused hallways. They shrink the number of entry points. The more doors you shut, the fewer chances a mischief-maker has to even begin a visit.

Meanwhile, if someone does slip inside, your vulnerability patches and monitoring systems are the alarms and cameras that reduce the chance they get away with something. They limit the damage, not the number of opportunities to steal in the first place.

A few guiding tips as you think through your own setup

  • Start with a surface scan for contact points. Where could an attacker realistically engage with your asset? List the channels, protocols, and interfaces that are exposed.

  • Prioritize avoidance by impact, but not only by cost. Ask which changes reduce contact frequency the most with reasonable effort.

  • Use a simple map. Tie each control to whether it primarily reduces Contact Frequency, Vulnerability, or Probability of Action. This clarity helps with debates and decision-making.

  • Don’t forget the people and processes. Technical controls matter, but so do training, awareness, and governance. A process change can remove a whole class of contact opportunities without heavy tech spend.

  • Measure over time. Track changes in contact opportunities after you implement a control. Confirm that the intended effect—fewer potential contacts—shows up in your risk estimates.

A little more nuance, if you’re curious

You’ll hear some people say that controls should always be about reducing risk to zero. That’s a nice aim, but not always realistic. The FAIR framework helps you be realistic about what each control can actually do. Some measures may primarily protect the asset after contact begins; others may deter contact altogether. The art is in layering them so that contact opportunities shrink while the system stays usable and affordable.

To tie back to the central idea: when we talk about where avoidance controls fit in the taxonomy, the answer is clear. They play a direct and powerful role in lowering Threat Event Frequency by reducing Contact Frequency. They’re the first line of defense that blocks the door, not just the alarm that sounds after someone’s inside.

If you’re mapping a risk scenario and you’re unsure where a control sits, ask this simple question: Does this control prevent an attacker from even contacting the asset, or does it only make it harder for them to succeed after contact? If it’s the former, you’re looking at an avoidance control that moves the needle on Contact Frequency.

Final takeaway

In the FAIR view of risk, prevention isn’t just about patching vulnerabilities or guessing whether a threat actor will act. It’s about shaping the opportunities themselves. By focusing on avoidance controls that reduce Contact Frequency, you lower the number of opportunities attackers have to reach your assets. It’s a practical, sometimes underappreciated way to bend the risk curve—one strategic change at a time. And that, in its own quiet way, is how you build a more resilient information environment without turning every knob at once.
