Deterrent Controls in FAIR: Reducing Loss Event Frequency by Lowering the Probability of Action

Deterrent controls in the FAIR taxonomy lower the odds that a harmful action is attempted rather than limiting its impact. By discouraging threats at the source, they reduce Loss Event Frequency. Think cameras, access controls, and other deterrents that quietly shift risk posture. Seeing them this way shifts priorities for risk reduction.

Outline we’ll follow

  • Hook and quick context: why deterrent controls matter in FAIR’s view of risk.

  • Quick primer: what Loss Event Frequency is, and where “Probability of Action” sits in the taxonomy.

  • The core idea: deterrent controls reduce the likelihood that a threat actor takes an action, not the damage once action starts.

  • Concrete examples: cameras, access controls, penalties, and visible defense measures.

  • How to think about measuring impact in the FAIR framework.

  • Common confusions: how deterrents relate to vulnerability and contact frequency.

  • A practical takeaway: designing controls with action probability in mind.

  • Short, memorable wrap-up: ask yourself how deterrence changes your risk picture.

Deterrence in the FAIR lens: why it matters

Let’s start with a simple image. Imagine a dark hallway with a few cameras blinking, a door that requires a badge, and a loud alarm that would trigger if someone tries to force it. You don’t know exactly what happens next, but you know you’ve raised the cost of doing something risky. In risk language, these deterrent measures affect the likelihood that a threat actor will even start an action that could lead to a loss. That’s the core idea behind the Probability of Action in the FAIR taxonomy.

What is Loss Event Frequency, again?

FAIR helps us break down risk into manageable pieces. Loss Event Frequency (LEF) is essentially how often a loss could occur within a given period. It’s not just about how bad a loss could be (that’s Loss Magnitude); it’s about how often a loss could happen in the first place.

Inside LEF, there are factors that describe how likely it is that an attacker will do something that could lead to a loss. One of those factors is the Probability of Action—the chance that a threat actor will initiate a harmful action. If you can push that probability down, you push LEF down, too. And that’s where deterrent controls come in.

Deterrent controls: the “don’t even bother” nudge

Deterrent controls are all about psychology and perception as much as they are about hardware or policies. They say, in effect: “This route isn’t worth the risk.” They don’t erase the possibility of a breach, but they make it less likely that someone will attempt the breach in the first place.

Here are a few concrete examples:

  • Visible security measures: cameras, lighting, security guards, and clear signage. The message is simple: someone is watching, and there will be consequences.

  • Access controls: badge-protected doors, multi-factor authentication, and lockout policies. These raise the implied cost of unauthorized entry.

  • Deterrent policies: strong penalties for trespass, obvious disciplinary procedures, and publicized incident statistics. When the threat of punishment is tangible, some would-be wrongdoers walk away.

  • Situational deterrence: busy lobbies, frequent patrols, and random security sweeps. The unpredictability itself can dissuade actions.

  • Community and culture: a security-conscious environment where colleagues report suspicious activity. Social deterrence often works quietly but effectively.

Notice how these different examples share a thread: they aim to influence the decision point before the action begins. They’re not about repairing a vulnerability after the fact, and they’re not about absorbing the impact once something happens. They’re about lowering the odds that someone starts the action.

Deterrents vs. other control types in the taxonomy

In the FAIR framework, it helps to keep straight how deterrents fit alongside other factors:

  • Vulnerability: this is about how susceptible you are to a given threat once an attack begins. Deterrents don’t directly change vulnerability; they change the actor’s decision to act in the first place.

  • Contact Frequency: this tracks how often you come into contact with threat agents or risky situations. Deterrents can indirectly affect this by making certain interactions less attractive or more costly, but the core mechanism is still about the probability of action.

  • Loss Magnitude: the size of the loss if an incident occurs. Deterrents don’t typically change the amount of damage once an action starts; they aim to reduce how often such actions are started.

  • Probability of Action: here’s the star. This is the likelihood that an attacker will take a harmful action, and it is where deterrent controls do their highest-value work. That’s the lever deterrents pull.

A tidy way to see it: deterrents push the fork in the road from “try something risky” to “let it go.” They don’t rebuild a wall after a breach; they discourage the attempt in the first place.

A real-world vignette

Suppose a company worries about someone trying to access a data center. The plan includes cameras (deterrent), badge access (deterrent and control), and a visible guard presence (deterrent). Before, a casual intruder might think, “I can slip in quickly.” After these measures, the intruder faces a higher chance of being detected or stopped, and the perceived cost of the attempt goes up. The result? A lower Probability of Action. Fewer attempted intrusions mean fewer chances for a breach to occur, which translates into a lower LEF.

If you’re curious about numbers, you can picture it like this: in a rough, qualitative sense, deterrent controls shift the likelihood from a higher band (say, “possible”) to a lower band (say, “unlikely”). In some models, that translates into a reduced action probability that, when plugged into the LEF calculation, lowers the expected number of loss events over a period. It’s not magic; it’s risk math played out in daylight.
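The band shift described above can be carried through the LEF calculation. The following is an added example, not part of the original article: it uses the standard FAIR decomposition (Threat Event Frequency = Contact Frequency × Probability of Action, LEF = Threat Event Frequency × Vulnerability), and every estimate in it is a constructed value for the data-center vignette.

```python
import random
import statistics

def simulate_lef(contact_freq, prob_action, vulnerability, trials=20000, seed=7):
    """Monte Carlo estimate of Loss Event Frequency (loss events per year).

    Each input is a (low, most_likely, high) estimate sampled from a
    triangular distribution. Standard FAIR decomposition:
        Threat Event Frequency = Contact Frequency * Probability of Action
        LEF = Threat Event Frequency * Vulnerability
    """
    rng = random.Random(seed)  # fixed seed: both scenarios see the same draws

    def draw(estimate):
        low, mode, high = estimate
        return rng.triangular(low, high, mode)

    samples = sorted(
        draw(contact_freq) * draw(prob_action) * draw(vulnerability)
        for _ in range(trials)
    )
    return {
        "mean": statistics.fmean(samples),
        "p10": samples[int(0.10 * trials)],
        "p90": samples[int(0.90 * trials)],
    }

# Constructed estimates for the data-center vignette (not real measurements).
CONTACT_FREQ = (20, 50, 120)         # contacts with would-be intruders per year
VULNERABILITY = (0.20, 0.30, 0.50)   # P(attempt becomes a loss); deterrents leave it alone
POA_BEFORE = (0.10, 0.25, 0.40)      # "possible" band, no visible deterrents
POA_AFTER = (0.02, 0.05, 0.10)       # "unlikely" band, cameras + badge + guard

def deterrent_effect():
    """Return (LEF before, LEF after, after/before ratio of mean LEF)."""
    before = simulate_lef(CONTACT_FREQ, POA_BEFORE, VULNERABILITY)
    after = simulate_lef(CONTACT_FREQ, POA_AFTER, VULNERABILITY)
    return before, after, after["mean"] / before["mean"]

if __name__ == "__main__":
    before, after, ratio = deterrent_effect()
    for label, r in (("before", before), ("after", after)):
        print(f"{label:>6}: mean {r['mean']:.2f}/yr  "
              f"(p10 {r['p10']:.2f}, p90 {r['p90']:.2f})")
    print(f"mean LEF falls to {ratio:.0%} of its pre-deterrent value")
```

Contact Frequency and Vulnerability are held identical across the two runs, so the whole drop in LEF comes from the Probability of Action estimate.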

Why this distinction matters in risk conversations

Understanding that deterrents reduce the Probability of Action helps teams communicate clearly about risk reduction. It answers the “how does this actually help?” question with a crisp, measurable answer. It also clarifies where to invest resources. If your goal is to cut the frequency of loss events, deterrent controls are a direct line to that objective—especially in environments where threat actors are weighing the relative cost of breaking in, rather than the potential impact once they’re inside.

A practical mindset for planners

If you’re evaluating controls through the lens of FAIR, you can ask:

  • Which controls most directly influence the Probability of Action for our top threats?

  • Do we have a mix of deterrents that create uncertainty and raise the cost of acting?

  • Are there gaps where an attacker might still decide to take action because deterrents aren’t visible or credible enough?

Answering these questions helps you map controls to the right line item in LEF. And yes, it’s okay if the answer isn’t always “the biggest hammer always wins.” Often, a smart blend of deterrence, detective measures, and preventive controls yields the best balance between risk reduction and cost.

Common missteps to avoid

  • Thinking deterrents erase risk: They don’t erase risk entirely. They lower the chance of an action, but if a breach occurs, the loss magnitude might still be significant.

  • Confusing deterrence with vulnerability reduction: Deterrence discourages the action; it does not necessarily fix the vulnerability itself. A door could still be fragile, but the perceived chance of a failed attempt remains high enough to discourage people from trying.

  • Treating all deterrents the same: Some work better in certain contexts than others. A badge system may deter some attackers effectively, while in other settings social cues or routine patrols do more of the deterring.

Bringing it back to the core idea

Here’s the succinct takeaway: deterrent controls are about influencing human decisions before any action begins. In the FAIR framework, that translates most directly into reductions in the Probability of Action. Through cameras, access controls, penalties, and visible vigilance, these controls make threat actors think twice. Fewer initiated actions mean fewer chances for a loss event to occur, even if the potential damage remains unchanged.

A closing thought

If you’re mapping a risk landscape, start with deterrents as a quick win for the action side of the equation. Then layer in stronger preventive and detective measures to cover the rest of the spectrum. You’ll end up with a more resilient security posture that’s not just about “preventing everything” but about making the cost of wrong moves unappealing enough to change behavior.

So, when you’re assessing how to reduce frequency, ask yourself: how does this control shift the Probability of Action? If the answer points to a real, observable shift, you’re moving in the right direction.
