Risk

FY2026FAIR modelACME Corp
Prove it holds up →
  1. Stand
  2. Diagnose
  3. Act
  4. Prove
Step 3 · Act
What do I do — and what does it buy us?

Loss modeled in dollars, then a ranked plan. Open a scenario for the FAIR breakdown, or an action for the step-by-step and the score it buys.

Annual loss expectancy
$4.2M
▼ $0.6M vs last quarter
Materiality threshold
$2.5M
Material cyber risk exceeds threshold
Loss removed by plan
$2.9M
Remediation ROI
3.4×
loss avoided per dollar spent

FAIR loss scenarios

Back to gaps →
ScenarioDriverALEConfidenceTop controlStatus
RansomwareEndpoint encryption / extortion$1.8MHighPCI R5Open
Cloud data exfiltrationExternal — APT$1.1MMediumNIST PR.DSMitigating
PHI breach (legacy store)Unencrypted data at rest$640KHighHIPAA §164.312Open
Insider misusePrivileged insider$420KMediumSOC 2 CC6Open
Third-party breachSupply chain$310KLowNIST ID.SCMonitoring

Ranked action plan

Closes 3 gaps
1
Enforce phishing-resistant MFA on all privileged + cloud-admin roles
Closes: MFA not enforced for privileged cloud access
Satisfies PCI-DSSFedRAMPNIST CSF · ~1 week · Cloud Platform
2
Encrypt the legacy datastore at rest and rotate keys to the managed KMS
Closes: Unencrypted patient data in a legacy datastore
Satisfies HIPAAGDPRNIST CSF · ~2 weeks · Data Engineering
3
Run the overdue access review and put it on an automated quarterly cadence
Closes: Quarterly access reviews are 9 months overdue
Satisfies SOC 2PCI-DSSFedRAMP · ~3 days · IT / GRC
Close these three → posture 71 → 89 across all six frameworks, one quarter of work.
Next
Prove it holds up
Continue →