A new article from Risk.net says that "more than a decade after it was first applied to modeling cyber risk, the most commonly used approach to quantifying cyber threats among banks remains the Factor Analysis of Information Risk (FAIR) model."
The Risk.net article by Tom Osborn catalogues the list of tough problems for bank operational risk managers who want to model cyber risk:
A large number of threats with widely varying frequencies: phishing attempts arrive daily, for instance, while ransomware incidents are rare.
The loss magnitude of regulatory fines, reputational damage and data-breach compensation to customers is "difficult if not impossible to quantify".
Osborn writes that financial institutions turn to FAIR because "the approach provides a straightforward map of risk factors and their interrelationships, with its outputs then used to inform a quantitative analysis, such as Monte Carlo simulations or a sensitivities-based analysis."
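To show what "outputs then used to inform a quantitative analysis, such as Monte Carlo simulations or a sensitivities-based analysis" looks like in practice, here is a small FAIR-style Monte Carlo model. This is an added example, not code from Risk.net, Tom Osborn or the FAIR Institute. The factor decomposition it uses is FAIR's standard one (Threat Event Frequency × Vulnerability = Loss Event Frequency; Loss Magnitude = Primary Loss + Secondary Loss); everything else is an assumption of the example: the Poisson and lognormal distribution choices, the calibration of a lognormal from a median and 90th-percentile estimate, the two constructed scenarios and their numbers, and the function names. It also demonstrates the two problems listed above: one scenario is frequent but cheap (phishing), the other rare but expensive (ransomware, with secondary losses such as fines and compensation modelled as a separate, fatter-tailed factor), and the sensitivity helper shows how a control that lowers one factor moves the annualized loss.

```python
"""FAIR-style Monte Carlo simulation of annualized cyber loss.

Added illustration, not code from Risk.net or the FAIR Institute.
Scenario numbers are constructed for the example, not real bank data.
"""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario: a threat community acting against an asset.

    tef:  Threat Event Frequency, expected threat events per year
    vuln: Vulnerability, probability a threat event becomes a loss event
    primary_p50/p90:   calibrated median and 90th percentile of primary loss
                       per event (response, replacement, lost productivity)
    secondary_p50/p90: the same for secondary loss (fines, customer
                       compensation, reputation), a separate FAIR factor
    """
    name: str
    tef: float
    vuln: float
    primary_p50: float
    primary_p90: float
    secondary_p50: float
    secondary_p90: float


def poisson(rng: random.Random, lam: float) -> int:
    """Poisson draw by Knuth's method; adequate for the rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def lognormal_from_p50_p90(rng: random.Random, p50: float, p90: float) -> float:
    """Loss-magnitude draw from a lognormal fitted to two calibrated quantiles.

    Assumption of the example: z(0.90) = 1.2816 maps the p90 estimate to sigma.
    """
    mu = math.log(p50)
    sigma = math.log(p90 / p50) / 1.2816
    return rng.lognormvariate(mu, sigma)


def simulate_year(rng: random.Random, scenarios) -> float:
    """One simulated year: draw threat events, thin them by Vulnerability to
    get loss events, then add primary and secondary loss for each one."""
    total = 0.0
    for s in scenarios:
        threat_events = poisson(rng, s.tef)
        loss_events = sum(rng.random() < s.vuln for _ in range(threat_events))
        for _ in range(loss_events):
            total += lognormal_from_p50_p90(rng, s.primary_p50, s.primary_p90)
            total += lognormal_from_p50_p90(rng, s.secondary_p50, s.secondary_p90)
    return total


def run(scenarios, trials: int = 5000, seed: int = 7) -> dict:
    """Simulate `trials` years; return ALE, percentiles and the raw losses."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, scenarios) for _ in range(trials))

    def pct(q: float) -> float:
        return losses[int(q * (len(losses) - 1))]

    return {"ale": mean(losses), "p50": pct(0.50), "p90": pct(0.90),
            "p99": pct(0.99), "max": losses[-1], "losses": losses}


def exceedance_probability(losses, threshold: float) -> float:
    """P(annual loss > threshold): one point on a loss-exceedance curve."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def sensitivity(scenarios, name: str, field: str, new_value, **kw):
    """Re-run with one factor of one scenario changed (e.g. a control that
    lowers Vulnerability); the ALE pair shows that factor's sensitivity."""
    changed = [replace(s, **{field: new_value}) if s.name == name else s
               for s in scenarios]
    return run(scenarios, **kw)["ale"], run(changed, **kw)["ale"]


# Constructed scenarios: frequent-but-cheap versus rare-but-expensive.
SCENARIOS = [
    Scenario("phishing credential theft", tef=365, vuln=0.02,
             primary_p50=20_000, primary_p90=100_000,
             secondary_p50=5_000, secondary_p90=50_000),
    Scenario("ransomware", tef=0.5, vuln=0.3,
             primary_p50=2_000_000, primary_p90=10_000_000,
             secondary_p50=1_000_000, secondary_p90=8_000_000),
]

if __name__ == "__main__":
    r = run(SCENARIOS)
    for k in ("ale", "p50", "p90", "p99", "max"):
        print(f"{k:>4}: {r[k]:>14,.0f}")
    print("P(loss > 5M):", exceedance_probability(r["losses"], 5_000_000))
    base, with_control = sensitivity(SCENARIOS, "ransomware", "vuln", 0.1)
    print(f"ALE ransomware vuln 0.3 -> 0.1: {base:,.0f} -> {with_control:,.0f}")
```

The sorted annual losses are the material for the loss-exceedance curve that operational-risk teams typically present; the ALE alone hides the rare, large ransomware years that dominate the tail, which is exactly the frequency-versus-magnitude problem the article describes.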