Risk management without risk analysis is like driving in the dark without headlights: the driver may have the knowledge and skill to operate the car, but has neither direction nor visibility of the hazards along the way. In the same way, organizations often rush headlong into implementing cyber risk management programs without clear visibility into their risk landscape. Too often, risk analysis rests on the subjective judgement of IT and cybersecurity professionals, which varies from person to person and tends to be limited to the technology component. To make matters harder, cybersecurity is a young industry with no agreed definition of risk; the term is routinely conflated with vulnerabilities, threat agents, CVEs, or indicators of compromise (IOCs), none of which is a risk in itself. The result is risk analysis that is inconsistent, risk decisions that are misinformed, and a risk appetite that is misaligned with reality. FAIR (Factor Analysis of Information Risk) is a quantitative risk analysis methodology, an add-on component to existing risk management and ISMS processes, intended to give those processes consistency and repeatability.