Abstract
As cyber threats grow in frequency and impact, organisations must shift from reactive security measures to strategic risk governance. However, many continue to rely on qualitative risk assessments, leading to ambiguity and ineffective communication between technical teams and executive leadership. This dissertation addresses that gap by applying the Factor Analysis of Information Risk (FAIR) model to quantify the financial exposure of a ransomware scenario at Super Bock Bebidas, S.A., a leading Portuguese beverage company. Through a structured case study, this research decomposes a phishing-based ransomware attack targeting privileged users into measurable components. Using BetaPERT distributions and Monte Carlo simulation, the model estimates both Annualised Loss Exposure (ALE) and Cyber Value at Risk (Cy-VaR). Key results show an ALE of €45,307 and a Cy-VaR of €88,424, well below the organisation's €10 million risk appetite. The analysis also evaluates the risk-reducing impact of cyber insurance, quantifying a 74% reduction in ALE post-policy application. By translating risk into financial terms, the FAIR methodology enables more transparent, defensible, and governance-aligned decision-making. The findings support a broader shift toward data-driven cybersecurity governance, providing a replicable approach for other organisations seeking to embed cyber risk into enterprise risk management frameworks.

| Date of Award | 30 Oct 2025 |
|---|---|
| Original language | English |
| Awarding Institution | |
| Supervisor | Paulo Alves (Supervisor) |
UN SDGs
This student thesis contributes to the following UN Sustainable Development Goals (SDGs)
- SDG 9 Industry, Innovation, and Infrastructure
- SDG 16 Peace, Justice and Strong Institutions
Keywords
- Cyber risk quantification
- FAIR
- Monte Carlo simulation
- Governance
- Ransomware
- Cybersecurity
- Cyber insurance
Designation
- Master's in Finance