What is a Fermi estimate?
Fermi estimation is a structured way to estimate hard questions using simple parts.
Break the big number into smaller numbers you can reason about, then combine them.
We care about the order of magnitude, not a false sense of precision.
Transfer Examples
Use the same breakdown logic in these situations:
- Insider threat volume: 3,000 employees × 0.2% likely attempts per year = ~6 potential exfil attempts.
- Vulnerable asset count: 120 apps × 30% internet-facing × 15% unpatched = ~5-6 high-risk assets.
Tutorial: Chicago Piano Tuners
This tutorial is interactive. Change a number to see the estimate move.
Your decomposition
Start with a few parts. Add or remove as needed.
Problem 1: Phishing Volume
Estimate how many phishing emails a company of 2,000 employees receives per year.
Keep it simple, then check the range.
Your decomposition
Build the estimate and adjust each component.
Reference approach
One path: employees × workdays × emails per day × phishing rate.
Problem 2: Ransomware Recovery Cost
Estimate the annual ransomware recovery cost for a 5-hospital health system.
This is a larger estimate. Use structure to stay on track.
Your decomposition
Split the cost into clear, defensible parts.
Reference approach
One path: incidents per year × (downtime cost + recovery labor + ransom).
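The two reference approaches above are products (and, inside Problem 2, a sum) of components that each have a plausible range rather than a single value. The following Python helper is an added example, not part of the tutorial or its interactive widget: it carries a low..high range through each step of a decomposition, reports the geometric-mean midpoint and its order of magnitude, and ranks the components by how much spread they contribute, which is the "few inputs that drive most of the estimate". Every range in it (workdays, emails per day, phishing fraction, per-incident costs, incident frequency) is an assumption chosen for illustration; only the 2,000 employees comes from the problem statement.

```python
# Added example (not from the tutorial): a small Fermi-estimate helper that
# carries a low/high range through each step of a decomposition, so the result
# is an order of magnitude with an explicit spread rather than a single number.
# All input ranges below are assumptions chosen for illustration.
from dataclasses import dataclass
from math import floor, log10, sqrt


@dataclass(frozen=True)
class Factor:
    """One component of a decomposition with a plausible low..high range."""
    name: str
    low: float
    high: float

    def __post_init__(self):
        if self.high < self.low:
            raise ValueError(f"{self.name}: high must be >= low")

    def mid(self) -> float:
        # Geometric mean: the natural best guess when reasoning in orders of magnitude.
        return sqrt(self.low * self.high)

    def spread(self) -> float:
        # Orders of magnitude between low and high: how much this factor drives uncertainty.
        return log10(self.high / self.low) if self.low > 0 else float("inf")


def multiply(name, factors):
    """Chain factors by multiplication; low/high propagate as low*low and high*high."""
    low = high = 1.0
    for f in factors:
        if f.low <= 0:
            raise ValueError(f"{f.name}: multiplicative factors must be positive")
        low *= f.low
        high *= f.high
    return Factor(name, low, high)


def add(name, factors):
    """Combine cost components by addition (low = sum of lows, high = sum of highs)."""
    return Factor(name, sum(f.low for f in factors), sum(f.high for f in factors))


def order_of_magnitude(x: float) -> int:
    """Exponent of the leading power of ten, e.g. 281,000 -> 5."""
    return floor(log10(x))


def dominant_factors(factors):
    """Factors ranked by spread: the top one or two are where to refine the estimate."""
    return sorted(factors, key=lambda f: f.spread(), reverse=True)


def phishing_estimate():
    """Problem 1: employees x workdays x emails per day x phishing rate (assumed ranges)."""
    parts = [
        Factor("employees", 2000, 2000),              # given by the problem
        Factor("workdays per year", 220, 250),        # assumption
        Factor("emails per employee-day", 30, 80),    # assumption
        Factor("phishing fraction", 0.005, 0.03),     # assumption: 0.5% to 3%
    ]
    return multiply("phishing emails per year", parts), parts


def ransomware_estimate():
    """Problem 2: incidents per year x (downtime cost + recovery labor + ransom)."""
    per_incident = add("cost per incident", [
        Factor("downtime cost", 1_000_000, 5_000_000),  # assumption, USD
        Factor("recovery labor", 200_000, 1_000_000),   # assumption, USD
        Factor("ransom paid", 0, 2_000_000),            # assumption: may be zero
    ])
    parts = [Factor("incidents per year", 0.2, 1.0), per_incident]  # assumption
    return multiply("annual recovery cost", parts), parts


def report(result, parts):
    print(f"{result.name}: {result.low:,.0f} .. {result.high:,.0f} "
          f"(mid ~{result.mid():,.0f}, order 10^{order_of_magnitude(result.mid())})")
    top = dominant_factors(parts)[0]
    print(f"  largest uncertainty: {top.name} ({top.spread():.2f} orders of magnitude)")


if __name__ == "__main__":
    report(*phishing_estimate())
    report(*ransomware_estimate())
```

With the assumed ranges, Problem 1 lands between roughly 66,000 and 1.2 million phishing emails per year (order 10^5), and the phishing fraction is the component that dominates the spread, so that is the input worth refining before anything else. Problem 2 lands between roughly 240,000 and 8 million per year (order 10^6), dominated by the per-incident cost rather than the incident frequency. Changing any single range and rerunning shows which inputs actually move the order of magnitude and which do not.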
Learning Debrief
What You Just Learned
- Break unknowns into measurable components you can defend.
- Use ranges to show uncertainty instead of false precision.
- Focus on the few inputs that drive most of the estimate.
- Communicate the order of magnitude with confidence.
Applying This to Cyber Risk
Fermi estimates help you make decisions when the data is incomplete.
Insider Incident Volume
Estimate potential insider incidents with a simple chain: employee count × attempt rate × detection probability.
Exposure Surface Sizing
Estimate high-risk assets by combining asset inventory × internet exposure × patch gap.