Cyber Risk Quantification

Governance & Riskv1.0.0

FAIR-based Monte Carlo risk quantification engine with loss exceedance curves, control effectiveness analysis, and industry-calibrated threat modelling

FAIR
model
10
simulations
7
threats

01Overview

Cyber Risk Quantification (CRQ) Engine translates technical cyber risk into the language boards actually fund against: money. It implements the FAIR (Factor Analysis of Information Risk) taxonomy end-to-end — Risk = Loss Event Frequency x Loss Magnitude — and runs Monte Carlo simulation over min/likely/max inputs to produce annualized loss expectancy (ALE) with full percentile distributions, loss exceedance curves, and per-control ROI. Instead of a red/amber/green heat square, a CISO gets 'this ransomware scenario carries a P90 annual loss of $X, which is Y% of revenue.'

Every uncertain input — threat contact frequency, probability of action, threat capability, resistance strength, and each loss component — is expressed as a three-point estimate and sampled through a PERT (modified beta) distribution, so the output honestly models uncertainty rather than pretending to a single false-precision number. Ten thousand iterations per scenario (configurable, seedable for reproducibility) yield the ALE mean, standard deviation, and a seven-point percentile band from P5 (best case) to P95 (worst case).

Beyond raw exposure, the engine analyzes security controls as investments: it computes each control's resistance-strength boost (with diminishing returns for overlapping controls), estimated ALE reduction across the scenarios it applies to, and a dollar ROI ranking so teams can prioritize spend. Results ship as a colored console executive summary, a fully structured JSON report for pipelines and dashboards, and a dark-themed HTML dashboard with inline SVG charts (risk-score donut gauge, likelihood x impact heatmap, aggregate loss exceedance curve, and control-effectiveness bars).

It is a single Python file with zero external dependencies — no pandas, no numpy, no pip install — making it trivial to drop into an air-gapped GRC environment or a CI job. Severity-based exit codes and the Phalanx Cyber scanner CLI convention (--json / --html / --severity / --seed / --verbose) make it as automatable as a vulnerability scanner, while the bundled sample models a realistic financial-services organization across eight threat scenarios.

02Key Capabilities

Full FAIR Taxonomy

Implements the complete FAIR decomposition — TEF (Contact Frequency x Probability of Action), Vulnerability from Threat Capability vs Resistance Strength, LEF, and primary/secondary Loss Magnitude — not just a top-line formula.

Monte Carlo Simulation

Runs 10,000 iterations per scenario by default (configurable via --simulations) to build a full probability distribution of annual loss rather than a single point estimate.

PERT Distribution Sampling

Every min/likely/max input is sampled through a modified-beta PERT distribution, capturing real-world uncertainty and weighting toward the most-likely value.

Loss Exceedance Curves

Computes the probability of exceeding any given loss threshold, per scenario and aggregated, so leaders can reason about tail risk instead of averages.

Control Effectiveness & ROI Analysis

Models each security control's resistance-strength boost with diminishing returns, estimates its ALE reduction, and ranks controls by dollar ROI for investment decisions.

Log-Scale Risk Scoring

Normalizes each scenario's P90 loss against organization revenue into a 0-100 risk score with CRITICAL/HIGH/MEDIUM/LOW severity bands.

Industry-Calibrated Threat Modeling

Applies per-industry loss multipliers (financial services, healthcare, energy, government and more) and seven pre-defined threat-community capability profiles.

Interactive HTML Dashboard

Generates a self-contained dark-themed dashboard with inline SVG risk gauge, likelihood x impact heatmap, loss exceedance curve, and control bars — no JS libraries or CDN.

Structured JSON Reporting

Emits a full machine-readable report (percentiles, loss breakdowns, exceedance points, control analysis) for ingestion into GRC platforms, SIEMs, or BI dashboards.

Reproducible & Deterministic

A --seed flag pins the RNG so a given scenario file yields identical numbers across runs — essential for audit trails and regression testing.

Zero Dependencies

Pure Python 3.10+ standard library in a single file — deployable in air-gapped or locked-down environments with no pip install.

Automation-Friendly CLI

Severity filtering plus exit codes (0 clean, 1 CRITICAL/HIGH found, 2 input error) let it gate CI pipelines just like a security scanner.

03Architecture

A single-file Python application layered into a pure-math FAIR engine and an orchestration/reporting engine. Data flows: JSON scenario file -> validation/load -> per-scenario Monte Carlo simulation (PERT sampling of FAIR factors) -> percentile/exceedance/risk-score computation -> control cost-effectiveness analysis -> render to console, JSON, and HTML/SVG. Typed dataclasses carry results between stages.

1
FAIREngine (core math)
Implements FAIR formulas and Monte Carlo: PERT/beta sampling, vulnerability = clamp((TC-RS+50)/100), TEF/LEF/LM computation, percentiles, loss exceedance curves, control resistance-strength boost, and log-scale risk scoring.
2
CRQEngine (orchestration & reporting)
Loads and validates scenario JSON, resolves which controls apply to each scenario, runs all simulations, performs control ROI analysis, applies severity filtering, and renders console/JSON/HTML outputs.
3
Typed data model
Dataclasses PERTParams, SimulationResult, ControlAnalysis, and Finding carry three-point inputs and simulation outputs (distributions, percentiles, breakdowns, ROI) through the pipeline.
4
Reporting & SVG rendering
Console renderer (ANSI colors, text gauges, ROI tables) plus HTML dashboard builder that hand-generates inline SVG for the risk donut gauge, 5x5 heatmap, loss exceedance curve, and control bar charts.
5
CLI driver
argparse front-end (main) handling scenario path, --json/--html/--severity/--simulations/--seed/--verbose/--version, input validation, and severity-based process exit codes.

04Project Structure

crq_engine.pyThe entire engine (~1,521 LOC): FAIREngine, CRQEngine, dataclasses, SVG chart builders, and the CLI.
sample_scenarios.jsonReference input modeling Acme Financial Corp ($500M revenue) with 8 threat scenarios, 8 assets, and 12 controls.
README.mdOverview, FAIR model diagram, quick-start commands, CLI options, JSON schema, and the sample-scenario table.
CLAUDE.mdArchitecture notes: component table, FAIR formulas, key constants, severity thresholds, and conventions.
crq_report.jsonSample generated JSON report showing the full structured output shape.
crq_report.htmlSample generated HTML dashboard demonstrating the SVG chart output.
banner.svgProject banner with dashboard-style visualization.
LICENSEMIT license.

05Security Controls

FAIR risk decomposition
Quantifies each scenario through the full FAIR chain: Threat Event Frequency = Contact Frequency x Probability of Action; Vulnerability = clamp((Threat Capability - Resistance Strength + 50)/100, 0, 1); LEF = TEF x Vulnerability; Loss Magnitude = (primary + secondary) x industry multiplier.
Primary vs secondary loss modeling
Separates primary loss (productivity, response, replacement) from secondary loss (regulatory fines, reputation, competitive advantage), each as a three-point PERT-sampled estimate.
Threat-community calibration
Seven built-in threat actor profiles (nation_state, organized_crime, hacktivist, malicious/accidental insider, script_kiddie, competitor) with base capability ranges and persistence levels.
Severity classification
Assigns CRITICAL/HIGH/MEDIUM/LOW by P90 ALE as a percentage of revenue (>=5% CRITICAL, >=2% HIGH, >=0.5% MEDIUM, else LOW) and a 0-100 log-scale risk score.
Control effectiveness & diminishing returns
Each control boosts Resistance Strength up to ~15 points, with combined boost modeling overlap and capped at 40 points, then estimates ALE reduction (capped at 30%) and dollar ROI = (ALE reduction - annual cost) / annual cost.
Loss exceedance / tail-risk analysis
Builds exceedance curves over 20 loss thresholds per scenario plus an aggregate curve, quantifying the probability of exceeding any loss level.
Uncertainty quantification
PERT (modified beta) sampling across 10,000 iterations yields ALE mean, standard deviation, and a P5-P95 percentile band instead of false-precision point estimates.
Industry loss multipliers
Eight sector calibrations (financial_services 1.3, healthcare 1.25, energy 1.2, government 1.15, technology 1.1, retail 1.0, manufacturing 0.95, education 0.85) plus a default, scaling loss magnitude to sector context.

06Technology Stack

Language
Python 3.10+ (uses PEP 604 union syntax)
Dependencies
None — Python standard library only (argparse, json, math, random, dataclasses)
Risk model
FAIR (Factor Analysis of Information Risk); PERT/beta Monte Carlo sampling
Reporting
ANSI console, structured JSON, self-contained HTML with hand-built inline SVG charts
Testing
No test suite; reproducibility via --seed and bundled sample_scenarios.json
CI/CD
None configured in repo
Distribution
Single-file CLI script; MIT licensed

07Quick Start

$ python crq_engine.py sample_scenarios.json
$ python crq_engine.py sample_scenarios.json --json report.json --html dashboard.html
$ python crq_engine.py sample_scenarios.json --severity HIGH
$ python crq_engine.py sample_scenarios.json --simulations 50000 --seed 42
$ python crq_engine.py sample_scenarios.json -v

08Compliance & Frameworks

FAIR (Factor Analysis of Information Risk)
Implements the FAIR taxonomy end-to-end (TEF -> Vulnerability -> LEF x Loss Magnitude) as promoted by the FAIR Institute.
Quantitative risk / ALE reporting
Produces annualized loss expectancy in financial terms with percentile bands, suitable for board and financial-materiality risk reporting.

09Integrations & Outputs

JSON scenario input (organization, assets, controls, scenarios with min/likely/max three-point estimates)Structured JSON report export (--json) for GRC/dashboard/SIEM ingestionSelf-contained HTML dashboard export (--html) with inline SVG chartsANSI colored console executive summarySeverity-based process exit codes (0/1/2) for CI/CD gating

Explore Cyber Risk Quantification

Full source, documentation, and deployment guides live on GitHub.