FAIR Monte Carlo Risk Calculator — NAXS Labs


Enter a minimum, most likely, and maximum for each input. The calculator runs a Monte Carlo simulation using PERT distributions — the same statistical approach used in professional FAIR analyses — and returns a probability distribution of annualized loss exposure rather than a single point estimate.

Threat Event Frequency (TEF)
Contact frequency (attempts/year): 365
min: 100 | most likely | max: 1000
Probability of action (%): 20%
min: 5% | most likely | max: 40%

Susceptibility (TCap vs Resistance)
Threat capability score (1–10): 8
min: 6 | most likely | max: 10
Resistance strength — current (1–10): 3
min: 1 | most likely | max: 5

Primary Loss — direct costs
Downtime / productivity loss ($): $300k
min: $50k | most likely | max: $800k
Ransom demand ($): $750k
min: $100k | most likely | max: $2M
Incident response / forensics ($): $150k
min: $50k | most likely | max: $400k
Revenue / operational loss ($): $200k
min: $50k | most likely | max: $600k

Secondary Loss — downstream costs
Regulatory fine — OCR / FTC ($): $500k
min: $0 | most likely | max: $1.9M
Legal / breach notification ($): $100k
min: $25k | most likely | max: $300k
Reputational / customer impact ($): $250k
min: $0 | most likely | max: $750k
Insurance deductible ($): $50k
min: $10k | most likely | max: $150k

Post-control scenario
Annual control cost ($): $80k
min: $40k | most likely | max: $150k
Resistance strength after controls (1–10): 7
min: 5 | most likely | max: 9

Median threat events/yr: TEF
Median susceptibility: TCap ÷ (TCap + RS)
Median loss events/yr: LEF = TEF × Susc
Median primary loss/event
Median secondary loss/event
Median loss magnitude/event: PL + SL

Annualized Loss Exposure — Monte Carlo Distribution
10th percentile: 90% of outcomes exceed this
Median (50th percentile): Most likely single-year outcome
90th percentile: Tail risk — 1-in-10 year scenario

[Figure: Annualized loss distribution — simulation output. Monte Carlo simulation results histogram.]

Control ROI — median scenario
Median ALE after controls
Median risk reduction
Net benefit (reduction − cost)

How this calculator works

Each input uses a PERT distribution (Program Evaluation and Review Technique), which is the standard distribution for FAIR analyses. PERT is a modified Beta distribution that weights the most likely value four times more heavily than the min or max, producing realistic skewed distributions that reflect how cyber losses actually behave — most events cluster near the mode, with a long tail toward catastrophic outcomes.

The simulation draws random samples from each PERT distribution simultaneously, computes a full loss scenario for each iteration, and aggregates the results into a probability distribution. At 10,000 iterations the output is statistically stable — percentile values will vary by less than 1–2% between runs.

Susceptibility is modeled as TCap ÷ (TCap + RS) per the FAIR standard, producing a value between 0 and 1 that represents the probability a threat event results in a loss. Loss Event Frequency is TEF × Susceptibility. Annualized Loss Exposure is LEF × Loss Magnitude per event.

The ROI section computes a post-control scenario by re-running susceptibility with the improved resistance strength and comparing median ALE values. Net benefit is median risk reduction minus median control cost.
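
The model described above, sketched in Python as an added example (not NAXS Labs' code; function and variable names are illustrative). It assumes the value shown beside each form field is the most likely value, that TEF is contact frequency × probability of action as in the FAIR taxonomy, and that risk reduction is the difference between the two median ALE values.

```python
import random
from statistics import median, quantiles

def pert(rng, lo, mode, hi, lam=4.0):
    """One PERT draw: a Beta(a, b) rescaled to [lo, hi], mode weighted by lam."""
    if hi == lo:                      # degenerate range: no uncertainty
        return lo
    a = 1 + lam * (mode - lo) / (hi - lo)
    b = 1 + lam * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(a, b) * (hi - lo)

# (min, most likely, max) triples, assumed from the form defaults shown on the page
CF, POA = (100, 365, 1000), (0.05, 0.20, 0.40)
TCAP, RS_NOW, RS_AFTER = (6, 8, 10), (1, 3, 5), (5, 7, 9)
PRIMARY = [(50e3, 300e3, 800e3), (100e3, 750e3, 2e6),
           (50e3, 150e3, 400e3), (50e3, 200e3, 600e3)]
SECONDARY = [(0, 500e3, 1.9e6), (25e3, 100e3, 300e3),
             (0, 250e3, 750e3), (10e3, 50e3, 150e3)]
CONTROL_COST = (40e3, 80e3, 150e3)

def simulate(n=10_000, seed=None):
    rng = random.Random(seed)
    before, after, cost = [], [], []
    for _ in range(n):
        tef = pert(rng, *CF) * pert(rng, *POA)   # assumed: TEF = contact freq x P(action)
        tcap = pert(rng, *TCAP)
        lm = sum(pert(rng, *t) for t in PRIMARY + SECONDARY)  # PL + SL per event
        # Same TEF, TCap and LM draws in both scenarios; only resistance changes.
        for rs, out in ((RS_NOW, before), (RS_AFTER, after)):
            susc = tcap / (tcap + pert(rng, *rs))
            out.append(tef * susc * lm)          # ALE = LEF x LM
        cost.append(pert(rng, *CONTROL_COST))
    deciles = quantiles(before, n=10)            # 9 cut points: 10th .. 90th percentile
    reduction = median(before) - median(after)
    return {"p10": deciles[0], "p50": median(before), "p90": deciles[8],
            "p50_after": median(after), "reduction": reduction,
            "control_cost": median(cost),
            "net_benefit": reduction - median(cost)}

if __name__ == "__main__":
    for name, value in simulate(seed=1).items():
        print(f"{name:>13}: ${value:,.0f}")
```

Reusing the same TEF, TCap and loss draws for the before and after scenarios isolates the effect of the resistance change, so the comparison is not blurred by sampling noise between two independent runs.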

This calculator implements PERT-based Monte Carlo simulation consistent with the FAIR methodology. Results depend entirely on the accuracy of your inputs. For formal risk reporting, inputs should be calibrated against organizational data, threat intelligence feeds, and industry loss databases such as the FAIR Institute’s Open FAIR Loss Tables. This tool is provided for educational and estimation purposes by NAXS Labs LLC.