How DecipherRisk CRQ turns estimates into a loss curve
The one-sentence version
You describe a risk as a set of ranges; the tool plays out thousands of simulated years using those ranges; the results are the spread of what those years cost.
Why ranges, not single numbers
Nobody can say "a breach will cost us exactly $1.2M." But most people can say "probably between $400K and $3M, most likely around $900K." DecipherRisk CRQ works in those ranges. Each estimate you enter is a probability distribution — a shape describing which values are likely and which are extreme. You shape it with a few plain inputs (a low, a most-likely, a high) and watch a live preview.
What "running" actually does
When you click Run, the tool simulates thousands of independent possible years (10,000+ by default). In each simulated year it:
- Draws one value from each of your estimates — this year's frequency, this year's cost per event.
- Combines them the way the FAIR model prescribes — how often events happen, times how much each costs.
- Records the total loss for that year.
After thousands of years you have thousands of possible annual losses. Sorted and charted, those become your loss exceedance curve and percentiles. Rare bad years show up as the tail of the distribution — which is exactly where cyber risk lives.
How events are counted: the event model
Real risks recur differently, so the tool offers four ways to model how losses accumulate in a year:
- Recurring (Poisson) — the default. Events can happen any number of times a year, independently. Honest about the variance of a genuinely recurring risk.
- Clustered (Negative-Binomial) — like recurring, but allows bad years to cluster (a campaign hits several times). Better fit when threats come in waves.
- At most once (One-shot) — for events that either happen or don't in the period, like a single catastrophic breach.
- Simplified — a quick frequency-times-cost estimate. Smoothest to read but understates how bad a bad year can get; use it for back-of-the-envelope comparisons, not for reserving capital.
You pick the model in the scenario editor; the default (Recurring) is the right choice for most scenarios.
Building up the picture: decomposition
You don't have to estimate everything at the top level. If you can't estimate "how often does a loss event happen?" directly, you can break it into "how often does a threat try?" and "how likely is a try to succeed?" — and break those down further still. The tool assembles the pieces back up automatically. Estimate at whatever level you have real knowledge; leave the rest aggregated. The glossary explains each factor.
Modeling defenses: controls
A control (a security measure — EDR, MFA, backups) reduces the factor it targets by a percentage you specify. Preventative controls reduce how often losses happen; mitigating controls reduce how much they cost. The tool shows the before-and-after so you can see — and cost-justify — each control's effect.
What the tool is careful about
- It shows its uncertainty. Simulation results are themselves estimates; the tool puts confidence intervals on the numbers and tells you when a tail figure needs more iterations to settle.
- It defaults to independence, and says so. Unless you tell it otherwise, it assumes your frequency and severity estimates don't move together. Real "bad years" often see both rise at once — an opt-in setting models that.
- It's honest about the tail. Because rare large events dominate cyber loss, the tool leads with tail figures (p95, p99, worst-5%-average) rather than the simple average, which understates the risk that matters.
Want the technical depth?
The full methodology — the FAIR-math fidelity claim, the exact formulas, and the validation evidence — lives in the DecipherRisk CRQ Modeling Methodology and Model Card pages. Ask your DecipherRisk contact for access.