A practitioner checklist for preparing a credible Cyber Risk Quantification submission for board review — covering FAIR model configuration, Monte Carlo simulation settings, ALE scenario construction, risk appetite alignment, and board-ready visualisations.
Pre-Submission Data Requirements
A credible CRQ board submission starts with high-quality input data. Garbage-in, garbage-out applies acutely to probabilistic risk models — boards are increasingly sophisticated at spotting unsupported numbers.
Asset inventory with criticality ratings and business value estimates confirmed for all in-scope systems
Threat intelligence feeds ingested for the past 12 months: sector-specific incidents, CVE exploitation rates, threat actor profiles
Historical loss data compiled: past incidents (internal), industry benchmarks (external), cyber insurance loss data if available
Control effectiveness ratings obtained from most recent VAPT, pen-test, or control assessment
Business impact parameters validated with business unit owners: revenue-at-risk, operational downtime cost per hour, regulatory fine exposure
Cyber insurance policy details documented: coverage limits, sub-limits, exclusions, retentions, and coverage gaps
Data classification inventory available for estimating data breach scope and notification cost
Data Quality Gate
Before running any Monte Carlo simulation, validate that loss magnitude ranges are grounded in at least one of: historical internal incidents, published industry loss data, or actuary-derived ranges. Purely assumption-based ranges will not survive board scrutiny.
FAIR Model Configuration
The Factor Analysis of Information Risk (FAIR) ontology provides the quantitative backbone. Correct model configuration is essential for defensible output.
Risk scenarios defined with clear threat community, asset, and effect combinations (e.g., ransomware actor targeting core banking system causing operational downtime)
Threat Event Frequency (TEF) ranges set using contact frequency and probability of action, not arbitrary percentages
Vulnerability (V) estimated from control strength vs. threat capability — not from CVSS scores alone
Loss Event Frequency (LEF) derived correctly as TEF multiplied by V — model reviewed for arithmetic accuracy
Primary Loss Magnitude (PLM) components identified: productivity loss, response cost, replacement cost, competitive advantage loss
Secondary Loss Magnitude (SLM) components identified: regulatory fines, legal liability, reputational damage, notification costs
FAIR ontology hierarchy validated — no conflation of frequency and magnitude components
Model reviewed by a second qualified analyst or CRQ tool before board submission
Monte Carlo Simulation Settings
Monte Carlo simulation converts FAIR probability distributions into actionable ALE estimates. Simulation parameters directly affect output reliability.
| Parameter | Recommended Setting | Rationale |
|---|---|---|
| Simulation Iterations | 100,000 minimum | Sufficient convergence for stable percentiles |
| Distribution Type | PERT or Log-normal | Captures skewed loss distributions |
| Confidence Intervals | 10th / 50th / 90th | Shows range without false precision |
| Correlation Modelling | Address if scenarios share infrastructure | Avoids underestimating aggregate exposure |
Minimum 100,000 simulation iterations confirmed — results stable across multiple runs
PERT or log-normal distributions used for loss magnitude, not uniform distributions
Output reported at 10th, 50th, and 90th percentiles — single-point estimates avoided
Scenario correlations assessed: scenarios sharing the same infrastructure or threat actor correlated in the model
Sensitivity analysis run to identify which input variables drive the most output variance
Simulation reproducibility confirmed: seed values documented for audit trail
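The FAIR configuration and Monte Carlo items above fit together in a short simulation. The following is an added example written for this checklist, not code from CreativeCyber or from any CRQ tool: it samples TEF, Vulnerability and the primary and secondary loss magnitudes from PERT ranges, derives LEF as TEF multiplied by V, draws the number of loss events per simulated year from a Poisson with that rate, and reports the 10th, 50th and 90th percentiles plus the mean (the ALE) from a documented seed. The scenario ranges, the names `FairScenario`, `simulate_annual_loss` and `convergence_check`, and the use of PERT rather than log-normal for the magnitudes are all assumptions made for the illustration.

```python
import math
import random
from dataclasses import dataclass

# Shape parameter of the modified PERT distribution (4 is the conventional value).
PERT_LAMBDA = 4.0


def pert_sample(rng, low, mode, high):
    """Draw one value from PERT(low, mode, high): a Beta distribution rescaled to [low, high]."""
    if not low <= mode <= high:
        raise ValueError("PERT requires low <= mode <= high")
    if high == low:
        return float(low)
    span = high - low
    alpha = 1.0 + PERT_LAMBDA * (mode - low) / span
    beta = 1.0 + PERT_LAMBDA * (high - mode) / span
    return low + span * rng.betavariate(alpha, beta)


def poisson_sample(rng, rate):
    """Number of loss events in one year for an annual rate (Knuth's method, fine for small rates)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


@dataclass
class FairScenario:
    name: str
    tef: tuple             # Threat Event Frequency per year, PERT (low, mode, high)
    vulnerability: tuple   # probability a threat event becomes a loss event, PERT (low, mode, high)
    primary_loss: tuple    # Primary Loss Magnitude per loss event in INR, PERT (low, mode, high)
    secondary_loss: tuple  # Secondary Loss Magnitude per loss event in INR, PERT (low, mode, high)


def simulate_annual_loss(scenario, iterations=100_000, seed=20240101):
    """Monte Carlo over the FAIR ontology; returns the percentiles a board slide needs.

    Each iteration is one simulated year: draw TEF and V, form LEF = TEF * V, draw the
    number of loss events from a Poisson with that rate, then draw PLM + SLM for each event.
    """
    rng = random.Random(seed)  # documented seed so the run can be reproduced for audit
    annual_losses = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario.tef)
        v = pert_sample(rng, *scenario.vulnerability)
        lef = tef * v
        year_loss = 0.0
        for _ in range(poisson_sample(rng, lef)):
            year_loss += pert_sample(rng, *scenario.primary_loss)
            year_loss += pert_sample(rng, *scenario.secondary_loss)
        annual_losses.append(year_loss)
    annual_losses.sort()
    n = len(annual_losses)

    def pct(q):
        return annual_losses[round(q * (n - 1))]

    return {
        "scenario": scenario.name,
        "iterations": n,
        "seed": seed,
        "ale_mean": sum(annual_losses) / n,
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "prob_no_loss": sum(1 for x in annual_losses if x == 0) / n,
    }


def convergence_check(scenario, iterations=100_000, seeds=(1, 2), tolerance=0.05):
    """Re-run with different seeds; if the p90 moves more than `tolerance`, iterations are too few."""
    p90s = [simulate_annual_loss(scenario, iterations, seed)["p90"] for seed in seeds]
    spread = (max(p90s) - min(p90s)) / max(p90s) if max(p90s) > 0 else 0.0
    return spread <= tolerance, spread


# Constructed illustrative ranges in INR, not real loss data: ransomware against a core system.
RANSOMWARE_CORE_OPS = FairScenario(
    name="Ransomware - Core Operations",
    tef=(0.5, 2.0, 6.0),               # 0.5 to 6 threat events a year, most likely 2
    vulnerability=(0.05, 0.15, 0.40),  # controls stop most attempts
    primary_loss=(2e6, 1.5e7, 8e7),    # downtime, response and recovery cost per event
    secondary_loss=(0.0, 5e6, 4e7),    # regulatory, legal and notification cost per event
)

if __name__ == "__main__":
    for key, value in simulate_annual_loss(RANSOMWARE_CORE_OPS).items():
        print(key, value)
    print("stable across seeds:", convergence_check(RANSOMWARE_CORE_OPS))
```

Reporting `p10`, `p50` and `p90` together with `prob_no_loss` is what keeps the slide honest: a scenario with a high mean but a large probability of no loss in a given year reads very differently from one that loses a moderate amount every year. Correlation between scenarios that share infrastructure is not modelled here; sampling a shared TEF or V for those scenarios in one iteration is the simplest way to add it.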
ALE Scenario Construction
Annual Loss Expectancy (ALE) scenarios must be structured to be meaningful to board members who are not cyber specialists. Each scenario should tell a complete business story.
Ransomware — Core Operations: Scenario narrative, affected systems, estimated downtime range, ALE range (10th/50th/90th), current control posture, residual risk after controls
Data Breach — Customer PII: Records at risk, notification cost model, regulatory fine estimate, reputational impact range, ALE output
Third-Party / Supply Chain Failure: Critical vendor dependencies identified, failure scenario, cascading impact quantified, ALE range
Insider Threat — Financial Fraud: Access abuse scenario, detection gap analysis, direct financial loss range, ALE output
Each scenario explicitly links to a named regulatory obligation (DPDP, IRDAI ICF, RBI, SEBI CSCRF as applicable)
Scenarios ranked by ALE 90th percentile for board prioritisation clarity
Year-over-year ALE comparison included where prior year data exists
Risk Appetite Alignment
CRQ output only drives board decisions when mapped against an explicitly stated risk appetite. Without this mapping, the board cannot assess whether current exposure is acceptable.
Board-approved cyber risk appetite statement confirmed as current (not more than 12 months old)
Risk appetite expressed in financial terms (e.g., maximum acceptable ALE of INR X crore) for direct comparison with CRQ output
Each scenario ALE 90th percentile compared against risk appetite threshold — RED/AMBER/GREEN status assigned
Scenarios exceeding risk appetite threshold have a proposed treatment plan (additional controls, risk transfer, risk acceptance) ready for board decision
Risk tolerance bands documented: scenarios within tolerance noted as managed, not ignored
Risk acceptance rationale documented for any scenario where treatment cost exceeds expected loss reduction
Cyber insurance coverage mapped against each scenario: what is covered, what is not, and the gap in financial terms
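The appetite comparison, RAG assignment, ranking and insurance-gap items above can be reduced to one small assessment routine. This is an added example written for this checklist, not CreativeCyber's or any tool's code. It assumes the scenario outputs are already available as 90th-percentile ALE figures, treats that p90 figure as the exposure for the insurance waterfall (a simplification: real policies respond per loss event, not per annual expectation), and uses an assumed 20% tolerance band below the appetite for AMBER. The names `InsurancePolicy`, `assess_scenarios` and `rag_status`, and all figures, are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class InsurancePolicy:
    retention: float                                 # INR the insured bears before cover attaches
    limit: float                                     # INR aggregate policy limit
    sub_limits: dict = field(default_factory=dict)   # per-peril caps, e.g. {"ransomware": ...}


def insured_amount(policy, exposure, peril):
    """INR the policy would pay against an exposure of this size for the given peril."""
    above_retention = max(0.0, exposure - policy.retention)
    cap = min(policy.limit, policy.sub_limits.get(peril, policy.limit))
    return min(above_retention, cap)


def rag_status(p90_ale, appetite, tolerance_fraction=0.20):
    """RED above appetite, AMBER inside the tolerance band just below it, GREEN otherwise.

    The 20% band is an assumed width; substitute the board's documented tolerance bands.
    """
    if p90_ale > appetite:
        return "RED"
    if p90_ale > appetite * (1.0 - tolerance_fraction):
        return "AMBER"
    return "GREEN"


def assess_scenarios(scenarios, appetite, policy):
    """Rank scenarios by p90 ALE, assign RAG status and quantify the insurance gap for each.

    `scenarios` maps scenario name -> {"p90": INR annual loss at the 90th percentile, "peril": str}.
    """
    rows = []
    for name, data in scenarios.items():
        exposure = data["p90"]
        covered = insured_amount(policy, exposure, data["peril"])
        rows.append({
            "scenario": name,
            "p90_ale": exposure,
            "status": rag_status(exposure, appetite),
            "insured": covered,
            "uninsured": exposure - covered,
            "needs_treatment_plan": exposure > appetite,  # board must decide: control, transfer or accept
        })
    rows.sort(key=lambda r: r["p90_ale"], reverse=True)
    return rows


# Constructed illustrative figures in INR (1 crore = 1e7), not real CRQ output or policy terms.
CRORE = 1e7
BOARD_APPETITE = 25 * CRORE
POLICY = InsurancePolicy(retention=1 * CRORE, limit=50 * CRORE, sub_limits={"ransomware": 10 * CRORE})
SCENARIO_P90 = {
    "Ransomware - Core Operations": {"p90": 40 * CRORE, "peril": "ransomware"},
    "Data Breach - Customer PII": {"p90": 22 * CRORE, "peril": "privacy"},
    "Third-Party / Supply Chain Failure": {"p90": 12 * CRORE, "peril": "supply_chain"},
    "Insider Threat - Financial Fraud": {"p90": 0.5 * CRORE, "peril": "crime"},
}

if __name__ == "__main__":
    for row in assess_scenarios(SCENARIO_P90, BOARD_APPETITE, POLICY):
        print(f"{row['status']:<6} {row['scenario']:<36} p90 ALE {row['p90_ale'] / CRORE:5.1f} cr  "
              f"insured {row['insured'] / CRORE:4.1f} cr  uninsured {row['uninsured'] / CRORE:5.1f} cr")
```

The ransomware row is the one worth noticing: a 50 crore policy limit looks comfortable until the 10 crore ransomware sub-limit is applied, at which point 30 crore of the 40 crore p90 exposure is uninsured and the scenario is RED against appetite. That is exactly the gap the checklist asks to be stated in financial terms.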
Board-Ready Visualisations
Board members process financial information visually. The presentation layer of the CRQ submission is as important as the model accuracy underneath it.
Loss Exceedance Curve: X-axis = loss magnitude (INR), Y-axis = probability of exceedance — one curve per major scenario
Risk Heat Map: Scenarios plotted on frequency vs. magnitude grid, colour-coded against risk appetite threshold
ALE Bar Chart: Side-by-side ALE 50th percentile bars for each scenario, sorted highest to lowest, with risk appetite line overlaid
Control Investment vs. Risk Reduction: Chart showing ALE reduction per rupee of proposed control investment (ROI of risk reduction)
Insurance Gap Waterfall: Total loss exposure, insurance coverage, and residual uninsured exposure shown in waterfall chart
All charts labelled in plain language — no unexplained acronyms on board-facing slides
Executive narrative (2 pages maximum) accompanies all charts with recommended board decisions highlighted
Supporting methodology appendix available for board members or auditors who want to review assumptions
RiskSage AI Capability
RiskSage AI by CreativeCyber automates CRQ model construction, FAIR ontology validation, Monte Carlo simulation, and board-ready report generation — reducing CRQ board submission preparation time from weeks to hours.