The Four CRQ Models

RiskSage's CRQ engine supports four quantification methodologies. Each model accepts different inputs and produces different output structures, but all share the same API pattern.

| Model | Enum Value | Output | Best For |
|---|---|---|---|
| FAIR v3.0 | FAIR_V3 | Loss Exceedance Curve (LEC) + 6 loss forms | Board-level risk communication, insurance underwriting |
| FAIR-MAM | FAIR_MAM | Multi-Asset Model with correlated loss distributions | Portfolio-level risk across multiple assets |
| NIST SP 800-30 / ALE | NIST_ALE | Annualised Loss Expectancy (SLE × ARO) | Compliance-driven risk registers, RBI IT framework |
| Probabilistic VaR | PROB_VAR | Value at Risk at 95th and 99th percentile | CFO/treasury risk reporting, cyber insurance pricing |

Input Conventions

All monetary inputs use Indian conventions. The API enforces strict validation on these fields.

| Input | Unit | Range | Example |
|---|---|---|---|
| Asset Value | INR crore (₹ Cr) | 0.01 – 99999 | 150.00 = ₹150 crore |
| Threat Event Frequency (TEF) | events / year | 0.001 – 365 | 2.5 = 2.5 events per year |
| Vulnerability Level | probability (0–1) | 0.01 – 0.99 | 0.65 = 65% probability of exploit |
| Response Cost | INR lakh (₹ L) | 0.01 – 99999 | 45.00 = ₹45 lakh |
| Loss Magnitude (min/max/mode) | INR crore (₹ Cr) | 0.01 – 99999 | PERT distribution inputs |
| Confidence Level (VaR) | percentile | 0.90 – 0.999 | 0.95 = 95th percentile |

Currency Convention: Asset Value is always in crore (₹ Cr) and Response Cost is always in lakh (₹ L). Do not convert to absolute INR values. The API will reject values outside the defined ranges with a 422 VALIDATION_ERROR.
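
A client-side pre-flight check for the ranges and units above, so out-of-range or wrongly scaled values are caught before the API returns a 422. This is an added example, not RiskSage code; the function names, the inclusive bounds and the min <= mode <= max ordering check are assumptions.

```python
# Ranges copied from the Input Conventions table; inclusive bounds are an assumption.
RANGES = {
    "assetValue": (0.01, 99999),         # INR crore
    "tef": (0.001, 365),                 # events / year
    "vulnerabilityLevel": (0.01, 0.99),  # probability
    "responseCost": (0.01, 99999),       # INR lakh
}
LOSS_RANGE = (0.01, 99999)               # INR crore, each PERT point


def is_number(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_range(name, value, lo, hi, errors):
    if not is_number(value):
        errors.append(f"{name}: missing or not a number")
    elif not lo <= value <= hi:
        errors.append(f"{name}: {value} is outside {lo} to {hi}")


def validate_fair_inputs(inputs):
    """Return a list of problems; an empty list means every field is in range."""
    errors = []
    for field, (lo, hi) in RANGES.items():
        check_range(field, inputs.get(field), lo, hi, errors)
    loss = inputs.get("lossMagnitude") or {}
    for point in ("min", "mode", "max"):
        check_range(f"lossMagnitude.{point}", loss.get(point), *LOSS_RANGE, errors)
    # A PERT distribution needs min <= mode <= max (assumed to be enforced by the
    # API; the page itself only lists the numeric range).
    if not errors and not loss["min"] <= loss["mode"] <= loss["max"]:
        errors.append("lossMagnitude: expected min <= mode <= max")
    return errors


def inr_to_api_units(asset_value_inr, response_cost_inr):
    """Absolute rupees -> (crore, lakh): 1 crore = 10**7 INR, 1 lakh = 10**5 INR."""
    return asset_value_inr / 10**7, response_cost_inr / 10**5


# Sample values taken from the FAIR_V3 request example on this page.
PAGE_INPUTS = {
    "assetValue": 150.00, "tef": 2.5, "vulnerabilityLevel": 0.65,
    "responseCost": 45.00,
    "lossMagnitude": {"min": 2.00, "mode": 8.50, "max": 35.00},
}
```

Passing an absolute rupee amount such as 1500000000 for assetValue is flagged by the range check; `inr_to_api_units` gives the crore and lakh figures the API expects.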

Creating a CRQ Analysis

Use the POST /crq/analyses endpoint to create a new risk quantification analysis. The request body varies by model type.

POST /crq/analyses
Authorization: Bearer <token>
X-Tenant-Id: acme-bank
Content-Type: application/json

{
  "useCaseId":     "uc_ransomware_core_banking",
  "model":          "FAIR_V3",
  "inputs": {
    "assetValue":            150.00,         // ₹ 150 crore
    "tef":                   2.5,            // 2.5 events/year
    "vulnerabilityLevel":    0.65,           // 65% exploit probability
    "responseCost":          45.00,          // ₹ 45 lakh
    "lossMagnitude": {
      "min":  2.00,                         // ₹ 2 crore minimum loss
      "mode": 8.50,                         // ₹ 8.5 crore most likely
      "max":  35.00                          // ₹ 35 crore maximum loss
    },
    "simulationRuns":        10000           // Monte Carlo iterations
  }
}

The response contains the computed loss exceedance curve and summary statistics:

// Response 201
{
  "analysisId":   "crq_a1b2c3d4",
  "model":        "FAIR_V3",
  "status":       "COMPLETED",
  "results": {
    "aleMean":        13.72,         // ₹ 13.72 crore annualised
    "aleMedian":      11.40,
    "ale95th":        28.60,
    "ale99th":        33.15,
    "lossExceedance": [/* percentile-loss pairs */],
    "lossForms":      {/* 6 FAIR loss forms — see below */}
  }
}
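
To show how summary statistics and a loss exceedance curve come out of a Monte Carlo run, here is a generic FAIR-style simulation using the TEF, vulnerability and PERT loss-magnitude inputs from the request above. It is an added sketch, not RiskSage's engine, and it will not reproduce the response figures shown; the Poisson event model, the PERT shape value of 4 and all function names are assumptions.

```python
import math
import random

# Inputs from the FAIR_V3 request on this page (assetValue and responseCost are
# not used by this simplified sketch).
INPUTS = {"tef": 2.5, "vulnerabilityLevel": 0.65, "simulationRuns": 10000,
          "lossMagnitude": {"min": 2.00, "mode": 8.50, "max": 35.00}}


def sample_pert(rng, lo, mode, hi, shape=4.0):
    """One draw from a PERT distribution, expressed as a scaled Beta."""
    alpha = 1 + shape * (mode - lo) / (hi - lo)
    beta = 1 + shape * (hi - mode) / (hi - lo)
    return lo + rng.betavariate(alpha, beta) * (hi - lo)


def sample_poisson(rng, rate):
    """Knuth's method; adequate for the small annual event rates used here."""
    limit, count, product = math.exp(-rate), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(inputs, seed=1):
    """Sorted list of simulated annual losses in INR crore, one per run."""
    rng = random.Random(seed)
    lm = inputs["lossMagnitude"]
    # Loss event frequency = threat event frequency x probability of success.
    lef = inputs["tef"] * inputs["vulnerabilityLevel"]
    losses = []
    for _ in range(inputs["simulationRuns"]):
        events = sample_poisson(rng, lef)
        losses.append(sum(sample_pert(rng, lm["min"], lm["mode"], lm["max"])
                          for _ in range(events)))
    return sorted(losses)


def percentile(sorted_losses, p):
    """Nearest-rank percentile, e.g. p=0.95 for the 95th."""
    return sorted_losses[min(len(sorted_losses) - 1, int(p * len(sorted_losses)))]


def exceedance_curve(sorted_losses, thresholds):
    """(threshold, P(annual loss > threshold)) pairs: points on the LEC."""
    n = len(sorted_losses)
    return [(t, sum(x > t for x in sorted_losses) / n) for t in thresholds]
```

The mean of the returned list plays the role of aleMean, `percentile(losses, 0.95)` of ale95th, and `exceedance_curve` yields the kind of percentile-loss pairs a lossExceedance array carries.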

The 6 FAIR Loss Forms

FAIR v3.0 decomposes loss into six distinct forms. RiskSage computes each form independently within the Monte Carlo simulation.

| # | Loss Form | Field | Description |
|---|---|---|---|
| 1 | Productivity Loss | productivityLoss | Revenue loss from operational disruption (downtime × throughput) |
| 2 | Response Cost | responseCost | Incident response, forensics, legal, crisis communications |
| 3 | Replacement Cost | replacementCost | Cost to rebuild/replace compromised assets and data |
| 4 | Competitive Advantage Loss | competitiveAdvantageLoss | IP theft, trade secret exposure, market position erosion |
| 5 | Fines & Judgements | finesAndJudgements | Regulatory penalties (RBI, IRDAI, SEBI, DPDP Act), litigation |
| 6 | Reputation Damage | reputationDamage | Customer churn, brand value erosion, stock impact |

// lossForms object in response
"lossForms": {
  "productivityLoss":          { "mean": 3.20, "p95": 6.80 },
  "responseCost":              { "mean": 0.45, "p95": 0.92 },
  "replacementCost":           { "mean": 1.80, "p95": 4.10 },
  "competitiveAdvantageLoss":  { "mean": 2.50, "p95": 5.40 },
  "finesAndJudgements":        { "mean": 4.20, "p95": 8.50 },
  "reputationDamage":          { "mean": 1.57, "p95": 3.88 }
}

AI-Assisted Threat Intelligence Inputs

Estimating TEF, vulnerability level, and loss magnitude is the hardest part of CRQ. RiskSage provides an AI endpoint that suggests calibrated inputs based on your use case context, threat landscape data, and Indian BFSI sector benchmarks.

GET /crq/use-cases/:id/suggest-inputs
Authorization: Bearer <token>
X-Tenant-Id: acme-bank

// Response 200
{
  "useCaseId":    "uc_ransomware_core_banking",
  "suggestions": {
    "tef":                  { "low": 0.5, "mid": 2.5, "high": 8.0 },
    "vulnerabilityLevel":   { "low": 0.30, "mid": 0.65, "high": 0.85 },
    "lossMagnitude": {
      "min":  { "low": 0.50, "mid": 2.00, "high": 5.00 },
      "mode": { "low": 3.00, "mid": 8.50, "high": 18.00 },
      "max":  { "low": 10.00, "mid": 35.00, "high": 75.00 }
    }
  },
  "sources": [
    "CERT-In Annual Report 2025",
    "RBI Cyber Threat Landscape — Indian Banking Sector Q1 2026",
    "Verizon DBIR 2025 — Financial Services"
  ],
  "confidence":   "MEDIUM"
}

AI Suggestions Are Starting Points: The suggested inputs are calibrated from sector threat data and should be reviewed by a risk analyst before submission. Each suggestion provides low/mid/high ranges to support expert calibration. The sources field lists the data sources used for the suggestion.

NIST SP 800-30 / ALE Model

For compliance-oriented risk registers, the NIST ALE model provides a simpler deterministic calculation:

POST /crq/analyses
Content-Type: application/json

{
  "useCaseId": "uc_data_breach_customer_pii",
  "model":     "NIST_ALE",
  "inputs": {
    "singleLossExpectancy":  12.00,     // ₹ 12 crore per event
    "annualisedRateOfOccurrence": 1.5 // 1.5 events/year
  }
}

// Response: ALE = SLE x ARO = 12.00 x 1.5 = ₹ 18.00 crore