Kuro Risk Calculator

🌐

FAIR Analysis

Factor Analysis of Information Risk (OpenFAIR™)

Scenario

Reference Template

Reference Data Loaded

Please adjust values based on your organization's industry, size, and existing security controls.

1. Beta-PERT Distribution

Min/Most Likely/Max inputs create a smooth probability curve (Lambda=4) to account for uncertainty.

2. Event-Driven Logic

Risk = Frequency × Magnitude. Uses Poisson Distribution for frequency modeling.

3. FAIR Formula

LEF = TEF × Vuln

LM = Prim + (Sec × Prob)

AAL = Σ(LEF × LM) / Runs

4. ROSI Calculation

Vuln' = Vuln × (1 - Eff%)

ROSI = (ΔRisk - Cost) / Cost

5. Monte Carlo Runs

1K: Quick preview 10K: Recommended 50K: Formal reports

Level 2 Driver

Loss Event Frequency

How often do bad things happen?

Threat Event Frequency (TEF)

Level 3

Frequency of threat attempts per year.

Simple Mode Advanced Mode

Min Most Likely Max

💡 Industry benchmarks: Ransomware 0.5-2/yr, Data Breach 1-5/yr, DDoS 2-10/yr

TEF = Contact Frequency × Probability of Action. This decomposition allows more precise modeling of threat behavior.

Contact Frequency (CF)

How often threat actors contact/interact with the asset per year.

Min Most Likely Max

Probability of Action (PoA) %

Probability that threat actor takes action upon contact (0-100%).

Min % Likely % Max %

Calculated TEF (CF × PoA) Auto-calculated

Min

0.5

Likely

5

Max

20

Vulnerability (Vuln)

Level 3

Probability (%) that threat overwhelms defense.

Simple Mode Advanced Mode

Min % Likely % Max %

💡 Industry benchmarks: Well-protected 10-30%, Average 30-60%, Weak defenses 60-90%

Vulnerability = Susceptibility × (1 - Control Effectiveness). Susceptibility is derived from Threat Capability vs Resistance Strength comparison.

Threat Capability (TC)

Threat actor's capability level on a 1-10 scale.

Min Most Likely Max

Resistance Strength (RS)

Organization's defense capability level on a 1-10 scale.

Min Most Likely Max

Calculated Vulnerability Auto-calculated

Min %

25

Likely %

60

Max %

85

Note: Control Effectiveness from Mitigating Controls section will be applied during simulation.

Level 2 Driver

Loss Magnitude

Select Currency: USD

Primary Loss

Level 3

Direct financial impact (Incident Response, Fines, etc).

Min (USD) Likely (USD) Max (USD)

💡 Industry benchmarks: SMB $50K-$500K, Enterprise $500K-$5M (IBM Cost of Data Breach 2024)

Simple Mode Category Breakdown

Secondary Loss Event Frequency (SLEF) %

Probability that secondary loss occurs GIVEN a primary loss event (0-100%).

Secondary Loss Magnitude (SLM)

Total secondary loss amount when it occurs.

Min (USD) Likely (USD) Max (USD)

Break down secondary losses by category. Each category has its own probability and magnitude. Total secondary loss = sum of (probability × magnitude) for each enabled category.

Reputation Loss (Brand damage, customer churn)

Probability %

Min (USD)

Likely (USD)

Max (USD)

Legal Loss (Lawsuits, settlements, legal fees)

Probability %

Min (USD)

Likely (USD)

Max (USD)

Regulatory Loss (Fines, penalties, compliance costs)

Probability %

Min (USD)

Likely (USD)

Max (USD)

Competitive Advantage Loss (IP theft, market share loss)

Probability %

Min (USD)

Likely (USD)

Max (USD)

Aggregated Secondary Loss Auto-calculated

Sum of (probability × magnitude) for each enabled category.

Min

$0

Likely

$0

Max

$0

Annual Control Cost

Annualized cost of the security control.

USD

Control Effectiveness (%)

How much vulnerability is reduced.

Note: ROSI = (Risk Reduction - Control Cost) / Control Cost. Control reduces Vulnerability by the specified percentage.

Monte Carlo simulation runs. More runs = more stable results. 1K for quick preview, 10K recommended, 50K for formal reports.

Simulation Runs:

Analyst Report

AAL (Mean Risk)

-

VaR (90%)

-

10% chance to lose more

Max Loss

-

Min Loss

-

AAL Std Error

-

-

VaR 90% Std Error

-

-

Status

-

Runs

-

-

Standard error indicates estimation precision. Lower is better. Results converge when relative error < 5%.

AAL (After Control)

-

Risk Reduction

-

Control Cost

-

ROSI

-

Return on Security Investment

Loss Exceedance Curve

Before Control After Control

📊 How to Read This Chart

• Red line = Risk distribution WITHOUT the control investment
• Green line = Risk distribution WITH the control investment
• The gap between lines = Potential loss avoided by investing

Sensitivity Analysis

Identify which parameters have the greatest impact on risk

Tornado Chart - Parameter Impact on AAL

-20% +20%

🎯 Key Risk Drivers

💡 Recommendations

Average Annual Loss

-

VaR (90%)

-

Quick Start Guide

1

Choose Scenario

Select a template (Ransomware, Data Breach, etc.) or create a custom scenario name.

Tip: Templates auto-fill industry reference values

2

Enter Threat Frequency (TEF)

Estimate how many threat events may occur per year.

Min: Best-case scenario
Most Likely: Based on experience
Max: Worst-case scenario

Tip: Not sure? Start with template values and adjust later

3

Enter Vulnerability

Probability of actual loss when a threat event occurs (0-100%).

Tip: Consider your existing security controls' effectiveness

4

Enter Loss Amounts

Estimate financial impact in your selected currency.

Primary Loss: Direct costs (recovery, downtime, ransom, etc.)
Secondary Loss: Indirect costs (reputation, legal, customer churn)

5

Run Simulation

Choose simulation iterations and click "Run Simulation".

1K: Quick preview (~1 sec)
10K: Recommended for most cases
50K+: For formal reports, more stable results

6

Interpret Results

Review the key metrics from your simulation.

AAL: Average Annual Loss - expected yearly loss
VaR 90%: 90% confidence the loss won't exceed this amount
Max Loss: Worst-case single loss in simulation

Tip: Download PDF report to share with stakeholders

Want to learn FAIR methodology? Expand "Methodology Guide" on the page.

Built by

CISSP CCSP CISA CISM CRISC CDPSE

Built with ❤️ by

OpenFAIR™ is a trademark of The Open Group.

This tool implements the Factor Analysis of Information Risk (FAIR™) methodology for educational and risk assessment purposes.

OpenFAIR™, O-RA (Open Risk Analysis), and O-RT (Open Risk Taxonomy) are trademarks of The Open Group. This tool is not affiliated with, endorsed by, or certified by The Open Group.

For official FAIR standards and certification, visit The Open Group OpenFAIR Certification.

This software is released under the MIT License. Source code available on GitHub.

Third-party libraries: Chart.js (MIT), jsPDF (MIT), html2canvas (MIT), Tailwind CSS (MIT).

關於 Kuro

Cyber & Cloud Security Architect | GRC Professional

Scuba Diver · AWS Community Builder · ISC2 TPE Director

深耕資訊安全領域多年，從學生時期熱衷參與資安社群活動，並經營部落格「Kuro 的資安學習手記」，分享個人學習與實務經驗。

曾於高科技製造業、金融業及四大會計師事務所任職，負責資安架構設計、雲端安全架構設計、GenAI 安全審查、產品安全設計審查、資安檢測、ISO 17025 實驗室維運、檢測實驗室報告簽署人、資安合規評估、資安稽核、資安成熟度與資安策略規劃等工作，具備甲乙雙方的多元視角與實戰經驗，在資安領域累積豐富的專案經歷。

此外，Kuro 多次擔任公開演講者及受邀擔任企業專業訓練講師，致力於業界推動資訊安全、雲端安全與人才培育，期望提升台灣資安從業者的專業能力。

Kuro 為 AWS Community Builder - Security 組的貢獻者，ISACA 2021年四張證照前 Top3，EC-Council CEH Master Leaderboard 第一名，並持有 CISSP、CCSP、AWS SAA、AWS AIF、GCP ACE、CISM、CISA、CGEIT、CDPSE、CRISC、CEH Master 等超過 40 張專業國際認證，經驗與資格橫跨資安技術、資安治理、資訊管理、資料保護、網路技術安全、駭客攻防、資安事故回應、產品安全、威脅情資、資安稽核、雲端安全、人工智慧安全等領域。

IT Governance, Risk and Compliance

CISSP CCSP CC CISA CISM CRISC CGEIT CDPSE ISO 27001 LA ISO 27001 IA ISO 9001 IA ACCISO ISO 17025

Security Analysis

CEH CEH Practical CEH Master ECSA CPSA TCSE iPAS

Cloud Computing & AI

AWS SAA AWS AIF AWS CCP GCP ACE AZ-900

Incident Handling

CTIA CSA ECIH

Network Security

CCNP Security NSPA

Network Infrastructure

CCNP Enterprise CCNA R&S VCP-NV

體適能健身C級 PADI Divemaster PADI Rescue SSI React Right IANTD Deep SDI Advanced ADS OpenWater ADS EAN

更多作者介紹 Contact