Writing

Inside FORLAS CRQ: a tour of quantified cyber risk

I've written about why "high, medium, low" fails a board. This is the other half of the story: what it looks like to do it properly. Here is a walk through FORLAS CRQ, using its built-in demo scenarios, so you can see the depth for yourself. Every figure below comes from the tool as it ships, running entirely offline on a laptop.

Every scenario, simulated 100,000 times

A single risk scenario in FORLAS is not one number. It is a full probability distribution, built by running the FAIR model a hundred thousand times and recording the annual loss each time. Instead of a point estimate that pretends to a precision it doesn't have, you get the whole shape of the outcome.

The result is expressed the way finance already thinks. An average annual loss, yes, but also the percentiles that actually matter for decisions: the P90, the P95, the P99, and the tail mean beyond the 95th percentile, which is the number that answers "when it goes badly, how badly". You read the loss distribution and the loss exceedance curve side by side, and every reference line, P50, P95, your tolerance, an insurance retention or limit, a capital reserve, can be laid over both charts at once.

FORLAS CRQ scenario analysis: percentile tiles showing mean A$1.3M, P95 A$7.1M and P99 A$18.1M, a loss distribution histogram and loss exceedance curve from 100,000 iterations, a sensitivity chart, and tolerance metrics
One scenario, simulated 100,000 times: the loss distribution and exceedance curve, the inputs driving the result, and how it sits against tolerance. Click to enlarge.

Know what is actually driving the loss

This is the part most people don't expect from a free tool. FORLAS runs a sensitivity analysis on every scenario, ranking the FAIR inputs by how much they drive the total loss. In the scenario above, Primary Loss Magnitude correlates with the outcome at 0.99 and Secondary Loss at 0.80, while Threat Event Frequency and Vulnerability barely move the needle.

That ranking is a to-do list. It tells you where a better estimate would actually change the answer, and it tells your stakeholders which assumption to argue about. If the whole result hinges on primary loss magnitude, then that is the number to defend, and the debate about threat frequency is a distraction. Directing effort to the inputs that matter is the difference between analysis and theatre.

Measure against your risk tolerance

A loss number in isolation doesn't tell you whether to act. FORLAS measures each scenario against the tolerance you set and turns it into plain language: the probability of exceeding tolerance, how much of your tolerance the mean loss consumes, the headroom left in dollars, a confidence interval on the mean, and how often the simulation produced no loss at all. In the example, there is a 12.4% chance of breaching a A$3M tolerance, mean utilisation sits at 43%, and the scenario earns a "within tolerance" badge.

This is the language that turns a model into a decision. Not "the risk is amber", but "there is a one in eight chance we exceed the line we drew, and we have A$1.7M of headroom before we do".

Roll it up to a portfolio

Individual scenarios are useful. A portfolio view is what a CISO actually presents. FORLAS aggregates every scenario into a single annual loss picture for the whole organisation, correctly combining the distributions rather than naively adding worst cases, and ranks each scenario by its contribution.

At a glance you see the portfolio's expected annual loss, its tail, and the handful of scenarios responsible for most of it. In the demo portfolio, a A$16.1M expected annual loss resolves into a clear pecking order: ransomware on the production ERP and a web application breach together account for nearly three quarters of it. That is a budget conversation with an obvious first move. You can set a risk appetite line and read the portfolio loss exceedance curve straight off, then capture the whole board-ready snapshot in a click.

FORLAS CRQ portfolio dashboard: A$16.1M portfolio ALE with P95 A$42.8M and tail mean A$70.6M, a top loss drivers table ranking six scenarios by contribution, and a portfolio loss exceedance curve
The portfolio view: six scenarios aggregated into one annual loss picture, ranked by contribution, with a portfolio exceedance curve. Click to enlarge.

Make it yours

FORLAS ships with a light and a dark theme, and every card on the dashboard and in the workspace can be dragged into the order that suits how you work, then saved. Small thing, but it means the view you present is the view you chose, not a layout someone else decided was best for you.

FORLAS CRQ portfolio dashboard in dark theme, showing the same aggregated metrics and top drivers with cards arranged in a custom order
Dark theme, and every card draggable into the order you want. Click to enlarge.

Show your working

A number no one can defend is worse than no number at all. Alongside every scenario, FORLAS keeps an Analysis and Evidence record: the narrative and confidence behind the estimate, the data you relied on, the assumptions you made, the gaps you know about, and a short rationale for each individual FAIR input. When someone asks where a number came from, the answer sits right beside it, and it is captured in the audit log.

FORLAS CRQ Analysis and Evidence screen: fields for an analysis narrative, overall confidence, data relied upon, assumptions, gaps and limitations, and a per-input rationale panel for each FAIR factor
Analysis and Evidence: the reasoning captured beside every number, down to a rationale for each FAIR input. Click to enlarge.

And it runs on your machine

Everything above happens locally. FORLAS CRQ is one desktop application with one database file that you own. No cloud, no accounts, no SaaS, no telemetry, no external services. The most sensitive risk analysis your organisation holds never leaves the building, because there is nowhere for it to go.

The established platforms that do this kind of work start in the five figures a year. FORLAS is free, open source, and in open beta: github.com/RiskByDesign/forlas-crq. Download it, point it at your own scenarios, and see what your risk looks like in numbers. If you do, I'd genuinely like to hear how you get on; the contact links are on the home page.