RiskLens is great because it allows you to do cyber risk quantification in dollars-and-cents terms.

To make things better, the workflow is easy:

- Scope the risk scenario
- Identify the asset(s) at risk, threat community, threat effect(s) and loss
- Answer the questions generated by the RiskLens application
- Click the “Run Analysis” button

The RiskLens computational engine uses Monte Carlo simulation to calculate the annualized loss exposure (ALE), in financial terms, of the modeled risk scenarios. And, voilà - you have reports like the one below, that CEOs and boards are used to seeing in other risk domains:

Really, it’s a beautiful report – in terms of the mathematics – and the important numbers are listed for you. But you might not have a math degree and it’s been a while since your last statistics course… so what are all the numbers that are listed in the chart again?

## Monte Carlo Simulation Numbers Explained

Let’s set the stage for the report above: RiskLens ran 10,000 simulations of a risk scenario.

The **minimum** is the __one__ simulation which resulted in the lowest ALE - $31.3M(illion).

The **maximum** is just the opposite of the minimum: it is the __one__ simulation which resulted in the highest ALE - $1.3B(illion).

The **average** is the sum of the 10,000 ALEs divided by 10,000, giving us $228.5M.

Here's where we get to the fun stats numbers!

The **10th percentile** is the ALE where 10% of the simulations run are less than or equal to that value. In our example above, that is $112.9M. Out of the 10,000 simulations run, 1,000 of the ALE values were less than $112.9M. Why 1,000? Well… 1,000/10,000 = 0.1 or 10%.

The **90th percentile** is just the one ALE where 90% of the simulations run are less than or equal to that value. In our example above that is $405.3M. Another way to think about this is that 10% of the simulations run are greater than or equal to $405.3M – which means that, out of the 10,000 simulations run, 1,000 ALEs are reported to be larger than $405.3M (on the right side of the 90th percentile line on the chart).

## How to Use the Risk Simulation Chart

Great - now we understand technically what the numbers are but how can decision-makers use the report?

Say your company has defined a risk appetite (RA) - which is $130.0M. You can compare your RA to where it falls on the bell curve. For instance:

- **Compare RA to the average**. The average number can *sometimes* be helpful but it doesn’t always give us the full story. Let's pretend that we had many more simulations which resulted in a higher ALE (closer to $1.0B). That would mean the average would be much higher than $228.5M. Now back to the report presented above, our RA is $98.5K smaller than the average.
- **See how RA falls between the 10th and the 90th percentiles** (where 80% of the simulations fell). The RA falls closer to the 10th percentile in this case. A more risk-tolerant company may be comfortable with that. But if a company is more risk averse, it may choose to manage against the 80th to 90th percentiles - meaning that the RA would need to be much higher for the example above - between $380.0M and $405.3M.

Either way, you gave executives some solid numbers to make a decision (and possibly gave yourself justification to ask for more budget to reduce risk).
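
The report numbers explained above can be computed from any list of simulated ALE values. The Python sketch below is an added example, not RiskLens code and not its engine: it assumes a simple model (Poisson loss-event counts, lognormal per-event losses) with constructed parameters `lam`, `mu` and `sigma`, and it takes the $130.0M risk appetite from the text.

```python
import math
import random

def poisson(rng, lam):
    """Knuth's method: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_ale(runs=10_000, seed=7, lam=3.0, mu=17.0, sigma=1.0):
    """One ALE per simulated year: sum of lognormal losses over Poisson events.
    lam, mu and sigma are constructed inputs, not values from the report."""
    rng = random.Random(seed)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
            for _ in range(runs)]

def percentile(sorted_vals, pct):
    """Nearest-rank: the value with pct% of runs less than or equal to it."""
    rank = (pct * len(sorted_vals) + 99) // 100   # integer ceiling
    return sorted_vals[max(rank, 1) - 1]

def summarize(ales, risk_appetite):
    """Report figures plus the share of runs that exceed the risk appetite."""
    s = sorted(ales)
    return {
        "min": s[0],                       # the one lowest simulated ALE
        "max": s[-1],                      # the one highest simulated ALE
        "average": sum(s) / len(s),
        "p10": percentile(s, 10),
        "p90": percentile(s, 90),
        "share_over_ra": sum(1 for v in s if v > risk_appetite) / len(s),
    }

if __name__ == "__main__":
    report = summarize(simulate_ale(), risk_appetite=130_000_000)
    for name, value in report.items():
        print(f"{name:>14}: {value:,.2f}")
```

The `share_over_ra` figure answers the decision-maker's question directly: in what fraction of simulated years does the loss exceed the stated risk appetite.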