CYBER RISK CALCULATOR

How much risk do you have in Réais?

Estimate your annual expected loss (ALE), VaR P90, and exposure to LGPD fine with the FAIR methodology, calibrated by the IBM Cost of a Data Breach 2025 (Brazil). Each result comes compared to your sector's benchmark. No email gate, no registration.

Annualized loss expectancy (ALE)

R$ 0

How much, on average annually, we expect it to cost — combining probability × impact.

12-month probability

0%

Single loss expectancy (SLE)

R$ 0

Industry benchmark — IBM 2025

R$ 0

P90 VaR

R$ 0

P99 VaR

R$ 0

LGPD fine exposure

R$ 0

2% of revenue (max R$ 50M), adjusted by probability and sector sensitivity.

Estimate based on the IBM Cost of a Data Breach 2025 (Brazil) — R$ 7.19 million average — and sector-specific multipliers derived from the same report. Methodology FAIR adapted. For CSURFACE platform customers, the methodology incorporates additional proprietary data — fine-tuning probability based on observed business context, critical processes identified, and assets effectively mapped by the platform.

METODODOLOGY

How We Calculate It

What Each Number Means

  • ALE — Annualized Loss Expectancy (Expected Annual Loss): the average value expected to be lost per year due to cyber incidents, combining the probability of an incident with its cost (probability × impact). It is the "average" of the loss distribution — and alone hides the atypical years.
  • SLE — Single Loss Expectancy: the estimated cost of a single material incident if it occurs. ALE, in essence, is SLE weighted by the probability of the incident happening in the year.
  • 12-Month Probability: the estimated chance of at least one material incident in the next 12 months, given by the sector baseline, security maturity, and scale of exposed assets.
  • VaR P90 — Value at Risk (Percentile 90): the level of loss that is exceeded on average once every ten years — the "bad year." Cyber loss is asymmetric; VaR shows the tail of rare and severe events that the average (ALE) does not reveal.
  • VaR P99 (Percentile 99): the level of loss exceeded on average once every hundred years — the catastrophic scenario. It is the worst-case reading to size reserves and insurance coverage.
  • LGPD Fine Exposure: the portion of risk related to administrative sanctions under LGPD — up to 2% of revenue, with a ceiling of R$50 million — adjusted by the probability of an incident and the sensitivity of sector data.
  • Sector Benchmark: the average cost of a data breach in your sector, published by IBM Cost of a Data Breach 2025 (Brazil). It serves as a market reference to situate your unique cost estimate.

How the Calculation is Done

  • Base Breach Cost: R$ 7.19 million (IBM Cost of a Data Breach Report 2025 — Brazil average).
  • Sector Multiplier: ratio between the sector's average cost and national average (IBM 2025 Brazil — Health R$ 11.43 million, Finance R$ 8.92 million, Services R$ 8.51 million). Sectors without a specific cut are estimated by IBM's sectoral ranking.
  • Sector Benchmark: the average breach cost published by IBM 2025 for your sector, displayed alongside your estimate.
  • Probability: sector baseline × maturity (basic/intermediate/advanced) × asset scale. Saturates at 95%.
  • SLE: adjusted by revenue (fractional powers avoid naive linearity).
  • VaR P90/P99: lognormal approximation (1.85× and 3.6× of ALE).
  • LGPD Fine: 2% of revenue (cap R$ 50M) × probability × sector sensitivity.

Calibration for Platform Customers

The public calculator applies the parameters described above — derived from sector baseline and IBM benchmarking. For CSURFACE platform customers, the methodology incorporates additional proprietary data collected by the operation: calibrated probability based on observed exposure, business context inferred by the agentic layer, critical processes identified in external surfaces, and actual assets mapped out. The number delivered to the customer's board is calculated per asset and process — not estimated by sector.

⚠️ This is an executive guidance calculator — does not replace formal quantitative risk analysis conducted by actuaries or specialized consultants.