Financial exposure
Technical risk is converted into an estimate of expected loss, expressed in financial terms — the metric that the board uses to make decisions.
CYBER RISK QUANTIFICATION
CSURFACE Risk Quantification converts technical telemetry into an estimated expected loss with uncertainty ranges — to enable security conversations in the language of business. The board does not decide based on the number of vulnerabilities; they decide on financial exposure and return on investment. The methodology follows FAIR, calibrated by the IBM Cost of a Data Breach 2025 (Brazil), with VaR P90/P99 and LGPD exposure. For platform customers, the methodology incorporates additional proprietary data — adjusted probability by asset, critical process, and observed business context.
The public calculator uses sector-specific parameters derived from the IBM Cost of a Data Breach 2025 (Brazil) and the FAIR methodology — available in calculadora-de-risco.html. For clients of the CSURFACE platform, the methodology incorporates additional proprietary data: calibrated probability based on observed real exposure, business context inferred by the agentic layer, critical processes identified on the external surface, and inventory of assets effectively mapped.
THE CHALLENGE
The security team communicates risk in technical terms: vulnerabilities, severity, time to respond, control coverage. These indicators are essential for operations, but they do not answer the question that the board really asks: how much does this exposure cost the company and how much do we reduce with a certain investment?
Without this bridge, budget and prioritization decisions become arbitrary. Qualitative heat maps reflect opinion, and external ratings are only an approximate indicator. There is a lack of quantification that translates cyber risk into financial value with sufficient rigor to support a capital decision.
CAPABILITIES
Quantification starts from real platform data and delivers results that the board uses to make decisions.
Technical risk is converted into an estimate of expected loss, expressed in financial terms — the metric that the board uses to make decisions.
The result takes the form of a distribution — expected value and tail scenarios — to communicate uncertainty with rigor.
Simulations compare current risk with projected risk after a remediation action, making the return on investment explicit.
Quantification follows the FAIR model, a market-standard that decomposes risk into observable and auditable variables.
The estimate is continuous: when a critical exposure is addressed or a new threat emerges, the value is reassessed.
Each estimate exposes its input data and assumptions — ready for risk committees, audits, and cyber insurance processes.
METHODOLOGY
The CSURFACE adopts the FAIR (Factor Analysis of Information Risk) model, a recognized reference for quantitative risk analysis. Instead of treating risk as an opaque value, FAIR decomposes it into observable variables — the probable frequency of an event and the magnitude of its impact — each estimated as a range.
Based on these ranges, a probabilistic simulation produces a distribution of possible results: the expected value and less likely but more severe scenarios. The platform delivers this analysis supported by explicit input data that can be verified at every assumption.
Annual expected loss
R$ 21.6 million
▲ +0.7% per month
Value at Risk · VaR 99
R$ 302.4 million
1% chance per year
Event probability
34%
in group · 31% among peers
Projected mitigation
−48%
ALE with prioritized roadmap
Value at Risk by confidence level
Annual loss that is not expected to exceed, by confidence level.
Loss excess curve
Probability of exceeding each loss value in the year.
HOW IT WORKS
Quantification starts with real platform data — assets, exposures, and control posture — combined with the organization's business context.
The FAIR model and probabilistic simulation translate these data into financial exposure, with expected value and uncertainty ranges.
Results are presented in executive format, with investment scenarios, and are re-evaluated as the organization's risk changes.
WHAT YOU GAIN
With quantified risk, budget and priority decisions are based on analysis.
The board evaluates security investment based on financial exposure and projected return, rather than isolated technical metrics.
Attention and budget are directed towards exposures that most reduce the expected loss of the organization.
Estimates with recognized methodology and auditable trail support dialogue with risk committees, audit, and insurers.
FREQUENTLY ASKED QUESTIONS
It translates technical risk into an estimate of exposure in monetary terms. Instead of communicating the quantity of vulnerabilities, the organization communicates how much the exposure may cost — and how much it is reduced with a certain investment. At CSURFACE, risk quantification is available as a module of the platform.
No. The quantification follows the FAIR model, which decomposes risk into observable variables. Each estimate exposes its input data and assumptions in an audit trail suitable for risk committees and external audits.
Because risk is uncertainty. The probabilistic simulation delivers the expected value and also less likely but more severe scenarios. This allows communicating uncertainty with rigor and choosing the appropriate indicator for each conversation.
No. The quantification is fueled by real data from the platform. When a critical exposure is remediated or a new relevant threat emerges, the value is reassessed — reflecting the current risk of the organization.
Start with the public risk calculator using the FAIR methodology. Or provide your company's domain and receive an initial external exposure analysis — no card, no meeting.
Receive preliminary analysis