Risk Quantification in Offensive Security: FAIR and Probabilistic Models
"All of these factors point to the need for leaders to quantify cyber risks and their economic impacts to align investments with core business objectives." — World Economic Forum, Global Cybersecurity Outlook 2025 [19]
Abstract
The security industry has spent two decades making consequential investment and remediation decisions with ordinal risk scales that carry no mathematical meaning, cannot be aggregated across scenarios, and cannot be compared against financial alternatives. The Factor Analysis of Information Risk (FAIR) model, standardized by The Open Group in 2013 and progressively extended through the FAIR-CAM, FAIR-MAM, and FAIR-AIR additions, provides a quantitative alternative grounded in probability theory and actuarial methodology. Its core operation is a Monte Carlo simulation over two probability distributions: Loss Event Frequency (LEF) and Loss Magnitude (LM), both expressed as PERT-distributed ranges elicited from subject matter experts or calibrated against historical data. Alongside FAIR, the offensive security practitioner now has access to two complementary probabilistic frameworks: Bayesian Attack Graphs (BAGs), which propagate conditional exploit probabilities through multi-hop network paths; and the Exploit Prediction Scoring System (EPSS), a machine-learned model that assigns each CVE a 30-day exploitation probability, evolved from logistic regression to gradient-boosted trees across four major versions. This article develops the mathematical foundations of all three, surveys the open-source tool ecosystem (pyfair, riskquant, MulVAL, evaluator), situates them in the 2025 commercial landscape where a Forrester Wave now exists for CRQ solutions, and identifies the open problems that matter most for practitioners operating under regulatory pressure from the SEC, DORA, and NIS2. The total addressable market for CRQ solutions reached approximately $4.8 billion in 2025 and is projected to double by 2031, driven by post-SolarWinds regulatory momentum and the codification of financial risk disclosure obligations for CISOs.
1. Introduction
"The move toward cyber risk quantification has been the single most important evolution, moving functions from 'guessing' to 'governing.'" — Sumeet Khokhani, GovInfoSecurity, March 2026 [31]
In October 2023, the U.S. Securities and Exchange Commission charged SolarWinds Corporation and its Chief Information Security Officer Timothy G. Brown with securities fraud, alleging that internal risk assessments documented the company's security posture as deeply inadequate while public disclosures to investors described it as robust [18]. Internal presentations cited in the SEC complaint described the organization's access and privilege controls as "inappropriate" and warned that a threat actor "can basically do what they want without us detecting it until it is too late." The charges were ultimately dismissed in November 2025 after settlement negotiations, but the legal proceedings accomplished something more durable than any individual enforcement outcome: they established that the gap between a practitioner's internal risk estimate and the narrative presented to investors is now a legal liability. For CISOs and security product leaders, informal red/amber/green assessments are no longer defensible artifacts; they need auditable, quantitative models whose inputs, methodology, and outputs can be reproduced under cross-examination.
This is not solely a legal problem. It is a resource allocation problem that the security industry has systematically refused to solve for thirty years. A 2024 Gartner survey of 155 security and risk management leaders found that 97% of organizations that had adopted formal cyber risk quantification (CRQ) methods reported tangible benefits, with 52% citing greater board confidence in the security function and 51% reporting improved cooperation from risk owners on remediation [20]. Yet adoption lags significantly behind intent: 45% of respondents cited scoping as their primary challenge, 42% identified integration complexity as a blocker, and 34% reported that their stakeholders distrusted the methodology even when outputs were expressed as financial figures. These adoption barriers are not fundamental limitations of the technology; they are symptoms of a field that still treats risk quantification as a finance function imported reluctantly into security, rather than as a native capability that any mature technical discipline should possess. The World Economic Forum's 2025 Global Cybersecurity Outlook found that 60% of CISOs now present risk to their boards in business-impact terms three to four times per year, a figure that would have been negligible a decade ago [19].
The offensive security practitioner occupies a particularly advantaged position for adopting quantitative risk methods, because penetration testers and red teamers generate precisely the empirical data those models need. A penetration test produces a ranked list of technical findings; a red team engagement produces a narrative of what an adversary with specific objectives could accomplish against a specific organization. Neither output, in its traditional form, answers the question that a CFO or board of directors actually needs to make a capital allocation decision: what is the expected annual financial loss if this attack path remains unremediated, expressed as a probability distribution over outcomes? FAIR translates finding severity into monetary risk ranges; EPSS translates CVE identifiers into 30-day exploitation probabilities; Bayesian Attack Graphs translate network topology into conditional attack path probabilities. Used together, these tools allow an offensive security team to deliver not just a findings report but a defensible financial exposure model grounded in probability distributions rather than practitioner intuition.
This article proceeds as follows. Section 2 diagnoses the failures of ordinal risk methods with mathematical precision, establishing why the move to quantitative models is not a stylistic preference. Section 3 develops the FAIR framework in depth, covering its ontology, decomposition hierarchy, and Monte Carlo simulation core. Section 4 formalizes the mathematical architecture of CVSS v3.1 and v4.0 and documents their limitations as risk signals. Section 5 develops Bayesian Attack Graphs as a mechanism for propagating vulnerability probabilities through multi-hop attack paths. Section 6 covers EPSS and its evolution from logistic regression to gradient-boosted trees, explaining how it complements CVSS. Section 7 presents practical tooling with a working Python implementation of a FAIR Monte Carlo simulator. Section 8 analyzes the commercial landscape, consolidation dynamics, and the regulatory tailwinds reshaping the market. The open problems enumerated in Sections 8 and 9 represent both the current limits of the field and its most productive research frontiers.
2. The Failure of Ordinal Risk: Why Color Scales Cannot Drive Financial Decisions
A qualitative risk rating assigns findings to discrete ordinal buckets: Critical, High, Medium, Low, and Informational, or their equivalent in traffic-light systems where red denotes immediate action and green denotes acceptable residual risk. The intuitive appeal of this scheme is evident: it requires no statistical literacy, produces immediately legible outputs, and maps naturally to the "act now / act later / monitor / accept" workflow that security teams and audit functions have operated for decades. The problem is that ordinal scales are not a simplified version of quantitative risk; they are a fundamentally different and mathematically incoherent representation. When a practitioner marks two vulnerabilities as "High," she is asserting only that both belong to the same ordinal class, not that they carry the same financial exposure, the same probability of exploitation, or the same remediation urgency. Those two findings may differ by three orders of magnitude in expected annual loss, yet the rating communicates identical priority for both.
The incoherence compounds when ordinal ratings are aggregated. Security organizations routinely count the number of High findings across a system inventory to produce a composite "risk score," as if summing ordinal labels yields a meaningful quantity. This operation has no mathematical basis: the sum of two ordinal rankings is not itself an ordinal ranking, and it is certainly not a financial figure. The error is precisely analogous to computing the average Mohs hardness of a mineral collection and treating the result as a new hardness measurement; the arithmetic is syntactically valid but semantically empty. Practitioners throughout the industry are aware that this is wrong. The practice persists because every widely adopted governance framework, from ISO 27005 to NIST CSF to COSO to OCTAVE, provides qualitative risk matrices as their primary analytical tool, and organizational inertia around the familiar far outweighs the appeal of the rigorous alternative.
CVSS v3.1 attempts a more rigorous representation by assigning continuous base scores on the interval [0.0, 10.0] and rounding to two decimal places [10]. The formulas underlying the score, developed from categorical metric inputs including Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and the three CIA impact dimensions, are deterministic and reproducible. The result is a numeric value that appears cardinal but is consumed by the overwhelming majority of practitioners as a new ordinal label: 9.0 and above is "Critical," 7.0 through 8.9 is "High," and so on. A 2023 empirical study found that more than 40% of CVEs received materially different CVSS base scores when re-evaluated after nine months by the same analyst, revealing scoring inconsistency that contradicts the precision the numeric representation implies [25]. The CVSS specification recommends that environmental and temporal modifiers be applied to each base score to adjust for deployment context and exploit availability, but in practice these modifiers are applied to fewer than 5% of CVE records in the National Vulnerability Database.
The practical consequence of this failure is a vulnerability management pipeline that has optimized for generating legible outputs (reports, scores, counts) rather than for answering the question that drives every security investment decision: what is the financial cost of this exposure remaining unremediated? Without a monetary expression of risk, a security leader cannot compare the cost of a remediation program against the financial exposure it eliminates. She cannot construct a security budget with the rigor a CFO applies to capital allocation decisions. She cannot explain to a board why a $5 million security investment is preferable to a $2 million alternative in the language the board uses to evaluate every other strategic commitment. RAND's 2020 report on measuring cybersecurity and cyber resilience identified a related failure mode: most security measurement frameworks focus on defender countermeasures rather than on the attacker's estimated success probability, which is the variable that actually determines whether a financial loss occurs [29]. Quantitative risk models are the mechanism for correcting these failures, and the combination of FAIR, Bayesian Attack Graphs, and EPSS currently represents the most complete empirically grounded toolkit available.
3. FAIR: Ontology, Decomposition, and the Monte Carlo Core
The Factor Analysis of Information Risk was developed by Jack Jones beginning in the early 2000s and published as an open white paper in 2006, later contributed to The Open Group as the Risk Taxonomy Standard (O-RT) and Risk Analysis Standard (O-RA), collectively the Open FAIR Body of Knowledge [1]. Jones designed FAIR as a response to a specific failure mode he encountered as a CISO: the inability to answer a board director's question about the business impact of a proposed security investment in financial terms. His insight was that risk is correctly formalized as a probability distribution over future loss, not a point estimate or an ordinal label, and that the right mathematical object for representing a threat scenario is a distribution with an expected value, a variance, and a defined set of percentile outcomes against which business decisions can be calibrated.
FAIR decomposes risk through a hierarchical ontology. At the top level, Risk is the probable frequency and probable magnitude of future loss, expressed as the joint distribution of two primary factors. Loss Event Frequency (LEF) is the expected number of times a loss event occurs within a given time period (typically one year). Loss Magnitude (LM) is the financial impact of a single loss event. LEF decomposes further into Threat Event Frequency (TEF, how often a threat agent acts against the asset) multiplied by Vulnerability (the probability that a threat action results in a loss outcome, modeled as the functional relationship between the threat agent's capability and the organization's control strength). LM decomposes into Primary Loss (direct costs: productivity loss, response costs, replacement costs, investigation and legal notification costs) and Secondary Loss (reputational damage, regulatory fines, competitive harm), the latter estimated as the product of Secondary Loss Event Frequency and Secondary Loss Magnitude conditional on the primary loss event having occurred.
The analytical core of FAIR is a Monte Carlo simulation over the joint distribution of LEF and LM. For a scenario with $N$ simulation trials, the expected annual risk is:
$$R = \frac{1}{N} \sum_{i=1}^{N} lef_i \cdot lm_i \tag{1}$$
where each $lef_i$ is drawn from a distribution $F_{LEF}$ parameterized by the analyst's minimum, most-likely (mode), and maximum frequency estimates, and each $lm_i$ is drawn from a distribution $F_{LM}$ capturing the financial loss range for a single event. The output is not a single number but a distribution of annual loss outcomes; standard practice reports the 10th, 50th, and 90th percentile values alongside the mean to communicate both the central tendency and the tail risk [2]. The distinction between percentile reporting and mean reporting matters practically: an organization that budgets based only on the 50th percentile annual loss may be severely underprepared for the tail scenario that drives actual catastrophic outcomes.
The distribution most commonly used for FAIR inputs is the Beta-PERT distribution, a parameterization of the Beta distribution shaped by minimum $a$, mode $m$, and maximum $b$, with a shape parameter $\gamma$ (set to 4 by FAIR convention) that controls how strongly the mode anchors the mean. The mean and Beta shape parameters are:
$$\mu_{PERT} = \frac{a + \gamma m + b}{\gamma + 2}, \quad \alpha = \frac{(\mu - a)(2m - a - b)}{(m - \mu)(b - a)}, \quad \beta_{s} = \frac{\alpha(b - \mu)}{\mu - a} \tag{2}$$
The PERT distribution is preferred over the triangular distribution because its tails are smooth rather than abrupt, better representing expert uncertainty about extreme values. When $\gamma = 4$, the mode receives four times the combined weight of the endpoints in determining the mean, which matches common elicitation practice: analysts treat their best estimate as the primary anchor while acknowledging that reality can be significantly more or less severe. The resulting $\text{Beta}(\alpha, \beta_s, a, b)$ is then sampled $N$ times, with $N = 10{,}000$ to $N = 100{,}000$ being standard depending on required tail precision.
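As a minimal sketch of Equations (1) and (2), the snippet below converts an analyst's (minimum, mode, maximum) range into Beta shape parameters and runs the two-factor simulation. All numeric ranges here are illustrative placeholders rather than calibrated estimates; the full scenario implementation appears in Section 7.

```python
import numpy as np

def pert_samples(a, m, b, n, gamma=4.0, rng=None):
    """Draw n samples from Beta-PERT(a, m, b) using Eq. (2).

    Assumes the mode m differs from the PERT mean mu; the symmetric
    case (m == mu) needs the limiting shape alpha = beta = gamma/2 + 1.
    """
    rng = np.random.default_rng(rng)
    mu = (a + gamma * m + b) / (gamma + 2)
    alpha = (mu - a) * (2 * m - a - b) / ((m - mu) * (b - a))
    beta_s = alpha * (b - mu) / (mu - a)
    return a + (b - a) * rng.beta(alpha, beta_s, size=n)

# Illustrative placeholder ranges, not calibrated estimates:
# 0.1-2.0 loss events/year (mode 0.5); $50k-$3M per event (mode $400k).
n = 100_000
rng = np.random.default_rng(42)
lef = pert_samples(0.1, 0.5, 2.0, n, rng=rng)
lm = pert_samples(50_000, 400_000, 3_000_000, n, rng=rng)
annual_loss = lef * lm                # one LEF * LM product per trial (Eq. 1)
p10, p50, p90 = np.percentile(annual_loss, [10, 50, 90])
print(f"mean ${annual_loss.mean():,.0f}  P10 ${p10:,.0f}  "
      f"P50 ${p50:,.0f}  P90 ${p90:,.0f}")
```

Reporting the percentile triple alongside the mean, as in the final line, is what communicates the tail risk that a single expected-value figure conceals.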
The 2024 FAIR Institute white paper "Integrating FAIR Models for Cyber Risk Management" [2] situates the original two-factor model within a broader framework now comprising five distinct models. FAIR-CAM (Controls Analytics Model, 2021) extends the framework by modeling how individual and systemic controls affect LEF and LM: a specific firewall rule reduces TEF for a given attack class; a specific patch reduces Vulnerability for a given CVE; the model allows practitioners to calculate the marginal risk reduction attributable to each control investment. FAIR-MAM (Materiality Assessment Model) disaggregates LM into 26 loss categories across 10 modules, providing the granularity needed to satisfy SEC materiality disclosure requirements and to produce the line-item financial impact estimates that CFOs and cyber insurers require. FAIR-TAM (Third Party Assessment Model) applies the FAIR ontology to supply chain partner risk prioritization. The 2025 academic validation of FAIR in a Scandinavian logistics company by Seid, Satheesh, Popov, and Blix [3] and the machine-learning extension by Nwafor, Nwafor, Brahma, and Acharyya that pairs FAIR Monte Carlo with XGBoost and SHAP explainability [4] both confirm that the framework is empirically productive beyond its practitioner origins.
4. CVSS: Mathematical Architecture, the v4.0 MacroVector Reformulation, and the Limits of Severity Scoring
The Common Vulnerability Scoring System version 3.1 computes a base score from two independent subscores: Impact and Exploitability [10]. The Impact calculation begins with the Impact Scope Component ($ISC_{Base}$), which combines the three CIA impact dimensions multiplicatively to ensure that a vulnerability affecting only one dimension scores lower than one affecting all three:
$$ISC_{Base} = 1 - (1 - I_C)(1 - I_I)(1 - I_A) \tag{3}$$
where $I_C$, $I_I$, $I_A$ take values from the set $\{0.00, 0.22, 0.56\}$ corresponding to None, Low, and High impact respectively. The full Impact subscore depends on Scope. When Scope is Unchanged, $I_{SU} = 6.42 \cdot ISC_{Base}$; when Scope is Changed, a non-linear transformation amplifies high-impact scores and suppresses low-impact ones:
$$I_{SC} = 7.52 \cdot (ISC_{Base} - 0.029) - 3.25 \cdot (ISC_{Base} - 0.02)^{15} \tag{4}$$
The $x^{15}$ exponent in Equation (4) is deliberately extreme: it ensures that only vulnerabilities with $ISC_{Base}$ close to 1.0 benefit meaningfully from the Scope Changed multiplier, preventing scope-changing vulnerabilities with low individual impact from being artificially inflated. The Exploitability subscore is a product of four categorical metrics drawn from lookup tables:
$$E = 8.22 \cdot AV \cdot AC \cdot PR \cdot UI \tag{5}$$
where Attack Vector takes values in $\{0.85, 0.62, 0.55, 0.20\}$ for Network, Adjacent, Local, and Physical respectively. The Base Score is then:
$$BS = \text{Roundup}\!\left(\min(I + E,\ 10)\right) \tag{6}$$
with the sum multiplied by 1.08 inside the $\min$ when Scope is Changed, and with $BS$ defined as 0 whenever the Impact subscore is zero or negative. The Roundup function returns the smallest value, specified to one decimal place, that is equal to or greater than its input. The Temporal Score applies a multiplicative cascade of modifiers for Exploit Code Maturity ($ECM$), Remediation Level ($RL$), and Report Confidence ($RC$), each defaulting to 1.00 when not specified by the scoring analyst:
$$TS = \text{Roundup}(BS \cdot ECM \cdot RL \cdot RC) \tag{7}$$
Since fewer than 5% of NVD entries carry temporal scores, Equation (7) effectively reduces to $TS = BS$ for nearly all public vulnerability data, leaving the most risk-relevant modifiers (exploit availability, patch status) unused.
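Equations (3) through (6) are compact enough to transcribe directly into code. The sketch below hard-codes the v3.1 metric lookup tables, including the Privileges Required values that change under Scope Changed; the roundup helper uses a plain ceiling rather than the spec's float-safe integer arithmetic, which is adequate for illustration:

```python
import math

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}   # Scope Unchanged
PR_C = {"N": 0.85, "L": 0.68, "H": 0.50}   # Scope Changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"N": 0.00, "L": 0.22, "H": 0.56}

def roundup(x):
    """Smallest one-decimal value >= x (simplified vs. the spec's
    integer-arithmetic version, which guards against float error)."""
    return math.ceil(x * 10) / 10

def cvss31_base(av, ac, pr, ui, scope, c, i, a):
    isc_base = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])      # Eq. (3)
    if scope == "U":
        impact = 6.42 * isc_base
    else:                                                           # Eq. (4)
        impact = 7.52 * (isc_base - 0.029) - 3.25 * (isc_base - 0.02) ** 15
    pr_table = PR_U if scope == "U" else PR_C
    expl = 8.22 * AV[av] * AC[ac] * pr_table[pr] * UI[ui]           # Eq. (5)
    if impact <= 0:
        return 0.0
    total = impact + expl if scope == "U" else 1.08 * (impact + expl)
    return roundup(min(total, 10))                                  # Eq. (6)

print(cvss31_base("N", "L", "N", "N", "U", "H", "H", "H"))  # 9.8
print(cvss31_base("N", "L", "N", "N", "C", "H", "H", "H"))  # 10.0
```

The two printed vectors are the canonical network-exploitable, no-interaction, full-CIA-impact cases: Scope Unchanged yields 9.8, and the Scope Changed variant saturates at 10.0.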
CVSS v4.0, released by FIRST in November 2023, abandons the closed-form algebraic formula entirely [11]. The approximately 15 million possible metric combination vectors are clustered algorithmically into 270 MacroVectors using a six-dimensional dimensionality reduction. Each MacroVector receives a base score assigned by consensus from a 50-person expert panel that ordered the clusters by severity. For a specific metric vector $\mathbf{v}$ within a MacroVector $MV$, the score is computed by interpolation between the MacroVector's assigned score and the scores of the next-lower MacroVectors $\mathcal{L}_{MV}$:
$$s(\mathbf{v}) = s_{MV} - \bar{d}(\mathbf{v},\ \mathcal{L}_{MV}) \tag{8}$$
where $\bar{d}$ is the mean proportional distance from vector $\mathbf{v}$ to the lower-ranked MacroVector boundaries. The reference implementation is the JavaScript function cvss_lookup.js in the FIRST GitHub calculator repository; Red Hat's open-source cvss Python library supports CVSSv4 through its cvss4.py module [30]. The MacroVector design eliminates the discontinuous jumps in v3.x where a single metric flip could change a score by 2.0 points, but it replaces transparent algebra with an opaque lookup table that practitioners cannot reproduce without access to the reference implementation.
The limitations of CVSS as a risk proxy are structural, not incidental. A 2023 study found over 40% scoring inconsistency when the same analyst re-evaluated CVEs after nine months [25]. A 2025 study presented at ACM CCS demonstrated systematic disagreement between CVSS, EPSS, SSVC, and CVSS-B scoring systems for identical vulnerabilities, finding that the four systems frequently recommend contradictory prioritization decisions for the same CVE [26]. Most fundamentally, CVSS measures the intrinsic severity of a vulnerability in isolation; it does not estimate the probability of exploitation in a specific deployment, the attacker's motivation to target a given environment, or the financial exposure of the organization at risk. NIST addressed the first gap in 2024 with Cybersecurity White Paper 41 [16], which introduced the Likely Exploited Vulnerability (LEV) metric, derived from CISA Known Exploited Vulnerabilities (KEV) data and EPSS scores, as a probabilistic complement to CVSS severity. LEV represents NIST's formal acknowledgment that severity scores alone are insufficient for triage and that organizational remediation pipelines must incorporate exploitation probability as a co-equal input.
5. Bayesian Attack Graphs: Connecting Network Topology to Path Probability
An attack graph is a directed graph $G = (V, E)$ where each node $v \in V$ represents a system state or exploit condition reachable by an attacker, and each edge $(u, v) \in E$ represents the transition between states via a specific exploit or lateral movement action. Attack graphs were first formalized by Sheyner, Haines, Jha, Lippmann, and Wing in 2002 using symbolic model checking: the target network is encoded as a Kripke structure, a safety property is specified (the attacker must not reach the target), and the counterexample traces produced by the model checker enumerate all attack paths [6]. The NP-hardness of general attack graph existence queries was established in the companion paper by Jha, Sheyner, and Wing the same year [7], placing computational limits on exact analysis of large enterprise networks and motivating the heuristic and approximate algorithms that dominate practical tools. The MulVAL framework, developed by Xinming Ou and colleagues at Princeton University and subsequently extended at Kansas State University, implements a Datalog-based attack graph generator that scales to realistic enterprise topologies by encoding network rules and vulnerability preconditions as logic facts [24].
For risk quantification, the critical extension is probabilistic. A Bayesian Attack Graph (BAG) assigns conditional exploit probabilities to the edges of the attack graph, transforming it from a reachability structure into a Bayesian network over which probabilistic inference can be performed [12]. Each node $v_i$ carries an associated exploit success probability $p_i$ conditioned on its parent set $\text{Pa}(v_i)$, representing the preconditions an attacker must satisfy before attempting $v_i$. For an AND-node (requiring all preconditions), the joint probability that an attacker traverses a specific path $\pi = (v_0, v_1, \ldots, v_k)$ is the product of individual exploit probabilities:
$$P(\pi) = \prod_{i=0}^{k} P(v_i\ \text{exploited} \mid \text{Pa}(v_i)) \tag{9}$$
The probability that an attacker reaches target node $t$ from source $s$ via any available path combines over all paths in the path set $\Pi(s, t)$:
$$P(s \rightsquigarrow t) = 1 - \prod_{\pi \in \Pi(s,t)} \bigl(1 - P(\pi)\bigr) \tag{10}$$
Equation (10) assumes path independence; when paths share intermediate nodes, exact inference requires Bayesian network variable elimination or loopy belief propagation over the full network structure. The Minimum Attack Path problem, which asks for the path $\pi^*$ maximizing $P(\pi)$, reduces to a shortest-path problem on the graph weighted by $-\log P(\pi)$, solvable in polynomial time via Dijkstra's algorithm. Wang, Islam, Long, Singhal, and Jajodia formalized a practical mapping from CVSS scores to BAG node probabilities in 2008 and 2010 [14, 17]: the exploit probability for a node is $p_i = E_i / 10$, where $E_i$ is the node's CVSS Exploitability subscore on its native $[0, 10]$ scale, so the division normalizes it to $[0, 1]$. This mapping allows any standard vulnerability scanner output to automatically seed a quantitative attack graph without requiring per-node expert elicitation. NIST IR 7788 by Singhal and Ou [15] formalized this pipeline: scanner output feeds NVD lookups, which populate CVSS-derived node probabilities, which seed a probabilistic attack graph producing network-level risk metrics.
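The shortest-path reduction just described — maximizing $P(\pi)$ by minimizing $\sum_i -\log p_i$ — can be sketched with a standard Dijkstra implementation. The three-node topology and its edge probabilities below are hypothetical:

```python
import heapq
import math

def most_likely_path(graph, s, t):
    """Dijkstra over edge weights -log(p): the shortest path in the
    transformed graph is the maximum-probability attack path."""
    dist, prev = {s: 0.0}, {}
    pq = [(0.0, s)]
    while pq:
        d, u = heapq.heappop(pq)
        if u == t:
            break
        if d > dist.get(u, math.inf):
            continue                      # stale queue entry
        for v, p in graph.get(u, []):
            nd = d - math.log(p)          # multiply probs = add -log weights
            if nd < dist.get(v, math.inf):
                dist[v], prev[v] = nd, u
                heapq.heappush(pq, (nd, v))
    if t not in dist:
        return None, 0.0
    path = [t]
    while path[-1] != s:
        path.append(prev[path[-1]])
    return path[::-1], math.exp(-dist[t])

# Hypothetical topology: per-edge exploit success probabilities.
graph = {"web": [("app", 0.8), ("db", 0.1)], "app": [("db", 0.6)]}
print(most_likely_path(graph, "web", "db"))  # -> (['web', 'app', 'db'], ~0.48)
```

Note that the two-hop path through the application server (0.8 × 0.6 = 0.48) dominates the direct one-hop path (0.1), the kind of result that makes lateral movement, not perimeter breach, the correct remediation priority.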
A 2026 paper by Vitale, Guarino, Perone, Rak, and Mazzocca extends the static BAG model with process mining to produce dynamic risk assessments [12]. Rather than treating the conditional probability tables as static inputs calibrated once at assessment time, their approach feeds live network traffic logs into a process mining engine that extracts probabilistic evidence of attacker activity in progress. When new evidence arrives, such as a suspicious lateral movement pattern in telemetry, the BAG's posterior probabilities update via Bayes' rule:
$$P(A_t \mid O_{1:t}) = \frac{P(O_t \mid A_t) \cdot P(A_t \mid O_{1:t-1})}{P(O_t \mid O_{1:t-1})} \tag{11}$$
where $A_t$ is the inferred attacker state at time $t$ and $O_{1:t}$ is the cumulative observation sequence. This Bayesian update converts the attack graph from an assessment-time snapshot into a real-time risk sensor. The gap between the static, periodic risk model and the dynamic threat environment of a live network is one of the most operationally significant limitations of current CRQ practice; the BAG-plus-process-mining architecture points toward a resolution, though the engineering challenge of constructing a reliable observation model $P(O_t \mid A_t)$ that correctly interprets SIEM events as evidence about attacker state remains largely unsolved at production scale.
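Restricted to a discrete attacker-state variable, Equation (11) is a one-step Bayes filter. The states, observation alphabet, and likelihood values below are invented for illustration; in practice the observation model $P(O_t \mid A_t)$ must be calibrated against SIEM telemetry:

```python
def bayes_update(prior, likelihood, obs):
    """One step of Eq. (11): posterior over attacker states given a single
    observation. prior: {state: P(state)}; likelihood: {state: {obs: P(obs|state)}}."""
    unnorm = {s: likelihood[s].get(obs, 0.0) * p for s, p in prior.items()}
    z = sum(unnorm.values())      # P(O_t | O_{1:t-1}), the normalizer
    return {s: v / z for s, v in unnorm.items()}

# Hypothetical two-state model: is a foothold host being used for lateral movement?
prior = {"dormant": 0.9, "active": 0.1}
likelihood = {
    "dormant": {"smb_burst": 0.05, "quiet": 0.95},
    "active":  {"smb_burst": 0.60, "quiet": 0.40},
}
posterior = bayes_update(prior, likelihood, "smb_burst")
print(posterior)  # P(active | smb_burst) rises from 0.10 to ~0.57
```

Chaining the call — feeding each posterior back in as the next prior — turns the single update into the sequential filter over $O_{1:t}$ that the dynamic BAG architecture requires.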
6. EPSS: Machine-Learned Exploitation Probability and Its Integration with FAIR
The Exploit Prediction Scoring System (EPSS) emerged from the empirical observation that CVSS severity scores and observed exploitation activity in the wild are only loosely correlated. Jacobs, Romanosky, Edwards, Roytman, and Adjerid published the foundational model in the ACM journal Digital Threats: Research and Practice in 2021 [8], drawing on a dataset of CVE attributes and in-the-wild exploitation observations collected from a network of enterprise sensor deployments. The original model is a logistic regression over approximately 1,100 binary and continuous features derived from NVD metadata, Exploit-DB and Metasploit availability signals, scanner tool coverage indicators, and social media mention frequency. For a feature vector $\mathbf{x}$ describing a given CVE, the model predicts the 30-day exploitation probability as:
$$P(\text{exploited within 30 days} \mid \mathbf{x}) = \sigma\!\left(\beta_0 + \boldsymbol{\beta}^T \mathbf{x}\right) = \frac{1}{1 + e^{-(\beta_0 + \boldsymbol{\beta}^T \mathbf{x})}} \tag{12}$$
The original model achieved a ROC AUC of 0.838, substantially outperforming CVSS severity sorting as a predictor of which vulnerabilities would be exploited. In March 2023, EPSS v3 replaced the logistic regression with an XGBoost gradient-boosted tree ensemble, reporting approximately 82% performance improvement over v2 in cross-validated evaluation [9]. This upgrade was motivated by the non-linear interaction effects between features (for example, a CVE with an available Metasploit module and active social media discussion is disproportionately more likely to be exploited than either feature predicts alone), which gradient boosting captures naturally while logistic regression cannot without extensive manual feature engineering. Version 4, released in March 2025, incorporated community-contributed threat intelligence feeds as additional input features, improving calibration especially for recently published CVEs where historical exploitation data is sparse [8a].
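Equation (12) itself takes only a few lines. The coefficients below are arbitrary illustrative values, not the published EPSS weights (and the v3/v4 tree ensembles have no such closed-form coefficients in any case); the feature names in the comment are likewise hypothetical:

```python
import math

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def exploit_probability(beta0, betas, x):
    """Eq. (12): logistic regression over a CVE feature vector x."""
    return sigmoid(beta0 + sum(b * xi for b, xi in zip(betas, x)))

# Arbitrary illustrative coefficients -- NOT the published EPSS weights.
beta0 = -4.0
betas = [2.1, 1.6, 0.8]   # e.g., metasploit_module, exploitdb_poc, remote
x = [1, 1, 1]
print(round(exploit_probability(beta0, betas, x), 3))  # 0.622
```

The additive form makes the limitation noted above concrete: the contribution of the Metasploit feature is the same whether or not the social-media feature fires, which is exactly the interaction effect that motivated the move to gradient-boosted trees.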
The key operational insight is that the CVSS severity distribution and the EPSS exploitation probability distribution are nearly statistically independent. Approximately 20% of CVSS-Critical CVEs carry an EPSS score above 0.10 (indicating at least 10% 30-day exploitation probability), meaning the vast majority of Critical-rated vulnerabilities are not being actively exploited in the wild at any given time [16]. Conversely, some CVSS-Medium vulnerabilities carry EPSS scores above 0.50, indicating active exploitation at high rates despite modest theoretical severity. This orthogonality means that a practitioner can use CVSS and EPSS as two independent risk axes: severity captures the damage potential if exploitation succeeds; EPSS captures the likelihood that exploitation will be attempted at all. FIRST's January 2026 Consumer Implementation Guide now formally recommends combining EPSS probability scores with CVSS Threat and Environmental metrics as the baseline for vulnerability triage, endorsing a joint framework over either metric in isolation.
The Stakeholder-Specific Vulnerability Categorization (SSVC) developed at Carnegie Mellon's CERT/CC by Spring, Hatleback, Householder, Manion, and Shick represents an important alternative paradigm [24]. SSVC replaces numeric scores entirely with a decision tree whose branches address Exploitation status (none, proof-of-concept, active), Technical impact, and Mission and wellbeing impact, terminating in actionable outcomes: Track, Track*, Attend, and Act. SSVC explicitly rejects the premise that a single numeric score can encode the information needed for a remediation decision, arguing that the semantically correct question is not "how severe is this CVE?" but "what should I do about it and when, given my specific operational context?" CISA has adopted SSVC for its own vulnerability advisory program, and for practitioners who find that even EPSS-augmented CVSS triage still produces a remediation backlog too large to action, SSVC provides a principled mechanism for further reducing the action set to only those vulnerabilities requiring immediate response.
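Because SSVC's output is a decision rather than a score, it can be reproduced as an ordinary decision function. The tree below is a simplified illustration of the pattern only, not the official CERT/CC or CISA tree, which has additional branch points (such as Automatable and Public Safety Impact):

```python
def ssvc_decide(exploitation, technical_impact, mission_impact):
    """Toy SSVC-style decision tree -- illustrative only, NOT the
    official CERT/CC or CISA logic.
    exploitation:     'none' | 'poc' | 'active'
    technical_impact: 'partial' | 'total'
    mission_impact:   'low' | 'high'
    """
    if exploitation == "active":
        return "Act" if mission_impact == "high" else "Attend"
    if exploitation == "poc":
        if technical_impact == "total" and mission_impact == "high":
            return "Attend"
        return "Track*"
    return "Track"

print(ssvc_decide("active", "total", "high"))  # Act
print(ssvc_decide("none", "partial", "low"))   # Track
```

The point of the exercise is that every leaf is an action with a deadline semantics, not a number awaiting interpretation.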
For the offensive security practitioner, EPSS provides a principled, data-driven answer to the question of which findings to elevate in a penetration test report. A finding with CVSS 7.5 and EPSS 0.003 represents a qualitatively different risk than a finding with CVSS 7.5 and EPSS 0.68: the first has a 0.3% exploitation probability over 30 days; the second has a 68% probability. Both appear as "High" in a traditional qualitative report, yet they warrant entirely different remediation urgency. Integrating EPSS into FAIR scenarios replaces the analyst's subjective elicitation of the Vulnerability factor in the LEF decomposition with an empirically calibrated prediction from a model trained on millions of CVE observations across real enterprise environments, substantially reducing model subjectivity for well-characterized CVEs.
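To fold an EPSS score into a FAIR scenario's annual frequency terms, the 30-day probability must first be rescaled to the analysis horizon. The geometric conversion below assumes independent consecutive 30-day windows, a simplifying assumption (real exploitation campaigns are bursty and autocorrelated, so this is an approximation, not a law):

```python
def thirty_day_to_annual(p30, days=365.0):
    """Rescale a 30-day exploitation probability to an annual horizon,
    assuming independent consecutive windows (a simplifying assumption)."""
    return 1.0 - (1.0 - p30) ** (days / 30.0)

# The two CVSS 7.5 findings from the text, separated only by EPSS:
for name, p30 in [("finding A", 0.003), ("finding B", 0.68)]:
    print(f"{name}: EPSS30={p30:.3f} -> annual ~{thirty_day_to_annual(p30):.3f}")
```

Under this conversion, finding A's annual exploitation probability is roughly 3.6%, while finding B's is effectively certain, which is the quantitative gap the identical "High" labels erase.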
7. Tooling and Implementation: PyFAIR, riskquant, and MulVAL in Practice
7.1 Open-Source Ecosystem Overview
The open-source ecosystem for quantitative risk modeling has matured substantially since 2019. The primary Python implementation of FAIR is pyfair, maintained by Hive Systems [23], which accepts LEF and LM distributions as parameterized inputs, samples them jointly via Monte Carlo simulation, and produces HTML reports and matplotlib visualizations. The library supports PERT, Normal, and constant distributions and handles both the simplified two-factor model (LEF + LM) and the full decomposition into TEF, Vulnerability, Primary Loss, and Secondary Loss components. Netflix's riskquant library [22] takes a complementary approach: it models annual loss as the product of a Poisson-distributed event count and a lognormal magnitude distribution and outputs Loss Exceedance Curves (LECs), which show the probability that annual loss exceeds a given dollar threshold. LECs are the standard actuarial risk communication format used by cyber insurers, making riskquant the most natural tool for practitioners who need their outputs to integrate with insurance underwriting workflows. The R package evaluator, built on the OpenFAIR ontology, adds Shiny-based interactive dashboards and a companion collector package for structured expert elicitation interviews guided by calibration techniques for measuring intangibles.
For attack graph generation, MulVAL remains the most widely deployed academic framework, using Datalog-based reasoning to enumerate multi-hop attack paths from network topology descriptions and vulnerability scanner outputs. The open-source GraphKer tool provides a Neo4j-based graph database that ingests the full NVD, CWE, CAPEC, and CPE datasets, enabling complex graph queries across vulnerability, weakness, attack pattern, and platform relationships. Red Hat's cvss Python library supports CVSSv2, v3, and v4, providing the computational foundation for translating scanner output into CVSS-derived node probabilities for BAG construction [30]. Carnegie Mellon SEI's 2023 ECI & RA framework (Express Control Impact and Risk Analysis) [29a] adds a practitioner-accessible risk analysis workflow that produces loss exceedance curves and recommends a prioritized NIST control set, borrowing simulation techniques from the IMF and the Netflix Risk Quant Project. Rapid7's Active Risk score, launched in 2023 as a 0-to-1,000 scale that multiplies CVSS severity by threat intelligence from AttackerKB, Metasploit, ExploitDB, and CISA KEV, claims to reduce the prioritized vulnerability backlog by up to 85% compared to raw CVSS sorting.
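The translation from scanner output to BAG node priors can be sketched without any of these libraries. The per-node prior below follows the common convention in the attack-graph literature [14] of scaling the CVSS exploitability subscore to [0, 1]; the three-hop chain and its subscores are hypothetical:

```python
def node_prior(exploitability_subscore: float) -> float:
    """Scale a CVSS exploitability subscore (0-10) to a per-node
    exploit success probability, a common BAG convention."""
    return min(exploitability_subscore / 10.0, 1.0)

# Hypothetical three-hop path: DMZ web server -> app server -> database.
exploitability_chain = [3.9, 2.8, 1.8]

# Under conditional independence along the path, the probability of
# reaching the final node is the product of the per-hop probabilities.
p_path = 1.0
for subscore in exploitability_chain:
    p_path *= node_prior(subscore)
print(f"P(full path compromise) = {p_path:.4f}")
```

Even three individually modest hops compound to a path probability near 2%, and it is this compound quantity, not any single node's score, that a BAG propagates.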
7.2 Python Implementation: FAIR Monte Carlo with Loss Exceedance Curve
The following implementation provides a complete FAIR-style Monte Carlo simulation with PERT-distributed inputs, Poisson-realized event counts, lognormal loss magnitudes, and a Loss Exceedance Curve output. The scenario models ransomware targeting a manufacturing-sector ERP system, with input parameters derived from Verizon DBIR sector frequency data and cyber insurance claims distributions:
"""
fair_monte_carlo.py -- FAIR-style probabilistic risk quantification.
Implements a two-stage annual loss model:
Stage 1: Beta-PERT over analyst frequency range -> Poisson event count
Stage 2: Lognormal per-event loss magnitude
Output: percentile summary table + Loss Exceedance Curve
This two-stage model separates epistemic uncertainty (rate estimation) from
aleatoric uncertainty (realized count in a specific year), producing
heavier-tailed distributions that better match actuarial cyber loss data.
"""
import numpy as np
import scipy.stats as stats
import matplotlib.pyplot as plt
from dataclasses import dataclass
from typing import Tuple
# ---------------------------------------------------------------------------
# Data model
# ---------------------------------------------------------------------------
@dataclass
class FAIRScenario:
name: str
lef_low: float # min annual loss event frequency (analyst estimate)
lef_mode: float # most-likely annual loss event frequency
lef_high: float # max annual loss event frequency
lm_mu: float # mean of ln(loss USD) -- shapes lognormal magnitude
lm_sigma: float # std dev of ln(loss USD)
# ---------------------------------------------------------------------------
# Beta-PERT distribution helpers
# ---------------------------------------------------------------------------
def pert_to_beta(
low: float, mode: float, high: float, gamma: float = 4.0
) -> Tuple[float, float, float, float]:
"""
Map PERT(low, mode, high) onto scipy Beta(a, b, loc, scale).
gamma=4 is the FAIR convention: mode contributes 4x vs endpoints.
Returns (alpha, beta_param, loc, scale) for scipy.stats.beta.rvs.
"""
mean = (low + gamma * mode + high) / (gamma + 2.0)
    if abs(mode - mean) < 1e-9:  # symmetric: mode at midpoint of [low, high]
        a = 1.0 + gamma / 2.0    # PERT convention: alpha = beta = 1 + gamma/2
        return a, a, low, high - low
alpha = (mean - low) * (2.0 * mode - low - high) / (
(mode - mean) * (high - low)
)
beta_p = alpha * (high - mean) / (mean - low)
return max(alpha, 1e-6), max(beta_p, 1e-6), low, high - low
def sample_pert(s: FAIRScenario, n: int,
rng: np.random.Generator) -> np.ndarray:
"""Draw n continuous frequency samples from the scenario's PERT."""
a, b, loc, scale = pert_to_beta(s.lef_low, s.lef_mode, s.lef_high)
return stats.beta.rvs(a, b, loc=loc, scale=scale, size=n,
random_state=rng)
# ---------------------------------------------------------------------------
# Core simulation
# ---------------------------------------------------------------------------
def run_fair(scenario: FAIRScenario, n: int = 100_000,
seed: int = 42) -> np.ndarray:
"""
Execute FAIR Monte Carlo; return array of n annual loss estimates (USD).
For each trial i:
lef_i ~ Beta-PERT(lef_low, lef_mode, lef_high)
count_i ~ Poisson(lef_i) # events realized this year
loss_j ~ LogNormal(lm_mu, lm_sigma) for j in 1..count_i
annual_loss_i = sum of loss_j
"""
rng = np.random.default_rng(seed)
lef_samples = sample_pert(scenario, n, rng)
event_counts = rng.poisson(lef_samples) # integer event count / year
total_events = int(event_counts.sum())
# Vectorised lognormal draw for all events across all trials at once
all_magnitudes = np.exp(
scenario.lm_mu + scenario.lm_sigma * rng.standard_normal(total_events)
)
annual_loss = np.zeros(n, dtype=np.float64)
cursor = 0
for i, count in enumerate(event_counts):
if count > 0:
annual_loss[i] = all_magnitudes[cursor: cursor + count].sum()
cursor += count
return annual_loss
# ---------------------------------------------------------------------------
# Reporting helpers
# ---------------------------------------------------------------------------
def loss_exceedance_curve(
losses: np.ndarray, n_points: int = 500
) -> Tuple[np.ndarray, np.ndarray]:
"""Return (loss_values, exceedance_probs) for the empirical LEC."""
pcts = np.linspace(0.0, 99.9, n_points)
return np.percentile(losses, pcts), 1.0 - pcts / 100.0
def print_summary(scenario: FAIRScenario, losses: np.ndarray) -> None:
print(f"\nScenario : {scenario.name}")
print(f" Mean annual loss : ${np.mean(losses):>14,.0f}")
for p in (10, 50, 90, 95, 99):
print(f" {p:2d}th percentile : ${np.percentile(losses, p):>14,.0f}")
def plot_lec(scenario: FAIRScenario, losses: np.ndarray,
outfile: str = "fair_lec.png") -> None:
lv, ep = loss_exceedance_curve(losses)
fig, ax = plt.subplots(figsize=(9, 5))
ax.semilogy(lv / 1e6, ep, lw=2.0, color="steelblue")
ax.axvline(np.mean(losses) / 1e6, color="crimson", ls="--", lw=1.5,
label=f"Mean = ${np.mean(losses)/1e6:.1f}M")
ax.set_xlabel("Annual Loss (USD millions)")
ax.set_ylabel("Exceedance Probability")
ax.set_title(scenario.name)
ax.grid(True, which="both", ls="--", alpha=0.4)
ax.legend()
fig.tight_layout()
fig.savefig(outfile, dpi=150)
# ---------------------------------------------------------------------------
# Entry point
# ---------------------------------------------------------------------------
if __name__ == "__main__":
scenario = FAIRScenario(
name="Ransomware: manufacturing-sector ERP (VDBIR-calibrated)",
lef_low=0.10, # ~once per decade at minimum
lef_mode=0.50, # ~once every two years as best estimate
lef_high=2.00, # ~twice per year in an adverse year
lm_mu=14.51, # exp(14.51) ~ $2M median per-event loss
        lm_sigma=1.20, # wide tail; ~$9.3M at 90th pct per event
)
losses = run_fair(scenario, n=100_000)
print_summary(scenario, losses)
plot_lec(scenario, losses)
The critical design choice is the two-stage Poisson-over-PERT model rather than treating the PERT sample directly as the annual event count. The PERT distribution captures epistemic uncertainty: the analyst's uncertainty about the true long-run rate of loss events. The Poisson draw over that rate captures aleatoric uncertainty: the stochastic realization of how many events actually occur in a specific year given that rate. Collapsing these two into a single PERT draw systematically underestimates tail risk because it ignores the additional variance contributed by the Poisson dispersion. For the 90th and 95th percentile outcomes that drive cyber insurance pricing, this distinction is material: the two-stage model typically produces tail losses 15 to 30% higher than the single-stage approximation, and it is the tail that determines whether an organization is adequately insured.
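The variance inflation that drives those heavier tails can be checked directly. A small sketch, using a uniform distribution as a self-contained stand-in for the Beta-PERT; the mechanism is the law of total variance, Var[N] = E[λ] + Var[λ] for a mixed Poisson:

```python
import numpy as np

rng = np.random.default_rng(7)
n = 200_000

# Epistemic stage: uncertainty about the true annual event rate.
# (Uniform(0.1, 2.0) stands in for the Beta-PERT draw.)
rates = rng.uniform(0.1, 2.0, size=n)

# Single-stage approximation: the sampled rate is used as the count.
var_single = rates.var()

# Two-stage model: Poisson realization on top of the sampled rate.
counts = rng.poisson(rates)
var_two_stage = counts.var()

# Law of total variance: Var[N] = E[rate] + Var[rate] > Var[rate].
print(f"single-stage variance : {var_single:.3f}")
print(f"two-stage variance    : {var_two_stage:.3f}")
```

Here the Poisson stage adds the mean rate (about 1.05) on top of the epistemic variance (about 0.30), roughly quadrupling the count variance; that extra dispersion is what fattens the annual-loss tail.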
7.3 From Scanner Output to FAIR Inputs
The practical integration of EPSS and CVSS data into FAIR scenarios follows a three-step pipeline. First, the analyst identifies the primary exploit in the attack chain demonstrated during a red team engagement or penetration test and retrieves its EPSS score from the FIRST API. Second, the EPSS score directly informs the Vulnerability factor in the LEF decomposition: an EPSS score of 0.12 (12% exploitation probability over 30 days) implies an annualized threat event success rate of approximately $-12 \ln(1 - 0.12) \approx 1.53$ events per year for a continuously internet-exposed service, which becomes the lef_mode parameter. Third, the Loss Magnitude parameters are calibrated from sector-specific breach cost data in the Verizon DBIR or from the FAIR Institute's Loss Magnitude Reference Data, rather than from CVSS Impact subscores, which measure theoretical damage potential rather than realized financial loss. This pipeline converts a penetration test finding into a set of FAIR inputs with an explicit, traceable methodology, replacing the ad-hoc expert estimation step with a chain of data-driven lookups.
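The pipeline reduces to a small helper that emits parameters in the shape the Section 7.2 simulation consumes. The factor-of-3 band around lef_mode and the \$2M median loss are illustrative placeholders for the analyst's range and the sector data lookup, not prescribed values:

```python
import math

def fair_inputs_from_finding(epss_30d: float,
                             median_event_loss_usd: float,
                             sigma_ln_loss: float = 1.2,
                             periods_per_year: float = 12.0) -> dict:
    """Convert a pentest finding into FAIR scenario parameters.
    lef_mode: annualized rate, -periods * ln(1 - p30), for a
              continuously exposed service.
    lm_mu:    ln(median loss), since a lognormal's median is exp(mu)."""
    lef_mode = -periods_per_year * math.log(1.0 - epss_30d)
    return {
        "lef_low": lef_mode / 3.0,   # illustrative low/high band
        "lef_mode": lef_mode,
        "lef_high": lef_mode * 3.0,
        "lm_mu": math.log(median_event_loss_usd),
        "lm_sigma": sigma_ln_loss,
    }

params = fair_inputs_from_finding(epss_30d=0.12,
                                  median_event_loss_usd=2_000_000)
print(f"lef_mode = {params['lef_mode']:.2f} events/year")
```

For the EPSS 0.12 example in the text this reproduces the ~1.53 events-per-year mode, and lm_mu lands at ~14.51, matching the ransomware scenario above.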
8. The CRQ Product Landscape: Regulatory Catalysts, Consolidation, and Open Problems
8.1 Market Structure and Competitive Dynamics
The commercial cyber risk quantification market was valued at approximately \$4.8 billion in 2025, with analyst projections converging on approximately \$9.6 billion by 2031 at a compound annual growth rate of 12 to 15% [20]. Three regulatory catalysts are responsible for the majority of this growth trajectory. The SEC's cybersecurity disclosure rules, effective for large accelerated filers in late 2023, require public companies to disclose material cybersecurity incidents within four business days and to describe their risk management programs in annual 10-K filings; the SolarWinds case made clear that overstating security posture in those disclosures carries personal liability for the CISO and potential securities fraud charges for the company [18]. The EU's Digital Operational Resilience Act (DORA), effective January 2025, mandates quantitative ICT risk management for financial institutions, including tolerance thresholds for disruption scenarios expressed in financial terms. NIS2 extended similar obligations to a broader set of critical infrastructure operators across the EU, and each regulation creates a formal demand for defensible, reproducible quantitative risk outputs in board reports and regulatory filings.
"SAFE, Axio, and KPMG CRI emerged as the three Leaders in the inaugural Forrester Wave: Cyber Risk Quantification Solutions, Q2 2025. Axio was the only solution to maintain a Leader position from a prior Forrester evaluation, signaling maturity in its core FAIR methodology implementation." — Forrester Research, June 2025 [21]
The vendor landscape has consolidated aggressively. In July 2023, SAFE Security acquired RiskLens, the original commercially deployed FAIR-native platform founded by Jack Jones [27]. SAFE then raised a \$70 million Series C in July 2025, marketing an integrated "CyberAGI" platform combining autonomous risk assessment with attack surface management. In November 2025, SAFE completed the acquisition of Balbix, which had previously raised \$100 million over three rounds, creating a unified continuous threat exposure management (CTEM) and CRQ platform. On the independent side, Axio retained its position as the only consistent Leader across Forrester's consecutive CRQ evaluations, positioning itself as the practitioner's preferred tool for FAIR-native analysis without enterprise platform overhead. SecurityScorecard, valued at \$1 billion following its 2021 Series E and rating more than 12 million entities globally, occupies a distinct position in the market: its ratings represent a probabilistic supply-chain and third-party risk signal rather than a full FAIR-based financial quantification. The appearance of KPMG's Cyber Risk Intelligence service as a Forrester Leader signals that major professional services firms have productized CRQ sufficiently to compete with specialized vendors, creating pricing pressure on the analysis and advisory layer while preserving differentiation at the platform and automation layer.
8.2 What Security Leaders Should Do Differently
Security teams that have not yet adopted quantitative risk models face a sequenced implementation challenge rather than a binary choice between comprehensive deployment and the status quo. The highest-leverage entry point is not deploying a full FAIR model for the entire organization; it is identifying the three to five threat scenarios that consume the largest share of the security budget and re-expressing them in FAIR terms using pyfair or a spreadsheet-based PERT simulation. This exercise consistently reveals two patterns: some budget allocations are well-supported by quantitative exposure analysis, while others are maintained by compliance box-ticking or historical inertia with no corresponding financial risk reduction. The second high-leverage step is integrating EPSS scores into the vulnerability management workflow, replacing CVSS-severity-only triage with a combined severity-plus-probability ranking consistent with NIST CSWP 41 [16].
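The severity-plus-probability ranking can be as simple as re-sorting findings by the product of CVSS score and EPSS probability. The product score and the sample findings below are illustrative conventions, not a formula specified by NIST CSWP 41:

```python
findings = [
    {"cve": "CVE-2023-0001", "cvss": 9.8, "epss": 0.004},
    {"cve": "CVE-2023-0002", "cvss": 7.5, "epss": 0.68},
    {"cve": "CVE-2023-0003", "cvss": 7.5, "epss": 0.003},
    {"cve": "CVE-2023-0004", "cvss": 5.3, "epss": 0.31},
]

# Severity-only triage cannot separate the two 7.5 findings.
by_cvss = sorted(findings, key=lambda f: -f["cvss"])

# Severity x exploitation probability breaks the tie and promotes the
# actively targeted medium above the unexploited critical.
by_risk = sorted(findings, key=lambda f: -(f["cvss"] * f["epss"]))

for f in by_risk:
    print(f"{f['cve']}: cvss={f['cvss']}, epss={f['epss']}, "
          f"score={f['cvss'] * f['epss']:.3f}")
```

On this sample, the EPSS 0.68 finding jumps to the top of the queue while the CVSS 9.8 finding with negligible exploitation probability drops to third.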
For offensive security teams, the highest-impact change is to accompany engagement findings with an expected annual loss estimate for each critical attack path demonstrated. This requires three inputs drawn from verifiable sources: a FAIR scenario parameterized around the demonstrated attack path; an EPSS score (or expert-elicited exploit probability for novel attack techniques) for the primary vulnerability in that path; and a loss magnitude estimate from sector-specific breach cost data rather than from CVSS impact labels. The transformation this produces is significant: a red team that can tell a CxO that a specific attack chain carries an expected annual loss of \$4.2 million at the 50th percentile and \$18 million at the 90th percentile changes the remediation prioritization conversation fundamentally compared to a report that lists "Critical: Unauthenticated Remote Code Execution on internet-facing application server." The financial framing creates the commensurability that allows the security investment to compete with every other capital allocation on a fair basis.
8.3 Open Problems
Four open problems in quantitative cyber risk modeling are both practically significant and technically tractable, representing productive directions for researchers and product teams alike. The most pressing is the data calibration problem: FAIR models require LEF estimates calibrated against empirical loss event data, but no comprehensive, sector-neutral public cyber loss database comparable to the actuarial tables used in property and casualty insurance exists. The Verizon DBIR provides frequency data aggregated broadly across industries; the FAIR Institute maintains proprietary reference datasets; cyber insurers hold proprietary claims data. None of these are accessible to practitioners in a form that enables systematic PERT parameter calibration for specific industries, company sizes, and threat categories. A public, peer-reviewed cyber loss database with ISO 31000-compatible schema would transform FAIR model reliability at scale, in the same way that ISO-standard actuarial loss tables transformed property insurance pricing.
The second open problem is dynamic risk quantification. Both FAIR and Bayesian Attack Graphs are calibrated at assessment time and updated infrequently, typically at each annual review or penetration test cycle. The 2026 BAG-plus-process-mining architecture of Vitale et al. [12] points toward continuous-update risk models, but the practical integration of live SIEM telemetry, topology changes from cloud provisioning events, and daily NVD CVE publications into a self-updating financial risk model has not been achieved in a production-deployable general form. The theoretical Bayesian update machinery in Equation (11) is sound; the engineering challenge is constructing an observation model that correctly interprets heterogeneous security telemetry as evidence about attacker state with low false-positive rates. The third open problem is compositional risk and loss correlation: FAIR models individual threat scenarios independently and aggregates them by summing expected losses, which assumes statistical independence between scenarios. In practice, a single ransomware event triggering primary operational loss will simultaneously trigger correlated secondary losses (regulatory fines, legal liability, customer churn) that share stochastic drivers. Zhang, Xu, and Zhao's 2025 actuarial work on cyber insurance pricing via BAGs [28] represents the most technically advanced published treatment of this problem, applying copula methods from property insurance to capture dependence structure.
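The cost of the independence assumption can be illustrated with two lognormal loss components driven by a shared Gaussian factor (equivalent to a Gaussian copula for lognormal marginals). The marginal parameters and the 0.8 correlation are illustrative, not calibrated to any dataset:

```python
import numpy as np

rng = np.random.default_rng(11)
n, rho = 200_000, 0.8

# Correlated standard normal drivers for primary and secondary loss.
z1 = rng.standard_normal(n)
z2 = rho * z1 + np.sqrt(1.0 - rho**2) * rng.standard_normal(n)

# Primary operational loss and secondary loss (fines, liability, churn).
primary = np.exp(13.0 + 1.0 * z1)
secondary_corr = np.exp(12.0 + 1.2 * z2)
secondary_indep = np.exp(12.0 + 1.2 * rng.standard_normal(n))

# Tail of the aggregate: dependence concentrates bad years together.
p99_corr = np.percentile(primary + secondary_corr, 99)
p99_indep = np.percentile(primary + secondary_indep, 99)
print(f"99th percentile, correlated : ${p99_corr:,.0f}")
print(f"99th percentile, independent: ${p99_indep:,.0f}")
```

Summing expected losses is unaffected, since means add regardless of dependence; it is the tail percentiles that the independence assumption understates.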
The fourth open problem is adversarial stability: EPSS scores, CVSS ratings, and SSVC decision trees are all published and known to attackers. A sophisticated threat actor who understands that security teams systematically deprioritize CVSS-Medium vulnerabilities with low EPSS scores may deliberately select those vulnerabilities as entry vectors, exploiting the defenders' reduced monitoring and remediation investment in the low-priority tier. No current scoring model accounts for this adversarial response to the scoring system itself; the equilibrium between defender prioritization strategies and attacker target selection is a game-theoretic problem that EPSS, CVSS, and FAIR all treat as fixed rather than dynamic. Addressing it requires explicitly modeling the attacker as a rational agent who observes and responds to the defender's risk model, a direction with roots in adversarial risk analysis [15] but no mature operational implementation.
9. Conclusion
Quantitative cyber risk modeling has moved in a single decade from a niche academic interest to a regulatory requirement, a board-level expectation, and a formally evaluated commercial product category. The FAIR framework, Bayesian Attack Graphs, and EPSS together provide a mathematically coherent toolkit for expressing security risk in the language that governs every other business decision: probability distributions over financial outcomes. The practitioner who can translate a penetration test finding into an expected annual loss distribution using pyfair, calibrate the exploit probability component from EPSS v4 data, propagate the attack path probability through a MulVAL-generated graph, and report the result as a Loss Exceedance Curve is delivering a reproducible, defensible quantitative argument rather than an expert opinion. The SolarWinds case demonstrated that the gap between internal risk assessment and external disclosure is a legal surface; rigorous quantitative models with auditable inputs and reproducible outputs are the mechanism for closing it.
The four open problems enumerated in Section 8 are not peripheral refinements awaiting incremental progress. The absence of a public cyber loss database means FAIR models are built on estimated inputs with uncertainty bounds wide enough to encompass multiple orders of magnitude in the tail scenarios that matter most for insurance and board-level decisions. The lack of dynamic update mechanisms means risk posture assessments lag the threat environment by months. The absence of compositional correlation models means enterprise-level risk aggregation treats statistically dependent losses as if they were independent events, systematically underestimating correlated scenarios. The adversarial stability problem means that any scoring system that becomes widely adopted creates a new attack surface in the form of predictable defender blind spots. Solving these problems requires collaboration between academic researchers with the statistical methodology, practitioners who hold the empirical data, and regulators who have the authority to mandate the disclosure standards that would generate the calibration datasets the field needs. The mathematical foundations are sound and the tooling is increasingly accessible; what remains are institutional barriers that the regulatory environment is already beginning to dissolve.
References
[1] J. Freund and J. Jones, Measuring and Managing Information Risk: A FAIR Approach, 2nd ed., Elsevier Butterworth-Heinemann, 2024.
[2] FAIR Institute, "Integrating FAIR Models: A Unified Framework for Cyber Risk Management," FAIR Institute White Paper, December 2024.
[3] E. Seid, S. Satheesh, O. Popov, and F. Blix, "FAIR: Cyber Security Risk Quantification in Logistics Sector," Procedia Computer Science, vol. 232, pp. 1109-1118, 2024.
[4] C. N. Nwafor, O. Nwafor, S. Brahma, and M. Acharyya, "A hybrid FAIR and XGBoost framework for cyber-risk intelligence and expected loss prediction," Expert Systems with Applications, vol. 299, article 129920, 2025.
[5] A. Rana, S. Gupta, and B. Gupta, "A comprehensive framework for quantitative risk assessment of organizational networks using FAIR-modified attack trees," Frontiers in Computer Science, 2024, doi: 10.3389/fcomp.2024.1304288.
[6] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, "Automated generation and analysis of attack graphs," in Proc. IEEE Symposium on Security and Privacy, 2002, pp. 273-284.
[7] S. Jha, O. Sheyner, and J. M. Wing, "Two formal analyses of attack graphs," in Proc. 15th IEEE Computer Security Foundations Workshop, 2002, pp. 49-63.
[8] J. Jacobs, S. Romanosky, B. Edwards, M. Roytman, and I. Adjerid, "Exploit prediction scoring system (EPSS)," ACM Digital Threats: Research and Practice, vol. 2, no. 3, 2021, doi: 10.1145/3436242.
[8a] FIRST EPSS SIG, "EPSS Version 4," first.org/epss, March 2025.
[9] J. Jacobs, S. Romanosky, O. Suciu, B. Edwards, and A. Sarabi, "Enhancing vulnerability prioritization: data-driven exploit predictions with community-driven insights," in Proc. IEEE EuroS&PW / Workshop on the Economics of Information Security, 2023.
[10] FIRST, "Common Vulnerability Scoring System Version 3.1 Specification Document," first.org/cvss/v3-1/specification-document, 2019.
[11] FIRST, "Common Vulnerability Scoring System Version 4.0 Specification Document," first.org/cvss/v4-0/cvss-v40-specification.pdf, November 2023.
[12] F. Vitale, S. Guarino, S. Perone, M. Rak, and N. Mazzocca, "Dynamic risk assessment by Bayesian attack graphs and process mining," arXiv:2604.18080, April 2026.
[13] S. Jajodia and S. Noel, "Topological vulnerability analysis," in Cyber Situational Awareness: Issues and Research, A. Jajodia et al., Eds., Springer, 2010, ch. 7.
[14] L. Wang, T. Islam, T. Long, A. Singhal, and S. Jajodia, "An attack graph-based probabilistic security metric," in Proc. IFIP DBSec, LNCS vol. 5094, Springer, 2008, pp. 283-296.
[15] A. Singhal and X. Ou, "Security risk analysis of enterprise networks using probabilistic attack graphs," NIST Interagency Report 7788, 2011.
[16] NIST, "Likely Exploited Vulnerabilities (LEV)," NIST Cybersecurity White Paper 41, nvlpubs.nist.gov/nistpubs/cswp/nist.cswp.41.pdf, 2024.
[17] L. Wang, S. Noel, and S. Jajodia, "Measuring security risk of networks using attack graphs," International Journal of Next-Generation Computing, vol. 1, no. 1, pp. 113-123, 2010.
[18] U.S. Securities and Exchange Commission, "SEC charges SolarWinds and CISO Timothy G. Brown," SEC Press Release 2023-227, October 2023.
[19] World Economic Forum, "Global Cybersecurity Outlook 2025," WEF White Paper, 2025.
[20] Gartner, "Survey finds widespread planning and adoption of cyber risk quantification," Gartner Research Note, 2024.
[21] Forrester Research, "The Forrester Wave: Cyber Risk Quantification Solutions, Q2 2025," Report RES182917, June 2025.
[22] Netflix-Skunkworks, riskquant: A Library for Quantifying Risk, github.com/Netflix-Skunkworks/riskquant, 2021.
[23] Hive-Systems, pyfair: Python FAIR Risk Quantification, github.com/Hive-Systems/pyfair, 2023.
[24] J. Spring, E. Hatleback, A. Householder, A. Manion, and D. Shick, "Prioritizing vulnerability response: a stakeholder-specific vulnerability categorization (SSVC) version 2.0," CMU SEI/CERT Technical Report, April 2021.
[25] (Authors anonymized per preprint), "Shedding light on CVSS scoring inconsistencies: a user-centric study," arXiv:2308.15259, 2023.
[26] (Authors anonymized per preprint), "Conflicting scores, confusing signals: an empirical study of vulnerability scoring systems," arXiv:2508.13644, ACM CCS 2025.
[27] SAFE Security, "SAFE Security Acquires RiskLens," Press Release, safe.security, July 2023.
[28] X. Zhang, M. Xu, and P. Zhao, "Pricing cyber risks over modern networks via Bayesian attack graphs," Variance, Casualty Actuarial Society, vol. 18, 2025.
[29] D. Snyder, L. A. Mayer, G. Weichenberg et al., "Measuring Cybersecurity and Cyber Resiliency," RAND Report RR2703, RAND Corporation, 2020.
[29a] CMU SEI, "Managing Cyber Risks: Express Control Impact and Risk Analysis (ECI & RA)," sei.cmu.edu, November 2023.
[30] Red Hat Product Security, cvss: Python CVSS Library, github.com/RedHatProductSecurity/cvss, 2024.
[31] S. Khokhani, "Beyond the Heat Map: Mastering Cyber Risk Quantification," GovInfoSecurity, March 2026.