Cyber risk quantification evidence loop
feed CRQ from the live engagement record instead of from a parallel spreadsheet

The scenario binds to a queryable asset set on the workspace rather than to an abstract estate description. Asset criticality scoring records the in-scope production estate, the regulated payment service, the customer-data tier, the privileged-identity perimeter, and the third-party-data flow per scenario so the next refresh reads against the asset set the operators run on rather than against a separate sheet.

Examples: Production estate by asset tier, regulated payment service per environment, customer-data services by data classification, privileged-identity perimeter by role, third-party data flows by vendor.

The FAIR vulnerability input regenerates from findings management: open critical and high findings on the in-scope assets, aged finding count against the published SLA, exception count by severity, EPSS-enriched exploit likelihood on CVE-bound findings, and scan coverage gaps. The vulnerability number in the scenario reflects the queue the operators run on, not the wishful number on the slide.

Examples: Open criticals over 30 days on the in-scope asset set, aged highs by SLA tier, exception count by severity and expiry, EPSS-enriched exploit likelihood per CVE-bound finding.

Control coverage by framework comes from the compliance tracking layer: scan cadence on the in-scope estate, MFA enforcement on privileged accounts, encrypted-credential coverage on authenticated scan jobs, framework mapping (NIST CSF 2.0, CIS Controls v8, ISO 27001, SOC 2, PCI DSS) by scenario. Control efficacy is the modifier the FAIR model applies between threat capability and the scenario landing.

Examples: NIST CSF 2.0 sub-category coverage per scenario, CIS v8 IG1 baseline coverage, ISO 27001 A.8.8 vulnerability management coverage, MFA enforcement state on privileged accounts.

Loss event frequency anchors against the operating record: declared incidents on the engagement, vulnerability disclosure programme volume against regulated services, third-party advisory activity in the policy period, breach-notification events recorded against the regulator-readiness workflow, and the post-incident retest evidence. The frequency input reconciles to the timeline the security team and the legal team have already lived through.

Examples: Declared incident count per scenario over the policy period, VDP submission rate per regulated service, third-party advisory activity, breach-notification cycles.

Primary loss (response, replacement, productivity, fines and judgements) and secondary loss (legal, regulatory, customer churn, market response) tiers are recorded as engagement metadata per scenario. The regulatory-fine band reads against the framework references compliance tracking carries (GDPR Article 83, NIS2 Article 34, DORA Article 50, SEC cybersecurity disclosure). The tiers are dated, attested, and reviewed.

Examples: Response cost band per scenario, regulatory fine band per applicable regulation, customer-loss band per asset tier, reputation impact band.

The CRQ refresh draws on the timestamped state changes on findings, engagements, scans, comments, documents, and team membership across the period. The CSV export covers 30, 90, or 365 days by plan with user attribution, timestamp, and event type per row. The activity-log trail is the artefact the audit committee, the internal auditor, and the regulator read against the CRQ output.

Examples: Activity log CSV across the policy period, scan execution history, finding state-change history, exception register lifecycle history.

A CRQ programme that maintains FAIR inputs in a parallel sheet and refreshes once a year is a programme that drifts from the live record. The vulnerability number in the scenario does not match the open backlog. The frequency input does not match the declared incident count. The control efficacy does not match the compliance coverage. The defensible practice is to derive the inputs from the workspace so the CRQ refresh reads the same record the operators run on.

Pulling LEF from an industry breach report and applying it to a single scenario without an internal anchor produces output that does not reconcile to the operating year. The audit committee reads it as a guess. The defensible LEF cites the declared incidents on the engagement, the VDP submission volume, the breach-notification cycles, and the post-incident retest evidence as the internal anchor; the literature estimate is a sanity check, not a substitute.

A CRQ refresh that claims a control is operating without the compliance-tracking coverage, the scan history, the MFA enforcement state, or the encrypted-credential evidence behind the claim is asserting efficacy rather than measuring it. The activity-log trail is the auditable record of the operating control, and it is the input the FAIR model applies to threat capability.

A CRQ scenario that uses only the count of open criticals ignores the half-life of the backlog, the exception count by severity, and the compensating-control inventory. Aged criticals over the published SLA are a different vulnerability input from fresh criticals. Exceptions with documented compensating controls modify the vulnerability differently from undocumented residual risk. The findings management queue and the exception register are the two queryable inputs the model reads.

Primary and secondary loss tiers that float in the spreadsheet without a date or named attester are tiers the audit committee discounts. The defensible practice is to record each tier on the engagement as dated, named-author metadata with a documented review cadence so the magnitude input is an artefact rather than an opinion.

A CRQ output that produces a loss exposure band without binding the treatment decision (accept, reduce, transfer, avoid) to a remediation engagement, an exception register entry, a cyber insurance evidence pack, or a contractual indemnity is a number in a slide rather than a decision. The defensible practice is to bind every CRQ output to the operational record that implements the treatment so the next refresh reads against the action the team took.

A small set of named scenarios (between four and twelve) recorded on the workspace with the bound asset set, the FAIR input map, the loss magnitude tiers, the named accountable executive, and the review cadence. The register is the contract between the CRQ model and the live record so each refresh regenerates from the named scenarios rather than from a free-form sheet.

Each FAIR input (LEF, TEF, V, TCap, RS, PLM, SLEF, SLM) is mapped to a queryable anchor on the workspace: the engagement filter, the findings query, the compliance coverage view, the exception register filter, the activity-log filter, or the framework reference. The anchor keeps the CRQ refresh reproducible across analysts and across cycles.

A documented refresh cadence (quarterly minimum) plus a list of triggers that cause an off-cycle refresh: a material control change, a declared incident, a major scan-coverage gap closure, a regulated dataset change, an MFA enforcement change, a new framework adoption. The cadence and trigger policy is the audit-readable governance behind the CRQ programme.

Each scenario carries the residual loss exposure band, the treatment decision (accept, reduce, transfer, avoid), the named accountable executive, and the linked operational record that implements the decision (remediation engagement, exception register entry, cyber insurance evidence pack, indemnity reference). The record is the bridge between the CRQ output and the operating workflow.

A documented cadence for board, audit-committee, and risk-committee narratives: the headline residual exposure band, the trend versus the prior period, the named drivers (backlog movement, exception movement, control coverage movement, incident movement), and the linked evidence anchor on the workspace. The narrative is regenerated from the live record rather than rewritten.

A documented activity-log retention window (30, 90, or 365 days by plan) plus a documented evidence-preservation policy for the CRQ inputs across the period. The CSV export covers user attribution, timestamp, and event type per row so the audit committee, the internal auditor, and the regulator read the same trail the security team operates on.

The CRQ evidence loop reads from vulnerability SLA management (the SLA breach component of vulnerability), asset criticality scoring (the in-scope asset set per scenario), threat intelligence driven prioritisation (the KEV and EPSS inputs behind threat event frequency), and security debt portfolio management (the structural-risk view that complements the per-scenario view).

CRQ output rolls up into security leadership reporting (the board cadence reads the residual exposure register), cyber insurance security evidence (the carrier-facing read of the same workspace inputs), compliance audits (the auditor reads the input anchor map), and audit evidence retention and disposal (the retention policy behind the activity-log trail).

• Holds the named scenario register against the in-scope asset set.
• Anchors each FAIR input to a queryable workspace artefact.
• Captures the dated, attested loss magnitude tiers as scenario metadata.
• Records the residual band and the treatment decision on the engagement.
• Provides the activity-log audit trail behind every refresh.
• Regenerates the board narrative through AI-assisted reports.

• Run the FAIR Monte Carlo simulation that produces the loss exposure distribution.
• Provide actuarial loss tables, industry loss databases, or breach-cost benchmarks.
• Auto-calibrate the threat capability or resistance strength values.
• Sync directly with FAIR-CAM, Open FAIR, RiskLens, ServiceNow GRC, or Archer.
• Compute insurance premium attribution or capital-allocation models.
• Replace the dedicated CRQ analyst or the calibrated estimation discipline.

Every FAIR input regenerates from a queryable workspace anchor. The vulnerability number matches the open backlog. The control efficacy matches the compliance coverage. The frequency anchor matches the declared incident log.

The quarterly refresh regenerates the residual exposure register from the same record the operators run on. The trend versus prior period is operating-effectiveness evidence rather than a narrative.

Reduce decisions become remediation engagements. Accept decisions become exception register entries with the eight-field decision. Transfer decisions become cyber insurance evidence packs. Avoid decisions retire the in-scope asset.

The activity-log CSV across the refresh period plus the per-scenario input anchor map reconstructs every CRQ output for the audit committee, the internal auditor, and the regulator review.