Monte Carlo Simulation

Also known as: Monte Carlo Method

Computational technique that samples input variables from their probability distributions and aggregates the outcomes, producing a distribution of plausible results rather than a point estimate.

Written by Askara Solutions editorial team · Updated

Monte Carlo simulation is the engine that turns a FAIR analysis into a usable result. Each input factor (threat event frequency, vulnerability, primary loss, secondary loss) is supplied as a probability distribution rather than a single number. The simulation samples from each distribution, computes one possible outcome, and repeats the process tens of thousands of times. The output is the distribution of those outcomes.

Why bother? Because cyber risk is a domain where the worst plausible case matters more than the average. A scenario with a median annual loss of 200,000 euros but a 95th-percentile loss of 6 million is governed by its tail, not its centre. A point estimate hides the tail. A Monte Carlo run shows it.

The mechanics do not require a statistician. The Risk Investigation Agent runs the simulation in the background and presents the result as a curve and a few summary statistics (median, 90th percentile, expected value). The work that needs human judgment is upstream: the three-point estimates that define the input distributions. Get those right and the simulation does the rest.

Related terms

  • FAIR

    Quantitative risk-analysis methodology that expresses cyber risk as financial loss exposure rather than ordinal severity scores, by decomposing it into loss event frequency and loss magnitude.

  • Annual Loss Expectancy

    The expected annual cost of a risk scenario in financial terms, calculated as Loss Event Frequency multiplied by Loss Magnitude, expressed as a probability distribution rather than a point estimate.

  • Threat Event Frequency

    The expected number of times per year that a threat actor will attempt the action that could lead to a loss event, before any consideration of whether the attempt succeeds.

  • Loss Event Frequency

    The expected number of times per year that a threat actor's action will succeed and produce a loss, calculated as Threat Event Frequency multiplied by Vulnerability (the probability of success).

Authoritative sources

Where to read more.