
Monte Carlo Simulation

Also known as:
  • Monte Carlo Method

Computational technique that samples input variables from their probability distributions and aggregates the outcomes, producing a distribution of plausible results rather than a point estimate.

Written by Askara Solutions editorial team · Updated

Monte Carlo simulation is the engine that turns a FAIR analysis into a usable result. Each input factor (threat event frequency, vulnerability, primary loss, secondary loss) is supplied as a probability distribution rather than a single number. The simulation samples from each distribution, computes one possible outcome, and repeats the process tens of thousands of times. The output is the distribution of those outcomes.

Why bother? Because cyber risk is a domain where the worst plausible case matters more than the average. A scenario with a median annual loss of 200,000 euros but a 95th-percentile loss of 6 million is governed by its tail, not its centre. A point estimate hides the tail. A Monte Carlo run shows it.

The mechanics do not require a statistician. The Risk Investigation Agent runs the simulation in the background and presents the result as a curve and a few summary statistics (median, 90th percentile, expected value). The work that needs human judgment is upstream: the three-point estimates that define the input distributions. Get those right and the simulation does the rest.
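The loop described above, as an added example (not the Risk Investigation Agent's code). The scenario figures are constructed, and the triangular input distributions and Poisson event count are modelling assumptions; the page prescribes neither.

```python
import math
import random
import statistics

# Constructed three-point estimates (min, most likely, max); illustrative only.
SCENARIO = {
    "tef": (0.5, 2.0, 6.0),                    # threat events per year
    "vuln": (0.05, 0.20, 0.50),                # P(threat event becomes a loss)
    "primary": (20_000, 150_000, 2_000_000),   # euros per loss event
    "secondary": (0, 50_000, 4_000_000),       # euros per loss event
}

def tri(rng, estimate):
    """Sample a triangular distribution (assumed shape) from a three-point estimate."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(scenario, runs=20_000, seed=1):
    """Return one simulated annual loss per run."""
    rng = random.Random(seed)  # seeded so a run can be reproduced
    losses = []
    for _ in range(runs):
        lef = tri(rng, scenario["tef"]) * tri(rng, scenario["vuln"])  # loss events/year
        events = poisson(rng, lef)
        losses.append(sum(
            tri(rng, scenario["primary"]) + tri(rng, scenario["secondary"])
            for _ in range(events)))
    return losses

def summarize(losses):
    """Median, upper percentiles and expected value of the outcome distribution."""
    ordered = sorted(losses)
    def pct(q):
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return {"median": pct(0.50), "p90": pct(0.90), "p95": pct(0.95),
            "mean": statistics.fmean(ordered)}

if __name__ == "__main__":
    for name, value in summarize(simulate(SCENARIO)).items():
        print(f"{name:>6}: {value:>12,.0f} EUR")
```

Widening only the maximum of a loss estimate moves the upper percentiles far more than the median, which is why the three-point inputs deserve the scrutiny.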
