Quantitative risk · simplified

Quantify security risk — information, people, and physical — on one comparable scale.

Dewfog distils rigorous risk quantification to its simplest usable form. A handful of calibrated estimates. Transparent arithmetic. A Monte Carlo engine that runs in your browser. The result: expected annual loss, value-at-risk, and a loss exceedance curve — with no proprietary tools, no consultants, no quarter-long engagement.

Open the model How it works
2inputs to a first estimate
3security domains, one model
100kMonte Carlo runs in-browser
Expected annual loss · Ransomware FY26
256.3kMSEK
VaR 95%
1.48M
VaR 99%
5.80M
P(loss)
0.1270
Loss exceedance curve≤ 5% chance > 1.8M
Protection vs threatT / (T + P) = 0.67
One framework, the whole estate

The same loss-event model covers all three security domains.

The loss-event logic applies whether the threat is a hacker, an insider, or a forced door. Quantify it all on one comparable scale.

01

Information security

Ransomware, intrusion, data breach, DDoS — the classic cyber loss events, modelled with telemetry or expert ranges.

02

People security

Insider threat, social engineering, fraud and coercion — human risk on the same probability-of-loss footing.

03

Physical security

Intrusion, theft, sabotage, and site disruption — protection strength versus threat capability, quantified.

How it works

From expert judgement to a defensible loss estimate.

Three steps, transparent arithmetic, results you can put in front of a board.

01

Estimate

Score threat frequency and capability, and how strong your protection is. Use telemetry where you have it, calibrated expert ranges where you don't.

02

Simulate

A Monte Carlo engine samples lognormal loss magnitudes across tens of thousands of simulated years, including conditional secondary losses.

03

Decide

Read expected annual loss, value-at-risk, and the exceedance curve. Compare scenarios, test controls, and prioritise spend.

What the model provides

Rigorous where it counts, simple everywhere else.

Bradley-Terry vulnerability

Threat capability and protection strength compete as paired strengths — a screening estimate from two numbers.

Telemetry or expert range

Laplace's Rule of Succession when you have history; Beta-PERT with tunable confidence when you don't.

Monte Carlo simulation

Lognormal loss distributions over 10k–100k iterations, producing a full annual loss distribution in the browser.

Loss exceedance curve

See the probability of exceeding any loss threshold, with VaR at the 90th, 95th and 99th percentiles.

Primary & secondary loss

Model fines, churn and reputational fallout as conditional secondary losses with their own distribution.

Export to Excel

Every run exports a summary sheet and a full per-iteration simulation table for offline analysis or audit.

Compare scenarios

Upload up to 10 exports to overlay loss exceedance curves side-by-side, consolidate all risks into an aggregate distribution, and overlay a risk appetite boundary.

Compare scenarios →
The core idea

Honest about what a screening model can — and can't — tell you.

  • ·
    Decompose every loss event into how often a threat is attempted and the chance your protection fails.
  • ·
    Count attempts, not incidents — the model is explicit about the bias that double-counts protection.
  • ·
    Built-in limitations are documented, not hidden — the model is a screening and prioritisation tool, not a substitute for rigorous probabilistic analysis.
Try it on a scenario →
Loss event probability
P(loss) = F × T/(T+P)
FFrequency — annual probability a threat event is attempted.
TThreat strength — capability of the adversary, 0 to 1.
PProtection strength — strength of your controls, 0 to 1.

Risk scenarios, ranked by expected annual loss. Not by colour.

Give every risk scenario a number you can defend, compare, and act on — in a browser, with no proprietary tools.

Open the model