Cyber Risk Quantification — Methodology Guide
Testify v1.9 | Cyber Flag
What Are These Numbers?
Testify estimates the Annualized Loss Expectancy (ALE) for each portfolio company — the expected annual financial loss from cyber incidents. This translates maturity scores into dollar values that investment committees, LPs, and M&A due diligence teams can act on.
ALE is displayed as a range: Low / Likely / High. The Likely value is the headline number. Low is half of Likely; High is double.
How It Works — From Onboarding to ALE
Financial risk estimates build automatically as data flows into Testify. No separate data entry is required.
Stage 1: Day Zero — Estimated (immediate, zero input)
The moment a portfolio company exists in Testify with an industry and CME tier, it gets an ALE estimate from lookup tables. No questionnaire, no data entry. This is a directional signal based on published breach cost benchmarks for companies of that type and risk tier.
Stage 2: Onboarding — Calibrated (automatic from questionnaire)
When the portco completes the Critical Asset Profile questionnaire during campaign onboarding, the ALE automatically upgrades to a calibrated estimate. The questionnaire captures:
- Annual revenue → used directly in the FAIR-lite formula
- Regulated data volume (minimal / moderate / large / massive) → mapped to an estimated sensitive record count:
| Questionnaire Answer | Estimated Record Count |
|---|---|
| Minimal — under 10K records | 5,000 |
| Moderate — 10K–100K records | 50,000 |
| Large — 100K–1M records | 500,000 |
| Massive — over 1M records | 5,000,000 |
The label changes from “Estimated” to “Calibrated” on all displays. No one needs to visit a separate screen or enter numbers twice.
Stage 3: Refinement — Manual Override (optional)
A Portfolio Principal can override the auto-populated values via the Risk API or Company Profile if they have more precise data (e.g., exact record count from a data inventory, or revenue updated after a quarterly filing). This tightens the estimate further but is not required for the system to produce useful numbers.
The Math
Estimated Mode (lookup table)
Estimated ALE = Base ALE × Maturity Factor
Step 1 — Look up Base ALE from the company’s CME tier and industry:
| CME Tier | Healthcare | Financial Svc | Technology | Manufacturing | Retail | Energy | Other |
|---|---|---|---|---|---|---|---|
| 1 — Foundational | $4.5M | $5.2M | $3.8M | $2.1M | $2.4M | $2.8M | $1.8M |
| 2 — Structured | $3.2M | $3.8M | $2.7M | $1.5M | $1.7M | $2.0M | $1.3M |
| 3 — Managed | $2.1M | $2.5M | $1.8M | $1.0M | $1.1M | $1.3M | $0.9M |
| 4 — Enterprise | $1.4M | $1.6M | $1.2M | $0.7M | $0.8M | $0.9M | $0.6M |
Source attribution:
- Per-breach magnitude baseline: IBM Cost of a Data Breach Report 2025 (Ponemon Institute), per-breach industry averages, with Cyber Flag’s CME-tier maturity scaling layered on top.
- Frequency baseline: Verizon DBIR 2025, frequency observations and breach-type / attack-vector trends.
- Per-record fines anchor (used in the calibrated mode below): jurisdictional fine schedules (GDPR, HIPAA, CCPA, state breach-notification statutes).
Values represent authored calibration at baseline maturity (2.5/5.0); the per-industry ordering reflects PE-portfolio composition assumptions and is tunable per firm policy.
Step 2 — Apply Maturity Factor based on the company’s average maturity score (0–5 scale):
| Maturity Score | Factor | Effect |
|---|---|---|
| 0 – 1.0 | 1.5× | Weak controls amplify exposure by 50% |
| 1.0 – 2.0 | 1.2× | Below baseline, 20% above base |
| 2.0 – 3.0 | 1.0× | Baseline — no adjustment |
| 3.0 – 4.0 | 0.7× | Good controls reduce exposure by 30% |
| 4.0 – 5.0 | 0.4× | Strong controls reduce exposure by 60% |
Example: A CME-2 Healthcare company with maturity score 3.5:
- Base ALE = $3,200,000 (CME-2, Healthcare)
- Maturity Factor = 0.7 (score 3.5 falls in 3.0–4.0 range)
- Estimated ALE = $3,200,000 × 0.7 = $2,240,000
- Range: $1,120,000 (low) / $2,240,000 (likely) / $4,480,000 (high)
Calibrated Mode (FAIR-lite formula)
Activated automatically when revenue and record count are available (from onboarding questionnaire or manual entry):
Calibrated ALE = (Breach Probability × Breach Impact) + Operational Loss
Breach Probability:
Breach Probability = 25% × Maturity Factor
At maturity 0: ~37.5% annual probability. At maturity 5: ~10%.
Breach Impact:
Breach Impact = Sensitive Record Count × Per-Record Cost
| Industry | Per-Record Cost |
|---|---|
| Healthcare | $415 |
| Financial Services | $350 |
| Technology | $290 |
| Energy | $240 |
| Manufacturing | $220 |
| Retail | $175 |
| Other | $165 |
Source attribution: The per-industry per-record cost table is authored calibration, not directly extracted from IBM 2025. IBM’s 2025 report publishes per-record cost by data type (PII, PHI, etc.), not by industry; per-record cost at scale is explicitly disclaimed in the report itself. The per-industry granularity reflects PE-portfolio composition assumptions and the Modified GICS Framework anchor; values are anchored against jurisdictional fine schedules (GDPR, HIPAA, CCPA, state breach-notification statutes) and IBM 2025 / Ponemon directional ranges. Values are starting calibration; tunable per firm policy.
Operational Loss:
Operational Loss = Annual Revenue × 0.5% × Maturity Factor
Represents business disruption, incident response, and recovery costs as a fraction of revenue, scaled by control strength.
Example: A Technology company with maturity 3.5, $80M revenue, 200,000 sensitive records:
- Breach Probability = 25% × 0.7 = 17.5%
- Breach Impact = 200,000 × $290 = $58,000,000
- Operational Loss = $80,000,000 × 0.5% × 0.7 = $280,000
- Calibrated ALE = (17.5% × $58M) + $280,000 = $10,430,000
- Range: $5,215,000 (low) / $10,430,000 (likely) / $20,860,000 (high)
Derived Metrics
Risk Reduction Value
Risk Reduction = ALE at Maturity 0 − ALE at Current Maturity
Shows the dollar value of maturity improvements. “Your security program has reduced estimated annual exposure by $X.”
ALE as % of Revenue (calibrated only)
ALE Revenue % = (Likely ALE ÷ Annual Revenue) × 100
Contextualizes exposure relative to company size. Typical range: 1–5% for mid-market companies.
Insurance Efficiency Ratio
Efficiency = Annual Cyber Insurance Premium ÷ Likely ALE
- < 0.3 — potentially underinsured
- 0.3 – 1.0 — reasonable coverage
- > 1.0 — overpaying relative to estimated exposure
Premium data is pulled automatically from Insurance Premium Records when available.
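The Python below is an added worked implementation, not Testify's own code, that wires together the Stage 2 record-count mapping, the Estimated Mode lookup, the Calibrated Mode FAIR-lite formula and the three derived metrics above, using the tables in this guide. Assumptions not stated in the guide: maturity bands are lower-inclusive (a score of exactly 2.0 takes the 1.0× factor, 5.0 takes 0.4×), and the insurance ratio boundaries 0.3 and 1.0 belong to the middle band.

```python
# Base ALE by industry and CME tier (USD), from the Estimated Mode table.
BASE_ALE = {
    "Healthcare":    {1: 4.5e6, 2: 3.2e6, 3: 2.1e6, 4: 1.4e6},
    "Financial Svc": {1: 5.2e6, 2: 3.8e6, 3: 2.5e6, 4: 1.6e6},
    "Technology":    {1: 3.8e6, 2: 2.7e6, 3: 1.8e6, 4: 1.2e6},
    "Manufacturing": {1: 2.1e6, 2: 1.5e6, 3: 1.0e6, 4: 0.7e6},
    "Retail":        {1: 2.4e6, 2: 1.7e6, 3: 1.1e6, 4: 0.8e6},
    "Energy":        {1: 2.8e6, 2: 2.0e6, 3: 1.3e6, 4: 0.9e6},
    "Other":         {1: 1.8e6, 2: 1.3e6, 3: 0.9e6, 4: 0.6e6},
}
# Per-record cost by industry (USD), from the Calibrated Mode table.
PER_RECORD_COST = {"Healthcare": 415, "Financial Svc": 350, "Technology": 290,
                   "Energy": 240, "Manufacturing": 220, "Retail": 175, "Other": 165}
# Regulated-data-volume questionnaire answer -> estimated sensitive record count.
RECORD_COUNT = {"minimal": 5_000, "moderate": 50_000,
                "large": 500_000, "massive": 5_000_000}

def maturity_factor(score: float) -> float:
    """Maturity Factor bands; assumption: lower-inclusive bands, 5.0 in the top band."""
    if not 0.0 <= score <= 5.0:
        raise ValueError("maturity score must be on the 0-5 scale")
    for upper, factor in [(1.0, 1.5), (2.0, 1.2), (3.0, 1.0), (4.0, 0.7)]:
        if score < upper:
            return factor
    return 0.4

def ale_range(likely: float) -> dict:
    """Low is half of Likely; High is double."""
    return {"low": likely / 2, "likely": likely, "high": likely * 2}

def estimated_ale(industry: str, cme_tier: int, score: float) -> float:
    """Estimated Mode: Base ALE x Maturity Factor."""
    return BASE_ALE[industry][cme_tier] * maturity_factor(score)

def calibrated_ale(industry: str, score: float, revenue: float, records: int) -> float:
    """Calibrated Mode (FAIR-lite): (probability x impact) + operational loss."""
    f = maturity_factor(score)
    breach_probability = 0.25 * f
    breach_impact = records * PER_RECORD_COST[industry]
    operational_loss = revenue * 0.005 * f
    return breach_probability * breach_impact + operational_loss

def risk_reduction(industry: str, score: float, revenue: float, records: int) -> float:
    """Calibrated ALE at maturity 0 minus calibrated ALE at the current maturity."""
    return calibrated_ale(industry, 0.0, revenue, records) - calibrated_ale(industry, score, revenue, records)

def ale_revenue_pct(likely: float, revenue: float) -> float:
    return likely / revenue * 100

def insurance_efficiency(premium: float, likely: float) -> tuple:
    """Premium / Likely ALE, labelled with the guide's three bands."""
    ratio = premium / likely
    label = ("potentially underinsured" if ratio < 0.3 else
             "reasonable coverage" if ratio <= 1.0 else "overpaying relative to estimated exposure")
    return ratio, label
```

Running the guide's two examples through these functions reproduces $2,240,000 (CME-2 Healthcare, maturity 3.5) and $10,430,000 (Technology, maturity 3.5, $80M revenue, 200,000 records).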
Important Disclaimers
- These are directional estimates, not actuarial predictions. They are designed to inform investment committee discussions, not replace professional risk quantification.
- Estimated mode uses industry benchmarks and may not reflect company-specific factors (unique threat landscape, contractual obligations, regulatory exposure).
- Calibrated mode provides a tighter range but still uses simplified assumptions. For actuarial-grade quantification, engage a CRQ specialist.
- Base ALE values are updated annually from published breach cost research. Contact your Cyber Flag representative for the current data vintage.
- The model improves with data. As more assessments, validations, and incidents flow through Testify, the maturity score becomes more accurate, and the ALE estimate becomes more reliable.
Methodology based on the FAIR (Factor Analysis of Information Risk) framework, simplified for PE portfolio-level decision making.
© 2026 Cyber Flag | cyberflag.ai | Confidential