Open-source declarative language for cyber risk modeling. Build Bayesian risk models like QBER, FAIR Monte Carlo engines, and enterprise risk quantification platforms
CRML is an open, declarative Cyber Risk Modeling Language that is agnostic to both the quantification engine and the control or attack framework in use. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements, without forcing you into a specific quantification method, simulation engine, or security-control or threat catalog.
CRML enables RaC (Risk as Code): risk and compliance assumptions become versioned, reviewable artifacts that can be validated and executed consistently across teams and tools.
Problem statement (what CRML is solving)
Cyber security, compliance, and risk management professionals often face the same practical problems:
- Risk models are locked in spreadsheets, slide decks, or proprietary tools, making them hard to review, audit, reproduce, and automate.
- Control effectiveness and “defense in depth” assumptions are documented inconsistently, so results vary by analyst and by quarter.
- Threat and control frameworks (e.g., ATT&CK, CIS, NIST, ISO, SCF, internal catalogs) change over time and do not provide a consistent machine-readable format, so mappings are brittle and rarely versioned.
- Quantification engines differ (FAIR-style Monte Carlo, Bayesian/QBER, actuarial models, internal platforms), causing costly rewrites and re-interpretation.
- Audit-ready evidence is fragmented: “what was modeled, with which parameters, using which data, and producing which outputs” is hard to prove.
CRML addresses this by standardizing the description of cyber risk models and their inputs/outputs, so different engines and organizations can exchange and execute the same model with clear validation and traceability.
Why qualitative assessments aren’t enough
Qualitative methods (red/amber/green, “high/medium/low”, maturity scores) are useful for communication and prioritization, but they tend to break down when you need to:
- Justify security spend (or a new security product) by comparing expected risk with vs. without the investment
- Compare risk consistently across business units, vendors, or time periods
- Show measured risk reduction from controls (not just “improved posture”)
- Connect cyber risk to enterprise risk, insurance, and financial planning
- Produce repeatable, audit-ready evidence of “how we calculated this number”
The next evolution is quantified risk management: treating cyber risk as an estimable distribution of outcomes, grounded in explicit assumptions and data, and computed by repeatable methods. But quantified approaches only scale when models are standardized — so they can be validated, reviewed, reused, and executed across tools and teams.
CRML’s goal is to be this standard: it makes the model portable, the assumptions explicit, and the results reproducible.
Key features
- Control effectiveness modeling — quantify how controls reduce risk (including defense-in-depth)
- Median-based parameterization — specify medians directly for lognormal distributions
- Multi-currency support — model across currencies with automatic conversion
- Auto-calibration — calibrate distributions from loss data
- Strict validation — JSON Schema validation catches errors before simulation
- Implementation-agnostic — works with any compliant simulation engine
- Human-readable YAML — easy to read, review, and audit
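As an added illustration of two of these features (median-based lognormal parameterization and layered control effectiveness), the Python below runs a small FAIR-style Monte Carlo. It is example code written for this page, not CRML's schema or any CRML engine; the scenario dict is a constructed sample and not CRML syntax.

```python
import math
import random
from statistics import mean, quantiles

Z90 = 1.2815515655446004  # standard-normal quantile at p = 0.90

def lognormal_from_median(median, p90):
    """(mu, sigma) of a lognormal with a given median and 90th percentile:
    the median is exp(mu), so mu = ln(median); sigma from ln(p90) = mu + Z90*sigma."""
    if not 0 < median < p90:
        raise ValueError("require 0 < median < p90")
    mu = math.log(median)
    return mu, (math.log(p90) - mu) / Z90

def defense_in_depth(effectiveness):
    """Combined effectiveness of independent layered controls: an event gets
    through only if every layer fails, so multiply the failure probabilities."""
    fail = 1.0
    for e in effectiveness:
        if not 0.0 <= e <= 1.0:
            raise ValueError("effectiveness must lie in [0, 1]")
        fail *= 1.0 - e
    return 1.0 - fail

def poisson(rng, lam):
    """Knuth's algorithm: number of loss events in one year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

# Constructed sample scenario for this example; not CRML syntax.
SCENARIO = {
    "frequency_per_year": 2.0,                        # loss events, uncontrolled
    "magnitude": {"median": 50_000, "p90": 400_000},  # per-event loss, USD
    "controls": [0.5, 0.6],                           # two independent layers
}

def simulate(scenario, with_controls=True, trials=20_000, seed=7):
    """FAIR-style annualized loss: Poisson event count times lognormal loss
    per event; controls scale down the event frequency. Returns mean and p90."""
    rng = random.Random(seed)
    mu, sigma = lognormal_from_median(**scenario["magnitude"])
    reduction = defense_in_depth(scenario["controls"]) if with_controls else 0.0
    lam = scenario["frequency_per_year"] * (1.0 - reduction)
    losses = [sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
              for _ in range(trials)]
    return {"mean": mean(losses), "p90": quantiles(losses, n=10)[8]}
```

Comparing `simulate(SCENARIO, with_controls=False)` against `simulate(SCENARIO)` gives the "with vs. without the investment" comparison the problem statement asks for, with the same median and p90 assumptions driving both runs.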
Vision (a world where CRML is the standard)
Imagine a near-future where CRML is as normal to risk work as IaC is to infrastructure:
- A security architect proposes a new control program by updating CRML documents; the change is peer-reviewed in Git with clear diffs.
- GRC and audit teams can trace every metric back to a validated, versioned model (inputs, assumptions, mappings, outputs).
- Different quant engines (vendor platforms, internal FAIR Monte Carlo, Bayesian QBER, insurance actuarial models) all consume the same CRML documents.
- Framework changes are handled by updating catalogs/mappings (also versioned), rather than rewriting the model logic.
- Organizations can exchange models with partners, insurers, and regulators without sending spreadsheets or screenshots.
- A cyber security authority can publish its yearly threat landscape report in CRML — encoding richer nuance than narrative PDFs (assumptions, distributions, dependencies, control baselines, and mappings) — and in turn benefit from more standardized, machine-readable data submissions from industry.
In that world, cyber risk becomes reproducible, comparable, and automatable across teams — while still allowing methodological diversity.
Cyber risk modeling, now as code: CRML has launched on Product Hunt as an open YAML/JSON format (https://www.producthunt.com/products/crml).