Methodology

How the dollar number is built — and what we will not claim.

Valty translates source evidence into EBITDA impact using FAIR-style factor analysis and Monte Carlo simulation. Every number carries its method, confidence, and source coverage. This page shows the full arc — and the boundaries we apply before any output reaches a board.

FAIR: Risk ontology

Factor Analysis of Information Risk — the industry standard for translating threat frequency and impact magnitude into probabilistic dollar ranges.

Monte Carlo: Simulation engine

Each scenario runs thousands of trials across its input distributions to produce a P10 / base / P90 output range rather than a single fragile point estimate.

EBITDA: Bridge language

Exposure is expressed as EBITDA impact so PE operating partners, CFOs, and boards can evaluate it in the same unit as every other business decision.

01

Source adapter → evidence object

Source evidence is collected with owner and freshness

Controls, findings, cloud signals, identity events, supplier assessments, and agent actions are normalized into evidence objects. Each object carries source system, collection timestamp, owner, and a staleness flag when the asset has not been refreshed within its defined window.

02

Evidence object → FAIR factor set

FAIR factors are derived from the evidence, not assumed

Threat Event Frequency (TEF), Vulnerability (V), Threat Capability (TCap), and Loss Magnitude (LM) sub-factors are populated from real telemetry where available. Where evidence is absent or stale, the confidence tier drops and the assumption is flagged — not silently filled with a market average.

03

FAIR factors → P10 / base / P90 range

Monte Carlo simulation produces a range, not a point

The FAIR factor set defines input distributions. The simulation engine runs thousands of trials across those distributions. Output is a loss exceedance curve from which P10 (conservative), base (median), and P90 (tail) values are extracted. The width of the band is itself information — a wide band means thin evidence.
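The step above, as an added example (not Valty's code or parameters): a small simulation that assumes Poisson threat-event frequency, a fixed vulnerability probability and lognormal loss magnitude, and shows how a wider input distribution widens the P10 / base / P90 band. All function names and input values are constructed for illustration.

```python
import math
import random

def simulate_annual_loss(tef_mean, vuln, lm_median, lm_sigma, trials=5000, seed=7):
    """Sorted annual-loss samples for one scenario (assumed distributions).

    tef_mean: mean threat events per year (TEF), Poisson
    vuln: probability a threat event becomes a loss event (V)
    lm_median, lm_sigma: lognormal loss magnitude per loss event (LM)
    """
    rng = random.Random(seed)          # seeded so a run is reproducible
    mu = math.log(lm_median)
    samples = []
    for _ in range(trials):
        # Poisson event count for one year via exponential inter-arrival times
        events, t = 0, rng.expovariate(tef_mean)
        while t < 1.0:
            events += 1
            t += rng.expovariate(tef_mean)
        # Each threat event becomes a loss event with probability vuln
        loss = sum(rng.lognormvariate(mu, lm_sigma)
                   for _ in range(events) if rng.random() < vuln)
        samples.append(loss)
    samples.sort()
    return samples

def percentile(samples, p):
    """Nearest-rank percentile of an already sorted list."""
    return samples[min(len(samples) - 1, int(p / 100 * len(samples)))]

def loss_range(samples):
    return {"P10": percentile(samples, 10), "base": percentile(samples, 50),
            "P90": percentile(samples, 90)}

def exceedance(samples, threshold):
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    return sum(1 for x in samples if x > threshold) / len(samples)

# Constructed inputs: same TEF, V and median LM; only the LM spread differs.
STRONG = dict(tef_mean=6, vuln=0.5, lm_median=1_000_000, lm_sigma=0.3)
THIN = dict(tef_mean=6, vuln=0.5, lm_median=1_000_000, lm_sigma=1.2)

if __name__ == "__main__":
    for label, params in (("strong evidence", STRONG), ("thin evidence", THIN)):
        s = simulate_annual_loss(**params)
        r = loss_range(s)
        print(label, {k: round(v) for k, v in r.items()},
              "P(loss > 5M) =", round(exceedance(s, 5_000_000), 3))
```

Because the random generator is seeded, rerunning with the same inputs reproduces the same range, which is what makes a published number traceable to its simulation parameters.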

04

Loss range → EBITDA bridge

The range maps to EBITDA bridge line items

Five scenario families translate loss ranges into EBITDA impact: ransomware / no-source-material (RNSM), data breach response cost (DBRC), compliance-driven value drag (CMPL), operational interruption (INTR), and insurance premium and retention change (INSR). Each line item carries the scenario family, the FAIR driver, and the evidence coverage that supports it.

05

EBITDA bridge → board-ready proof

Proof leaves the platform with its evidence chain visible

Board packs, IC briefs, and proof cards export the claim alongside its source coverage, confidence tier, freshness timestamp, and simulation parameters. A blocked-claim ledger surfaces any line item whose evidence is stale, missing, or below the publication threshold — so the board sees what is supported, not a cleaned-up summary.

Design partner

Illustrative output

The output is a range, not a point.

The card below shows the structure of a real financial output — P10 (10th percentile, conservative), base (median), and P90 (90th percentile, tail exposure). The values shown are illustrative inputs used for design validation; actual tenant outputs are workspace-bound.

Illustrative values only. Real outputs require your source evidence and are generated inside an authenticated Valty workspace.

  • Range width reflects evidence confidence — a narrow band means strong coverage
  • Each driver is traceable to a FAIR factor and a source evidence object
  • Export is blocked if any line item falls below the publication confidence threshold

FinancialHeroCard pattern

Portfolio value at risk

Live proof grammar
$14.2M

Decision-support estimate. P10 is the conservative case; P90 is tail exposure. Method, confidence, and source coverage are visible before any number reaches a board or IC packet.

P10 $10.8M | Base $14.2M | P90 $17.6M

FAIR Risk Engine: Inspect how FAIR factors and input distributions produce the output range — method and assumptions visible next to the number.

Method in the product

The math is visible inside the platform, not hidden behind a black box.

The FAIR Risk Engine surface shows input distributions, simulation parameters, and the output loss exceedance curve — so any number that reaches a board can be traced back to its assumptions and challenged.

The EBITDA Sensitivity surface maps each scenario family to its EBITDA impact with adjustable assumption levers, so operating partners and CFOs can stress-test the model before it becomes a board action.

  • Distributions are shown, not hidden
  • Sensitivity levers are accessible before export
  • Blocked line items surface in the output, not after publication

EBITDA Sensitivity: Scenario families mapped to EBITDA impact with sensitivity levers, so assumptions can be adjusted and the output recalculated before it reaches a board.

FrameworkModeStack

Evidence-mode coverage

  • Automated: 62
  • Assisted: 24
  • Manual: 14

Coverage and confidence

Evidence mode determines how much of the model is inferred vs. real.

When more controls are covered by automated or API-verified evidence, the FAIR factor set is more tightly constrained and the Monte Carlo output range narrows. Gaps in coverage widen the band and drop affected line items to a lower confidence tier — keeping the model honest about what it knows.

The framework mode bar shows the split between automated evidence (Tier 1–2), assisted evidence (Tier 3), and manual attestation for a representative control domain. Actual coverage depends on the connectors active in a tenant workspace.

Coverage percentages above are design-partner illustrative defaults. Tenant coverage is shown inside the authenticated workspace after source connectors are configured.

Proof matrix

EBITDA bridge: scenario families, FAIR factors, and confidence

Each scenario family maps to a FAIR factor set, the telemetry that populates it, the confidence band it produces, and the freshness requirement before a line item can be published.

| Claim | Source | Confidence | Freshness |
| --- | --- | --- | --- |
| RNSM — Ransomware / no-source-material | Endpoint coverage, backup verification, IR-plan test date, EDR signal freshness | High when EDR + backup evidence is current; degrades to "inferred" when endpoint blind-spots exist | Requires re-run when coverage changes by >10% or after any IR plan revision |
| DBRC — Data breach response cost | Data classification coverage, DLP signal, access-control evidence, incident-response cost benchmarks (Ponemon 2023 baseline, illustrative) | Moderate — cost benchmarks are sector-adjusted illustrative inputs; actual cost depends on data volume and regulatory exposure | Benchmark refreshed annually; tenant inputs refreshed on classification or access-control change |
| CMPL — Compliance-driven value drag | GRC framework coverage, control-gap ledger, regulatory-deadline calendar, deal-pipeline exposure | Design-partner calibrated; confidence scales with GRC evidence freshness and completeness of the control ledger | Re-run on each framework update, control-gap change, or deal-stage transition |
| INTR — Operational interruption | Critical-asset dependency map, RTO/RPO evidence, availability telemetry, supplier-chain exposure | Depends heavily on asset-inventory completeness; gaps are flagged rather than gap-filled | Requires fresh availability telemetry; stale dependency maps degrade to lower-confidence tier |
| INSR — Insurance premium and retention change | Current policy limits, retention, renewal date, control evidence required by underwriter questionnaire | Directional — premium impact is modelled from coverage posture, not from underwriter commitment | Refreshed at each renewal cycle or when material control evidence changes |

Proof matrix

Evidence confidence tiers: how input quality flows into output confidence

FAIR factor inputs inherit the confidence tier of the evidence that populates them. Lower-tier inputs widen the simulation band and lower the publication readiness of the affected line item.

| Claim | Source | Confidence | Freshness |
| --- | --- | --- | --- |
| Tier 1 — Hardware / agent attested | Direct agent telemetry, hardware-rooted signal, or API-verified control state | Highest — used as primary input to FAIR factors without adjustment | Flagged stale after defined window (typically 24 h for agent signals) |
| Tier 2 — Software / API verified | Connector-pulled API state, cloud-config evidence, or scanner output | Strong — carries source timestamp; confidence may degrade if scanner cadence lapses | Flagged stale after defined window (typically 48 – 96 h depending on source cadence) |
| Tier 3 — Assisted / assessed | Questionnaire response, control assertion, or analyst-reviewed artifact | Moderate — human-in-the-loop evidence; confidence band widens in simulation | Requires re-attestation on schedule or on material product / process change |
| Tier 4 — Inferred / benchmark | Sector benchmark, FAIR default distribution, or gap-fill where tenant evidence is absent | Low — inferred inputs are flagged in output; publication of line items at this tier requires reviewer sign-off | Benchmarks reviewed annually; any inferred input is superseded as soon as real evidence arrives |

Artifact anatomy

Each output carries source, confidence, freshness, and a publication gate.

| Artifact | Source | Confidence | Freshness |
| --- | --- | --- | --- |
| Scenario output | FAIR simulation — inputs traceable to tenant evidence objects | Tier determined by weakest input in the factor set | Re-run required after any material evidence change |
| EBITDA bridge line item | Scenario family + FAIR driver + EBITDA impact range | Confidence tier carried from the underlying scenario | Blocked for export if source evidence is stale |
| Board pack claim | Approved line items only — blocked claims excluded automatically | Reviewer sign-off required before publication | Freshness timestamp visible in every exported artifact |
| Blocked claim | Evidence below threshold, stale, or inferred without sign-off | Not publishable in current state | Requires owner action on source evidence before export |
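
The gate described in the anatomy above, as an added example (not Valty's code): a line item takes the tier of its weakest input and is blocked when any input is stale or an inferred input lacks reviewer sign-off. The 24 h and 96 h windows follow the "typical" figures in the tier table; the Tier 3 and Tier 4 windows, all names and the sample evidence are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Staleness window per tier. Tier 1 and Tier 2 use the page's typical figures
# (96 h is the upper end of its 48-96 h range); Tier 3 and 4 are assumed.
STALE_AFTER = {1: timedelta(hours=24), 2: timedelta(hours=96),
               3: timedelta(days=90), 4: timedelta(days=365)}

@dataclass
class Evidence:
    source: str          # source system
    owner: str           # who must act if the object goes stale
    tier: int            # 1 (attested) .. 4 (inferred / benchmark)
    collected: datetime  # collection timestamp

    def is_stale(self, now):
        return now - self.collected > STALE_AFTER[self.tier]

def gate_line_item(name, inputs, now, reviewer_signoff=False):
    """Return (status, tier, reasons) for one EBITDA bridge line item."""
    if not inputs:
        return "blocked", None, [f"{name}: no evidence"]
    tier = max(e.tier for e in inputs)     # weakest input sets the tier
    reasons = [f"{e.source} stale, owner {e.owner}"
               for e in inputs if e.is_stale(now)]
    if tier == 4 and not reviewer_signoff:
        reasons.append("inferred input without reviewer sign-off")
    return ("blocked" if reasons else "publishable"), tier, reasons

# Constructed sample evidence for an RNSM line item.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
EDR_FRESH = Evidence("edr", "secops", 1, NOW - timedelta(hours=6))
EDR_OLD = Evidence("edr", "secops", 1, NOW - timedelta(hours=30))
BACKUP = Evidence("backup-api", "infra", 2, NOW - timedelta(hours=30))
BENCHMARK = Evidence("sector-benchmark", "risk", 4, NOW - timedelta(days=30))

if __name__ == "__main__":
    for inputs in ([EDR_FRESH, BACKUP], [EDR_OLD, BACKUP], [EDR_FRESH, BENCHMARK]):
        print(gate_line_item("RNSM", inputs, NOW))
```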

Claim boundary

What Valty does not claim.

Every method carries a boundary. These are ours — stated plainly because trust is built by making the limits visible, not by omitting them.

Not a warranty

Financial outputs are decision-support estimates, not contractual guarantees.

EBITDA impact ranges are model outputs derived from available evidence. They reflect the method, confidence, and limitations of the inputs — not a financial commitment or an insurance valuation. The number should be challenged, not blindly approved.

Not complete without your evidence

The model is only as good as the evidence that feeds it.

Valty does not substitute market averages for missing tenant evidence. Where a FAIR factor cannot be populated from real source coverage, the confidence tier drops and the affected line items are flagged. A wide confidence band or a blocked claim is the correct output — not a polished point estimate.

Not a scanner replacement

Valty does not produce findings. It translates findings you already have.

Source systems — EDR, SIEM, GRC, cloud security posture, identity, scanners — remain the authoritative record for controls and findings. Valty reads and normalises that evidence into financial language. It does not replace your enforcement or detection layer.

Not a regulatory opinion

Compliance line items are exposure estimates, not legal or regulatory advice.

The CMPL scenario family models value drag from compliance gaps based on control evidence and regulatory timelines. It is not a legal opinion, audit assertion, or regulatory safe harbour. Organisations should apply qualified legal and compliance counsel to regulatory obligations.

Not fabricated proof

No illustrative customers, invented case study numbers, or mock logos.

Valty is in a design-partner stage. The financial exhibits on this page use illustrative inputs labelled as such. Real tenant outputs are workspace-bound. No customer reference, testimonial, or case-study number appears on a public page without explicit design-partner review and approval.

Next step

Inspect the method, then decide whether the proof is ready for your board.

The financial risk review is scoped to your source systems. You bring the evidence; Valty shows how the model populates and where the confidence gaps are.