Ransomware Risk Modeling: Calculating Expected Loss Properly

A 12% chance of an encryption incident, a $2.4 million recovery price tag, and an Annual Loss Expectancy of $288,000. That math, drawn from a recent governance brief on manufacturing-sector ransomware exposure, looks tidy on a board slide. It is also almost certainly wrong — not because the inputs are bad, but because a single-point ALE hides everything that actually matters: the shape of the loss distribution, the fat tail where the firm goes bankrupt, the secondary losses that arrive months after restoration, and the correlation between threat frequency and severity that point estimates erase.

Cyber risk quantification has matured fast. IBM’s 2025 Cost of a Data Breach Report put the average total cost of a ransomware breach at $5.08 million per incident — making it the single most expensive initial attack vector tracked. Yet many security teams still defend budgets with heat maps and a multiplied-out ALE figure. This piece walks through how to model ransomware loss the way actuaries and FAIR analysts actually do it: with frequency–severity decomposition, calibrated ranges, Monte Carlo simulation, and an honest accounting of what the model can and cannot tell you.

Why Single-Point ALE Estimates Quietly Mislead

The classic textbook formula — ALE = ARO × SLE (Annual Rate of Occurrence times Single Loss Expectancy) — produces one number from two estimates. That collapse is the problem. Ransomware loss is not normally distributed; it is heavily right-skewed. Most incidents cluster around a manageable median, while a long tail contains the events that take companies out.

The 2025 numbers make this concrete. The median payment in practice is around $110,000–$115,000 (Verizon DBIR 2025, Coveware Q4 2024). But for those who face large, targeted attacks — typically enterprises — demands regularly exceed $10 million. The largest single ransomware payment on record: $75 million, paid to the Dark Angels group in 2024, documented by Mandiant M-Trends. A point-estimate ALE built from “average” inputs sits somewhere near the middle of that range and reports a number no real organization will ever experience. The true risk is the shape of the curve, not its mean.

There is also a definitional problem. The ransom is a small fraction of total loss. The average (mean) cost to recover from a ransomware attack (excluding any ransom payment) dropped by 44% over the last year, coming in at $1.53 million, down from $2.73 million in 2024. Recovery, downtime, legal response, regulatory exposure, and reputational damage typically dwarf the payment itself. Treating “ransomware cost” as a single SLE figure conflates loss categories that behave very differently — payment is bounded by the demand and negotiation, while business interruption scales with dwell time and the criticality of encrypted systems.

The FAIR Decomposition: Frequency Times Magnitude, With Layers

Factor Analysis of Information Risk (FAIR) is the dominant open standard for cyber risk quantification, maintained by the FAIR Institute and adopted across financial services, healthcare, and increasingly manufacturing. Any FAIR analysis — whether a DIY, free or commercial version — follows these four steps:

  • Stage 1: Identify risk scenarios. Determine the asset at risk and the threat in question that could compromise it.
  • Stage 2: Evaluate loss event frequency. Determine ranges of likely values for the threat event frequency and vulnerability variables, soliciting subject matter expert insight as needed.
  • Stage 3: Evaluate loss event magnitude across primary and secondary categories.
  • Stage 4: Simulate.

The decomposition that matters for ransomware looks like this: Loss Event Frequency (LEF) is the product of Threat Event Frequency (TEF) — how often a credible attacker tries — and Vulnerability — the conditional probability the attempt succeeds given current controls. Loss Magnitude (LM) splits into Primary Loss (incurred directly by the organization) and Secondary Loss (arising from third-party reactions):

  • Primary loss: operational and financial costs directly caused by the threat actor or the organization’s response, e.g., asset repair and replacement, ransomware payments, lost productivity, incident response efforts, etc.
  • Secondary loss: operational and financial costs that arise as a result of third-party stakeholders’ experiences of and reactions to the negative event, e.g., regulatory fines, data exposure notifications, revenue loss due to reputational damage, etc.

The FAIR Institute’s 2025 taxonomy update pushed this further, introducing the Initial Attack Method (IAM) as a starting point for scenarios. An IAM is the starting point of a threat (or a loss) event. For example, an attacker may start with a phishing attack en route to a ransomware outcome. The taxonomy also expanded loss categories — for a modern double-extortion ransomware scenario, you might combine business interruption, cyber extortion, and information privacy loss as parallel loss effects rather than collapsing them into one SLE.

FAIR Decomposition: Ransomware Loss, From Scenario to Dollars

  • Loss Event Frequency (LEF) = Threat Event Frequency × Vulnerability. How often a credible attacker targets you, multiplied by the conditional probability your controls fail given an attempt. Expressed in events per year.
  • Primary Loss Magnitude (direct costs to the organization): ransom payment, IR retainers, forensics, productivity loss during outage, system rebuild, hardware replacement, overtime labor.
  • Secondary Loss Magnitude (third-party reactions): regulatory fines, breach notification, customer churn, reputational damage, litigation, contract penalties, insurance premium impact.
  • Annualized Loss Expectancy = LEF × (Primary + Secondary), simulated. Output is a distribution, not a number. Report P50, P90, P99 — and the loss exceedance curve, not the mean.

Calibrating the Inputs Without Lying to Yourself

The hardest part of cyber risk quantification is not the math. It is the elicitation. Subject matter experts are systematically overconfident about ranges, and the “garbage in” problem dominates everything downstream. Calibration is critical. Research consistently shows that experts are overconfident in their estimates: they set ranges that are too narrow. A useful calibration technique is to ask: “If we ran this project 100 times, would the actual value fall outside your range fewer than 10 times?” If the answer is no, the range needs to be wider.

For each FAIR variable, you collect a three-point estimate — minimum, most likely, maximum — at a stated confidence level (typically 90%). Then you fit a distribution. Use the PERT distribution as your default. It requires only three data points that any subject matter expert can provide (optimistic, most likely, pessimistic), it naturally weights toward the most likely value, and it produces smoother, more realistic output than the triangular distribution. The PERT (Program Evaluation and Review Technique) distribution is a transformation of the beta distribution that concentrates probability around the modal estimate while preserving tail flexibility.

A reasonable distribution recipe for ransomware modeling:

  • Threat Event Frequency — Poisson, parameterized from industry incident-rate data plus internal telemetry on intrusion attempts; for example, a Poisson mean of 2.5 material incidents per year derived from internal and industry data.
  • Vulnerability — Beta distribution bounded on [0,1], reflecting the conditional probability of compromise given an attempt. Calibrated against control effectiveness data.
  • Primary Loss components — Lognormal or PERT, never normal. Costs cannot go negative, and ransomware loss is right-skewed.
  • Secondary Loss — PERT for legal/regulatory components with clear bounds; lognormal for reputational and churn impacts that can spike.

Anchor every range against external benchmarks. The 2025 reporting environment offers a wealth of data: Median ransom demands fell by 56% year-over-year, dropping to $1.20 million in 2025 from $2.75 million in 2024. Median ransom payments followed a similar downward trend, declining to $1 million compared with $1.26 million the previous year. Recovery costs also eased significantly, with the mean cost of remediation, excluding any ransom paid, falling to a three-year low of $1.84 million, down from $3.12 million in 2024. Industry-specific anchors matter — State and local government reported paying the highest median amount ($2.5 million), while healthcare reported the lowest ($150,000).

Running the Simulation: Monte Carlo Mechanics

Monte Carlo turns calibrated distributions into a loss distribution. The procedure is mechanical: for each iteration, draw a random sample from each input distribution, combine them according to the FAIR ontology, and record the total loss. Repeat thousands or millions of times.

Monte Carlo simulation is a mathematical technique that models complex systems by running massive numbers of trials. Each trial is based on input variables defined by probability distributions rather than fixed values. In the context of cyber risk, it is primarily used to combine the uncertainty in Loss Event Frequency (LEF) and Loss Magnitude (LM). The result is a single, comprehensive distribution of potential Annualized Loss Expectancy (ALE).

Iteration count matters. Running 100 or 500 iterations does not produce a stable output distribution. The minimum for most applications is 5,000 iterations; 10,000 is standard; complex models with tail-risk focus may need 50,000-100,000. For ransomware — where the tail is the whole point — err toward higher counts. The output is a Loss Exceedance Curve (LEC), which plots the cumulative probability that annual loss will exceed a given dollar threshold.

A worked enterprise example from a manufacturer modeling ransomware exposure:

  • Frequency: Poisson mean of 2.5 material incidents per year based on internal and industry data.
  • Severity: lognormal severity with a heavy tail to capture ransomware spikes and business interruption losses.
  • Dependencies: correlation introduced between incident frequency and severity during heightened geopolitical risk scenarios.
  • Results: an expected annual loss of $8.2M, 95% VaR of $28M, and CVaR of $42M.

The expected loss number is informational. The 95th-percentile Value-at-Risk and Conditional VaR — the average loss in the worst 5% of outcomes — are what drive insurance limits, capital reserves, and control investment decisions.
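The procedure above carried out end to end, as an added example that is not part of the original article or the manufacturer's model: a beta-PERT sampler fitted from three-point estimates (the calibration step described earlier), Poisson threat event frequency thinned by a Beta vulnerability, PERT and lognormal loss components, a shared lognormal stress factor that correlates frequency with severity, and a summary reporting percentiles, VaR, CVaR and points on the loss exceedance curve. Every value in PARAMS is constructed for a hypothetical firm, not benchmark data, and the code assumes NumPy is installed.

```python
import numpy as np

def pert(rng, lo, mode, hi, size, lam=4.0):
    """Beta-PERT: a three-point estimate (min, most likely, max) as a beta on [lo, hi]."""
    a = 1 + lam * (mode - lo) / (hi - lo)
    b = 1 + lam * (hi - mode) / (hi - lo)
    return lo + (hi - lo) * rng.beta(a, b, size)

# Constructed inputs for a hypothetical mid-size firm (90% ranges); not benchmark data.
PARAMS = {
    "tef_per_year": 2.5,                  # Poisson mean of credible attempts per year
    "vuln_beta": (2.0, 6.0),              # Beta(a, b) for P(compromise | attempt), mean 0.25
    "stress_sigma": 0.3,                  # shared 'bad year' factor scaling TEF and severity
    "pay_prob": 0.3,                      # share of loss events where a ransom is paid
    "ransom_usd": (0, 110_000, 3_000_000),             # PERT (min, mode, max)
    "ir_forensics_usd": (50_000, 250_000, 1_200_000),  # PERT
    "downtime_days": (1, 7, 45),                       # PERT
    "bi_per_day": (60_000, 0.8),                       # lognormal (median, log-sd)
    "secondary": (200_000, 1.2),                       # lognormal (median, log-sd)
}

def simulate(rng, n_iter, p=PARAMS):
    """Return one simulated annual loss per iteration: the sum of that year's loss events."""
    stress = rng.lognormal(0.0, p["stress_sigma"], n_iter)             # links LEF and LM
    attempts = rng.poisson(p["tef_per_year"] * stress)                  # TEF per year
    events = rng.binomial(attempts, rng.beta(*p["vuln_beta"], n_iter))  # realised LEF
    idx = np.repeat(np.arange(n_iter), events)                          # one slot per event
    m = idx.size
    ransom = pert(rng, *p["ransom_usd"], m) * (rng.random(m) < p["pay_prob"])
    ir = pert(rng, *p["ir_forensics_usd"], m)
    bi_med, bi_sig = p["bi_per_day"]                                    # outage cost per day
    bi = pert(rng, *p["downtime_days"], m) * rng.lognormal(np.log(bi_med * stress[idx]), bi_sig, m)
    secondary = rng.lognormal(np.log(p["secondary"][0]), p["secondary"][1], m)
    losses = np.zeros(n_iter)
    np.add.at(losses, idx, ransom + ir + bi + secondary)                # primary + secondary
    return losses

def summarize(losses):
    """Percentiles, 95% VaR (= P95) and CVaR (mean of the worst 5%) of annual loss."""
    p50, p90, p95, p99 = np.percentile(losses, [50, 90, 95, 99])
    return {"mean": losses.mean(), "p50": p50, "p90": p90, "p95": p95, "p99": p99,
            "cvar95": losses[losses >= p95].mean()}

def exceedance_prob(losses, threshold):
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    return float(np.mean(losses > threshold))

if __name__ == "__main__":
    rng = np.random.default_rng(7)
    losses = simulate(rng, 50_000)   # 50k iterations so the P99 is reasonably stable
    for k, v in summarize(losses).items():
        print(f"{k:>7}: ${v:,.0f}")
    for t in (1_000_000, 5_000_000, 10_000_000):
        print(f"P(loss > ${t:,.0f}) = {exceedance_prob(losses, t):.3f}")
```

With these inputs the median year has no loss event at all while the mean sits above a million dollars, which is exactly the right-skew that a single ALE figure hides.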

Distribution Selection: Picking the Right Curve for Each Variable

Distribution choice is not cosmetic — it determines tail behavior, and tail behavior is where ransomware risk lives.

  • PERT (beta-PERT). Use for: most expert-elicited variables (ransom demands, IR retainer costs, downtime hours). Why: three-point input (min, mode, max); concentrates around the most-likely value while keeping tails plausible.
  • Lognormal. Use for: severity of business interruption, total recovery cost, reputational/churn impacts. Why: heavy right tail captures the catastrophic-incident scenario; cannot go negative.
  • Poisson. Use for: annual count of material incidents (Threat Event Frequency). Why: standard model for rare independent events occurring at a known average rate.
  • Beta. Use for: Vulnerability (probability bounded 0–1), control effectiveness rates. Why: naturally bounded on [0,1]; flexible shape for asymmetric belief about success rates.
  • Normal. Avoid for cost variables. Why: symmetric, allows negative values, understates tail risk; wrong shape for ransomware.

What the 2025 Loss Data Should Tell Your Model

Rebaseline the model annually against current incident telemetry. Several 2025 shifts materially change input ranges.

Recovery times have compressed. Over half of victims (53%) were recovered within a week, a significant jump from the 35% reported in 2024. Downtime distributions should reflect this — but with a fatter tail for the unlucky 18% who still need over a month.

Encryption rates dropped. Data encryption in enterprise organizations is at its lowest reported rate in the five years of the Sophos survey, with under half (49%) of attacks resulting in data being encrypted, down significantly from the 66% reported in 2024. The conditional probability of full encryption given an intrusion is materially lower than two years ago — a vulnerability factor adjustment.

Backup recovery is less reliable than the marketing implies. Halcyon reported that 84% of paying victims in Q4 2024 failed to fully recover their data after paying. Models that assume payment-equals-recovery are wrong, but so are models that assume backups always work — the use of backups dropped to a four-year low of 53%, down from 73% the previous year.

Initial access vectors shifted. Sophos State of Ransomware 2025 gives the cleanest breakdown by initial access vector:

  • Exploited vulnerabilities: 32% of incidents — the most common technical entry point, up from prior years.
  • Compromised credentials: 23% of incidents, down from 29% in 2024.

If you map controls to IAMs in your scenarios, weight patch management and external attack surface management more heavily this cycle.

Industry matters more than averages. Recovery cost varies sharply. Smaller firms reported lower costs ($638,000 for companies with 100–250 employees), while larger organizations plateaued around $1.8 million. A healthcare model anchored to a manufacturing benchmark will understate secondary loss; a small-firm model anchored to enterprise data will overstate primary loss.

Modeling Control Investments and ROI

The point of all this is decision support. Once a baseline distribution exists, you can model proposed controls by adjusting the relevant input distributions and re-running the simulation. The delta between the current and proposed loss exceedance curves is the quantified risk reduction.

A worked healthcare example from Drata’s FAIR-based analysis estimates an expected loss of $2.8M, which can be mitigated to $600K through targeted investments in backups and encryption controls. The same logic supports cyber insurance decisions: in the analysis cited, Policy A covers up to $5M with a $300K premium, and compared to the organization’s annualized loss exposure of $4.3M, this policy delivers the strongest value.
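An added example, not from Drata or the article, that makes the delta concrete with a simplified compound Poisson-lognormal model rather than the full FAIR decomposition: it re-runs the simulation with and without a hypothetical control programme, reports the change at the mean, P95 and P99, and evaluates retained loss under a policy shaped like Policy A. The $5M limit and $300K premium are the article's; the deductible, scenario parameters and control cost are constructed, and NumPy is assumed to be installed.

```python
import numpy as np

def annual_losses(rng, n_iter, attempts_per_year, p_compromise, sev_median, sev_sigma):
    """Simplified compound model: Poisson attempts, each succeeding with p_compromise,
    each loss event drawing a lognormal severity. Returns one annual loss per iteration."""
    events = rng.binomial(rng.poisson(attempts_per_year, n_iter), p_compromise)
    idx = np.repeat(np.arange(n_iter), events)
    losses = np.zeros(n_iter)
    np.add.at(losses, idx, rng.lognormal(np.log(sev_median), sev_sigma, idx.size))
    return losses

# Constructed scenarios (hypothetical). The control programme lowers the conditional
# probability of compromise and shortens outages, so it moves both LEF and magnitude.
BASELINE = dict(attempts_per_year=2.5, p_compromise=0.25, sev_median=900_000, sev_sigma=1.0)
WITH_CONTROLS = dict(attempts_per_year=2.5, p_compromise=0.12, sev_median=600_000, sev_sigma=1.0)
CONTROL_COST_PER_YEAR = 350_000   # constructed annualised spend on the control programme

def risk_reduction(rng, n_iter, baseline, proposed, control_cost):
    """Delta between the current and proposed loss distributions at mean, P95 and P99."""
    base = annual_losses(rng, n_iter, **baseline)
    prop = annual_losses(rng, n_iter, **proposed)
    stats = lambda x: {"mean": x.mean(), "p95": np.percentile(x, 95), "p99": np.percentile(x, 99)}
    b, p = stats(base), stats(prop)
    out = {k: (b[k], p[k], b[k] - p[k]) for k in b}
    out["net_benefit"] = out["mean"][2] - control_cost   # expected-loss reduction minus spend
    return out, base

def retained_loss(losses, deductible, limit, premium):
    """Annual loss kept after an aggregate policy with a deductible and a limit, plus premium
    (constructed simplification; real wording has sub-limits and exclusions)."""
    covered = np.clip(losses - deductible, 0, limit)
    return losses - covered + premium

def compare_policies(losses, policies):
    """Retained-loss mean, P95 and P99 under each candidate policy."""
    return {name: {"mean": r.mean(), "p95": np.percentile(r, 95), "p99": np.percentile(r, 99)}
            for name, r in ((n, retained_loss(losses, **t)) for n, t in policies.items())}

if __name__ == "__main__":
    rng = np.random.default_rng(42)
    result, base = risk_reduction(rng, 50_000, BASELINE, WITH_CONTROLS, CONTROL_COST_PER_YEAR)
    for k in ("mean", "p95", "p99"):
        b, p, d = result[k]
        print(f"{k}: ${b:,.0f} -> ${p:,.0f} (reduction ${d:,.0f})")
    print(f"net benefit on expected loss: ${result['net_benefit']:,.0f}")
    # Policy A terms ($5M limit, $300K premium) follow the article; the deductible is constructed.
    policies = {"no cover": dict(deductible=0, limit=0, premium=0),
                "Policy A": dict(deductible=250_000, limit=5_000_000, premium=300_000)}
    for n, m in compare_policies(base, policies).items():
        print(f"{n:>8}: mean ${m['mean']:,.0f}  P95 ${m['p95']:,.0f}  P99 ${m['p99']:,.0f}")
```

Compare the P99 rows, not just the means: a policy with a limit caps the retained tail, which is the decision-relevant effect an expected-loss comparison alone does not show.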

The FAIR Controls Analytics Model (FAIR-CAM) adds a layer worth respecting. FAIR™-CAM uses the terms ‘intended performance’ vs ‘operational performance’, which speak for themselves: the risk scenarios you think are mitigated by your controls may cause more harm than you anticipated, and a model without an operational feedback loop makes only limited sense. A control that exists on paper is not a control. Calibrate operational performance against incident telemetry and tabletop results, not vendor data sheets.

Common Modeling Mistakes That Quietly Wreck the Output

Most failures are not mathematical. They are procedural.

Using the wrong distribution for cost variables. Normal distributions on cost produce negative ransom payments in some iterations, which is incoherent. Lognormal or PERT are correct.

Too few iterations. Tail metrics require sample sizes the model can support. A P99 estimate from 1,000 iterations rests on only ten samples in the tail, so its confidence bounds are wide and themselves uncertain.

Ignoring correlation. Enterprise risk rarely moves in isolation. Cyber events may spike during geopolitical tensions; vendor disruptions may combine with logistics bottlenecks. Model dependencies to avoid underestimating aggregate risk. Frequency and severity often correlate — a busy threat year is also a year when defenders are stretched thin and individual incidents land harder.

Modeling the model instead of the risk. Spending weeks perfecting the Excel model while using poorly calibrated inputs. The model structure matters less than the quality of the input distributions. Invest time in expert elicitation, not model complexity.

Reporting the mean. Executives nod at expected loss figures and miss the tail. Lead with the loss exceedance curve and the P95 or P99 — that is the number that determines insurance limits and survival.

Not updating annually. Threat actor activity shifts. Qilin is currently the most prolific group by victim count, having expanded 578% in 2025. LockBit 5.0 re-emerged in September 2025 and remains active. DragonForce absorbed former RansomHub affiliates and operates a franchise-style RaaS model. Models built on 2023 threat profiles miss the current ecosystem entirely.

Frequently Asked Questions

Should we use FAIR or build a bespoke model? Use FAIR. The taxonomy is the value — it standardizes vocabulary, forces decomposition into measurable variables, and makes results auditable. Bespoke models tend to embed assumptions in code where reviewers cannot find them.

What confidence interval should we report to the board? Report P50 (median), P90, and P95 at minimum, plus the loss exceedance curve. A single point is insufficient; ten points are noise. Three percentiles plus a curve gives the board a real picture of the distribution.

How often should models be rerun? Annually at minimum, and after any material change — new business unit, major control deployment, significant threat landscape shift, or a near-miss incident. The 2025 data shifts alone justify a refresh for any model older than nine months.

Is Monte Carlo overkill for smaller organizations? No, but the calibration burden is real. A spreadsheet with PERT distributions on 5–7 key variables and 10,000 iterations runs in standard Excel and produces a defensible answer. The barrier is not tooling; it is the discipline of calibrated estimation.

What Good Looks Like

A defensible ransomware risk model produces a loss exceedance curve, names its assumptions, cites its data sources, gets re-run when those sources update, and feeds directly into specific decisions — control investment, insurance limits, capital reserves, board reporting. It does not produce a single number. It does not pretend the tail is normal. It does not assume backups always work or that payment guarantees recovery.

If your current process is ARO × SLE on a slide, the upgrade path is straightforward: decompose into FAIR variables, calibrate ranges with a real elicitation protocol, fit appropriate distributions, run 10,000+ Monte Carlo iterations, and report the curve. The math is freshman statistics. The discipline is what most programs lack.
