What is the QRM methodology?
QRM (Quantified Risk Model) is our proprietary methodology that combines NIST 800-30, Hubbard calibration methods, and Monte Carlo simulation. It decomposes every risk into five measurable factors: Threat Probability (TP), Attack Success Rate (ASR), Impact Severity (IS), Cascading Impact (CI), and Impact Multiplier (IM). These factors are combined to calculate Annual Loss Expectancy (ALE)—a defensible dollar amount your board can act on.
What are the five QRM factors?
The five QRM factors are: (1) Threat Probability (TP) — how often attackers attempt an attack, expressed as expected attempts per year; (2) Attack Success Rate (ASR) — the probability that a given attempt succeeds; (3) Impact Severity (IS) — direct costs when an attack succeeds; (4) Cascading Impact (CI) — secondary costs like regulatory fines, lawsuits, or reputation damage; and (5) Impact Multiplier (IM) — the probability that those secondary impacts occur. The formula is: ALE = (TP × ASR) × (IS + (CI × IM)). Read it in two halves: TP × ASR is the expected number of successful attacks per year, and IS + (CI × IM) is the expected cost of each one.
How does QRM align with NIST 800-30?
QRM explicitly maps to NIST Special Publication 800-30 Rev. 1, the federal guide for conducting risk assessments. This provides regulatory alignment for federal contractors and regulated industries, audit defensibility through a documented methodology, and compatibility with the NIST Cybersecurity Framework (CSF) and NIST 800-53 controls.
What is calibration training and why is it mandatory?
Calibration training helps you give accurate probability estimates. Research by Douglas Hubbard shows that when untrained people give 90% confidence intervals, those intervals typically contain the true answer only 50-60% of the time. This overconfidence makes risk calculations unreliable. RisqRadar requires calibration training before you create risk assessments because garbage in = garbage out. Our goal is to ensure that when you say 90% confident, you're actually right 90% of the time.
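The check behind that goal can be run on any batch of calibration answers. The following is an added example, not RisqRadar's calibration engine: it scores a batch of 90% confidence intervals against the true answers and asks how likely a genuinely calibrated estimator would be to score that few hits (intervals too narrow) or that many (intervals too wide), using an exact binomial test. Both answer sets are constructed for illustration, not real quiz data, and the 0.05 significance threshold is an assumption.

```python
from math import comb

# Added example, not RisqRadar's calibration engine. Each entry is
# (lower bound, upper bound, true answer) for a question answered at the
# 90% confidence level. Both answer sets are constructed for illustration,
# not real quiz data.
OVERCONFIDENT = [          # ranges too narrow: 6 of 10 contain the truth
    (1900, 1910, 1903),    # hit
    (100, 120, 150),       # miss
    (5, 8, 6),             # hit
    (40, 45, 52),          # miss
    (1000, 1200, 1100),    # hit
    (20, 22, 30),          # miss
    (300, 330, 310),       # hit
    (70, 75, 64),          # miss
    (0.5, 0.7, 0.6),       # hit
    (10, 12, 11),          # hit
]
CALIBRATED = [             # same questions, honest width: 9 of 10 contain the truth
    (1890, 1920, 1903), (90, 160, 150), (3, 10, 6), (35, 60, 52),
    (800, 1500, 1100), (15, 35, 30), (250, 400, 310), (60, 80, 64),
    (0.3, 0.9, 0.6), (12, 15, 11),   # the single miss
]


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p); exact, no SciPy needed."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(0, k + 1))


def assess(answers, target=0.9, alpha=0.05):
    """Hit rate plus one-sided binomial tests against the target coverage.

    p_low:  chance a truly calibrated estimator scores this few hits or fewer
            (small -> intervals too narrow -> overconfident).
    p_high: chance of this many hits or more (small -> intervals too wide).
    """
    n = len(answers)
    hits = sum(1 for lo, hi, truth in answers if lo <= truth <= hi)
    p_low = binom_cdf(hits, n, target)
    p_high = 1.0 - binom_cdf(hits - 1, n, target)
    if p_low < alpha:
        verdict = "overconfident"
    elif p_high < alpha:
        verdict = "underconfident"
    else:
        verdict = "consistent with target"
    return {"hits": hits, "n": n, "hit_rate": hits / n,
            "p_low": p_low, "p_high": p_high, "verdict": verdict}


def questions_needed_to_detect_wide_ranges(target=0.9, alpha=0.05):
    """Smallest batch size at which a perfect score becomes flaggable:
    the first n where P(all n hit | calibrated) = target**n drops below alpha."""
    n = 1
    while target ** n >= alpha:
        n += 1
    return n


if __name__ == "__main__":
    for name, answers in (("overconfident", OVERCONFIDENT), ("calibrated", CALIBRATED)):
        print(name, assess(answers))
    print("questions needed to flag overly wide ranges:",
          questions_needed_to_detect_wide_ranges())
```

With ten questions, 6 hits is flagged as overconfident (a calibrated estimator would do that badly about 1.3% of the time), while 9 hits is consistent with the 90% target. The opposite failure, intervals so wide that everything hits, cannot be flagged at all on small batches: at the 0.05 level you need 29 questions before a perfect score is statistically surprising, which is one reason calibration is assessed over many questions rather than a handful.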
What cognitive biases does calibration training address?
Our AI Calibration Coach detects and helps correct several cognitive biases including: anchoring (over-relying on the first number you hear), overconfidence (confidence intervals that are too narrow), availability bias (overweighting recent or memorable events), and the planning fallacy (underestimating time and costs). The coach provides personalized exercises targeting your specific bias patterns.
How does Monte Carlo simulation work?
Monte Carlo simulation runs thousands of trials (typically 10,000) against the probability distributions you entered. In each trial it randomly samples a value for each of the five QRM factors, applies the ALE formula, and records the resulting loss. The output is a probability distribution showing the range of possible outcomes—including expected loss, 90th percentile loss, and the probability of exceeding various thresholds. This properly propagates uncertainty through the calculation; plugging single "most likely" values into the formula ignores the ranges and, because loss ranges usually skew toward the large end, understates the expected loss.
What if I don't have precise data for my estimates?
That's exactly why we use probability distributions instead of point estimates. You provide a range (minimum, most likely, maximum) that captures your uncertainty. The AI Estimation Assistant helps by providing industry benchmarks from sources like Verizon DBIR, IBM Ponemon, and Coveware. Even rough estimates, when properly calibrated, produce useful results—and you can use Value of Information analysis to identify which estimates are worth refining.
What AI features does RisqRadar include?
RisqRadar includes five AI-powered features: (1) AI Calibration Coach — analyzes your performance and detects cognitive biases; (2) AI Estimation Assistant — provides industry benchmarks and validation on every input; (3) AI Scenario Generator — recommends relevant risk scenarios for your organization; (4) AI Report Narrator — generates board-ready talking points and Q&A preparation; (5) AI Question Generator — creates fresh calibration questions for ongoing certification.
Does the AI make decisions for me?
No. The AI guides but never replaces your judgment. It provides industry benchmarks, flags estimates that seem too narrow or wide, and helps decompose complex estimates into simpler parts. But it never gives you a single "correct" answer. You remain in control of all risk assessments and final decisions.
What industry benchmarks does the AI use?
The AI Estimation Assistant references authoritative sources including: Verizon Data Breach Investigations Report (DBIR), IBM/Ponemon Cost of a Data Breach Report, Coveware Ransomware Reports, Mandiant M-Trends, and the HHS HIPAA Penalty Database. These provide evidence-based starting points for your estimates.
How is this better than a risk matrix or heat map?
Risk matrices can't tell you actual exposure in dollars, can't be mathematically combined (you can't add "high" + "medium"), and often produce inconsistent rankings. QRM gives you numbers you can use: expected annual loss, value at risk percentiles, and return on security investment. Instead of "high risk," you can tell your board "$2.4M expected annual loss with 10% chance of exceeding $8M."
How does RisqRadar compare to enterprise CRQ tools?
Enterprise cyber risk quantification (CRQ) tools typically cost $50K-$200K annually, require 3-6 months to implement, need external consultants, and charge extra for calibration training. RisqRadar provides equivalent capabilities at $99/month, can be set up in 30 minutes, requires no consultants, and includes calibration training built-in. We believe quantitative risk analysis shouldn't require a massive budget.
Can I use RisqRadar for compliance and audit purposes?
Yes. QRM's explicit alignment with NIST 800-30 provides a defensible approach to risk assessment recognized by regulators and auditors. Your quantitative analysis, with documented assumptions, calibrated estimators, and transparent methodology, provides much stronger audit evidence than subjective heat maps. Many organizations use RisqRadar to support SOC 2, HIPAA, and federal compliance requirements.
How do I calculate ROI on security controls?
Run simulations with and without a proposed control to see the expected loss reduction. RisqRadar's control analysis shows exactly how each control affects the five QRM factors. Compare the annual loss reduction against the control's annualized cost (licensing plus the people and time needed to run it), not just its purchase price. If a control costing $100K per year reduces expected annual loss by $500K, you have a clear ROI case for leadership: a $400K net reduction, or a 400% return.
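A worked example that ties together the ALE formula from "What are the five QRM factors?", the Monte Carlo run from "How does Monte Carlo simulation work?", and the with/without-control comparison in this answer. This is added example code, not RisqRadar's implementation: the ransomware scenario ranges, the control's assumed effect on ASR and IS, the $2M reporting threshold, and the $100K annual control cost are all illustrative assumptions, and the factors are sampled independently from triangular distributions.

```python
import random
import statistics

# Added example, not RisqRadar's implementation. Each QRM factor is given as
# a (minimum, most likely, maximum) range and sampled from a triangular
# distribution. TP is taken as attack attempts per year, so TP * ASR is the
# expected number of successful attacks per year and ALE is in dollars/year.

# Constructed inputs for a hypothetical ransomware scenario; the numbers are
# placeholders for illustration, not industry benchmarks.
BASELINE = {
    "TP":  (2.0, 4.0, 8.0),                 # attempts per year
    "ASR": (0.05, 0.15, 0.30),              # probability an attempt succeeds
    "IS":  (200_000, 600_000, 1_500_000),   # direct cost per successful attack ($)
    "CI":  (100_000, 500_000, 3_000_000),   # secondary cost if it materializes ($)
    "IM":  (0.10, 0.30, 0.60),              # probability the secondary cost occurs
}

# Hypothetical control (say, tested offline backups plus EDR) assumed to lower
# the success rate and the direct cost; the other factors are unchanged.
WITH_CONTROL = dict(BASELINE, ASR=(0.01, 0.05, 0.12), IS=(100_000, 300_000, 800_000))


def ale(tp, asr, impact, cascade, multiplier):
    """The QRM formula from the FAQ: ALE = (TP x ASR) x (IS + CI x IM)."""
    return (tp * asr) * (impact + cascade * multiplier)


def point_estimate(factors):
    """ALE using only the 'most likely' value of each factor (ignores uncertainty)."""
    modes = {name: mode for name, (lo, mode, hi) in factors.items()}
    return ale(modes["TP"], modes["ASR"], modes["IS"], modes["CI"], modes["IM"])


def simulate(factors, trials=10_000, seed=1):
    """Monte Carlo: resample every factor each trial, return sorted annual losses."""
    rng = random.Random(seed)   # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode); our tuples are (low, mode, high)
        sample = {name: rng.triangular(lo, hi, mode) for name, (lo, mode, hi) in factors.items()}
        losses.append(ale(sample["TP"], sample["ASR"], sample["IS"], sample["CI"], sample["IM"]))
    losses.sort()
    return losses


def summarize(losses, threshold):
    """Expected loss, 90th-percentile loss and P(loss > threshold) from sorted losses."""
    n = len(losses)
    return {
        "expected": statistics.fmean(losses),
        "p90": losses[min(n - 1, int(0.9 * n))],
        "p_exceed": sum(1 for x in losses if x > threshold) / n,
    }


def control_roi(before, after, annual_cost):
    """Expected annual loss reduction and ROI = (reduction - cost) / cost."""
    reduction = statistics.fmean(before) - statistics.fmean(after)
    return reduction, (reduction - annual_cost) / annual_cost


if __name__ == "__main__":
    base = simulate(BASELINE)
    ctrl = simulate(WITH_CONTROL)
    print("point estimate (modes only):", round(point_estimate(BASELINE)))
    print("baseline:", {k: round(v, 3) for k, v in summarize(base, 2_000_000).items()})
    print("with control:", {k: round(v, 3) for k, v in summarize(ctrl, 2_000_000).items()})
    reduction, r = control_roi(base, ctrl, annual_cost=100_000)
    print(f"loss reduction ${reduction:,.0f}/yr, ROI {r:.0%}")
```

Two things to notice when you run it. First, the point estimate built from the most-likely values ($450K here) sits well below the simulated expected loss (roughly $0.9M with these ranges), because every range is skewed toward the large end; that gap is the reason for sampling distributions instead of plugging in single numbers. Second, the factors are drawn independently, which is a simplification: in a real incident the direct and cascading costs tend to move together, so treat this as the baseline model and add correlation only if you have a basis for it.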
What types of risks can I analyze?
RisqRadar can model any cyber risk scenario including ransomware attacks, data breaches, insider threats, DDoS attacks, business email compromise, third-party/supply chain breaches, system outages, regulatory penalties, and more. The AI Scenario Generator can recommend relevant scenarios based on your industry, size, and technology profile.
What does the free Starter plan include?
The Starter plan is free forever and includes: 3 risk scenarios, basic calibration training, limited AI assistance, and 1 user. It's designed to let you experience QRM methodology and see the value of quantitative risk analysis before upgrading.
What's included in the Professional plan?
The Professional plan ($99/month) includes: unlimited risk scenarios, full AI Calibration Coach, full AI Estimation Assistant, AI Scenario Generator, AI Report Narrator, calibration certification program, and up to 5 team members. This is our most popular plan for security teams.
What does Enterprise pricing include?
Enterprise plans include everything in Professional plus: unlimited team members, SSO/SAML integration, API access for integration with your tools, custom integrations, and dedicated support. Contact us for custom pricing based on your organization's needs.
Can I cancel my subscription?
Yes, you can cancel your subscription at any time from your account settings. If you cancel, you'll retain access until the end of your current billing period. Your data remains accessible, and you can export reports before your subscription ends.
What support options are available?
All plans include email support. Professional plans include priority support with faster response times. Enterprise customers get dedicated onboarding, training sessions, and a named customer success manager. We also maintain comprehensive documentation and video tutorials.
Is there a certification program?
Yes. Professional and Enterprise plans include access to our calibration certification program. You can earn certification by demonstrating calibrated estimation skills: across the test questions, your 90% confidence intervals must contain the true answer about 90% of the time. Certifications require annual recertification to ensure skills remain sharp—the AI Question Generator creates fresh questions so you never see the same one twice.