Walkthrough — Customer data breach (Event Risk)
This article walks through the sample envelope shipped with Event Risk Exposure. Open /event-risk in another tab and follow along — the model on screen is the one we describe here. The scenario is deliberately compact (two causes, two impacts, two controls, two treatments) but covers every mechanic of the tool: shared multi-target controls, dual-reduction treatments, mixed likelihood input modes, and a cost-benefit table where one treatment pays back and one doesn't quite.
The event
Loss of sensitive customer data
Same event statement as the Beau-Tie sample (see that walkthrough for the qualitative bow-tie of the same risk). Phrased noun-form, no embedded cause or impact.
Two causes
1. Phishing of staff credentials
Likelihood mode: distribution (triangular). Parameters: min 5%, mode 15%, max 30%. Reflects elicited uncertainty — "we think phishing succeeds in 5–30% of attack waves, most-likely 15%".
2. Malicious insider exfiltration
Likelihood mode: band at L2 (Unlikely). Per-band probability at L2 = 5% (default). Insider risk is well-bounded at typical organisations — distribution-mode uncertainty would be elicitation noise here, so band mode is the more honest choice.
Two impacts
Regulatory fines and penalties
Distribution: triangular, min $200k, mode $800k, max $2.5M. Reflects statutory penalty ranges for data-protection incidents at the size of customer base being modelled.
Reputational damage and churn
Distribution: PERT, min $100k, mode $500k, max $3M. PERT (not TRI) because reputational impact tends to cluster around a most- likely 12-month churn estimate with rare-tail catastrophic scenarios — that's the PERT shape.
Two existing controls
MFA enforcement on all SSO accounts
Targets: both causes (phishing + insider). Reduction: 40% likelihood. A single control applying to multiple cause-drivers — the multi-target pattern. Reads as: "MFA on every account reduces the chance of EITHER a phishing OR an insider-credential pathway succeeding by 40%".
Documented incident response runbook
Targets: both impacts (regulatory + reputational). Reduction: 20% consequence. Same multi-target pattern but on the impact side — the runbook reduces severity if the event fires, applied to both consequence dimensions.
Two treatments
Comprehensive cyber training program (annual)
Targets: phishing cause AND reputational impact. Reductions: 25% likelihood, 10% consequence. Cost: $180,000.
The dual-reduction + dual-target pattern in one treatment. Reads as: "better-trained staff reduce phishing-pathway likelihood by 25% AND reduce reputational impact by 10% (faster incident response from trained staff cuts the 12-month churn estimate)".
DLP tooling rollout
Targets: insider cause only. Reduction: 35% likelihood. Cost: $240,000.
Indicative results (10 000 iterations)
Your numbers will vary by ~1–2% per run (no seedable PRNG). Order-of-magnitude:
- Baseline occurrence rate: roughly 15–20% of iterations — most of the time the event doesn't fire.
- Baseline P80: around $2.5M — read as "in an 80%-confidence budgeting scenario, carry this much contingency to cover risk events".
- Treated P80: around $1.8M — both treatments together knock ~28% off the contingency.
- Portfolio ROI: around 1.5× — for every $1 invested in the treatment portfolio ($420k total), expected loss falls by ~$1.50. Defensible investment on the math alone.
Reading the cost-benefit table
Two rows, one per treatment. The marginal-reduction column tells you what happens if you skip THAT treatment but keep the other:
- Training program ($180k) — marginal reduction around $250–350k, ROI ~1.5×. Pays for itself even on the risk math alone. The dual-reduction (likelihood + consequence) earns the keep.
- DLP rollout ($240k) — marginal reduction around $150–250k, ROI ~0.8×. Roughly break- even. Real call here would consider non-financial factors (compliance, attestation requirements) — the risk math alone doesn't decisively endorse it.
Reading the driver sensitivity tornado
Three side-by-side lists. With the default envelope you'll typically see:
- Causes: phishing dominates by a wide margin (its distribution-mode likelihood has variance the band-mode insider cause doesn't). Tells you the phishing pathway is where treatment effort lands hardest.
- Impacts: reputational damage drives more variance than regulatory (PERT tail vs TRI bounded tail). Tells you the reputational dimension is the one to focus consequence-reducing treatments against.
- Controls: the MFA control ranks highest — it's a multi-target control reducing both causes' likelihood, so removing it would re-introduce a lot of variance.
Iterating on the model
The most valuable thing the tool does is let you ask "what if?" Edit a treatment's reduction percentages or cost and re-run; the ROI table moves in real time. A few patterns:
- The breakeven question. Halve a treatment's cost and re-run. If the ROI flips above 1.0×, you have your willingness-to-pay number for the conversation with the treatment vendor.
- The combination question. Delete one treatment, re-run. The other's marginal reduction will likely INCREASE (it's now carrying load that was previously shared). Tells you which treatments are complements vs substitutes.
- The reduction-sensitivity question. If the SME quoted "25% likelihood reduction" for the training program, try 15% and 35% and re-run. If P80 doesn't move much, the elicitation imprecision isn't a problem; if it does, push the SME for more confidence.