CRML — Cyber Risk Modeling Language
CRML is a domain-specific language (DSL) and runtime for quantitative cyber risk modeling.
It is designed to:
- Capture enterprise cyber risk models as version-controlled code (YAML/JSON)
- Support both FAIR-style Monte Carlo and QBER-style Bayesian models
- Integrate real telemetry from tool classes such as PAM, DLP, IAM, XDR and WAF
- Produce defensible metrics such as expected annual loss (EAL), value at risk (VaR), conditional VaR (CVaR) and tail quantiles
High-Level Architecture
```mermaid
graph TD
    A[Security Telemetry<br/>PAM / DLP / IAM / XDR / WAF] --> B[Feature Mapping]
    B --> C[CRML Model<br/>YAML / JSON]
    C --> D[CRML Runtime<br/>Python]
    D --> E[Simulation Engine<br/>MC + MCMC]
    E --> F[Risk Metrics<br/>EAL / VaR / Tail]
```
CRML separates what the risk model is from how it is executed:
- The CRML file declares assets, frequency/severity models, dependencies, and outputs.
- The runtime turns this into simulations, posterior estimates, and metrics.
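The following is an added worked example of that split, not code from the CRML project: a model declared as plain data (in the shape a loaded CRML YAML file might take) and a small runtime that turns it into a FAIR-style Monte Carlo run and reports EAL / VaR / CVaR. It uses Poisson and Gamma–Poisson frequency, lognormal severity and a Gaussian copula, so it also illustrates the concepts listed under Key Concepts. The dictionary keys, the one-factor copula and the choice to let the copula couple a per-year lognormal shock on each component's event rate are all assumptions made for the example; the page does not state what CRML's copula couples. Standard library only.

```python
"""Added example (not CRML project code): a FAIR-style Monte Carlo run over a
CRML-like model dict, producing EAL / VaR / CVaR from simulated annual losses.
The model keys below are illustrative assumptions, not the CRML schema."""
import math
import random
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # cdf()/inv_cdf() are the copula's normal<->uniform maps

# Constructed toy model in the shape a loaded CRML YAML file might take.
MODEL = {
    "components": [
        {"name": "crown_jewel_db",
         "frequency": {"dist": "gamma_poisson", "mean": 1.5, "shape": 2.0},
         "severity": {"dist": "lognormal", "median": 250_000, "sigma": 1.0}},
        {"name": "web_portal",
         "frequency": {"dist": "poisson", "rate": 6.0},
         "severity": {"dist": "lognormal", "median": 20_000, "sigma": 0.8}},
    ],
    # Gaussian copula coupling the components' yearly rate shocks (assumption: a
    # one-factor equicorrelated copula; 'shock_sigma' sizes the lognormal shock).
    "dependency": {"copula": "gaussian", "rho": 0.6, "shock_sigma": 0.5},
}


def poisson(rate, rng):
    """Poisson draw by Knuth's method (adequate for the small rates used here)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annual_rate(freq, rng):
    """This year's event rate. Gamma-Poisson draws the rate from a Gamma, so the
    resulting counts are Negative Binomial (over-dispersed relative to Poisson)."""
    if freq["dist"] == "poisson":
        return freq["rate"]
    if freq["dist"] == "gamma_poisson":
        shape = freq["shape"]  # smaller shape => more over-dispersion
        return rng.gammavariate(shape, freq["mean"] / shape)
    raise ValueError(f"unsupported frequency model {freq['dist']!r}")


def severity(sev, rng):
    """Per-event loss; lognormal parametrised by median and log-sd."""
    if sev["dist"] == "lognormal":
        return rng.lognormvariate(math.log(sev["median"]), sev["sigma"])
    raise ValueError(f"unsupported severity model {sev['dist']!r}")


def copula_uniforms(n, rho, rng):
    """Gaussian copula: correlated standard normals (one common factor, pairwise
    correlation rho) pushed through Phi to give correlated uniforms in (0, 1)."""
    if not 0.0 <= rho <= 1.0:
        raise ValueError("one-factor copula needs 0 <= rho <= 1")
    common = rng.gauss(0.0, 1.0)
    eps = 1e-12  # keep away from 0/1 so inv_cdf() stays finite
    return [min(max(_STD_NORMAL.cdf(math.sqrt(rho) * common
                                    + math.sqrt(1.0 - rho) * rng.gauss(0.0, 1.0)),
                    eps), 1.0 - eps) for _ in range(n)]


def simulate(model, years=20_000, seed=1):
    """Simulated total annual loss for each of `years` years."""
    rng = random.Random(seed)
    comps, dep = model["components"], model["dependency"]
    s = dep["shock_sigma"]
    losses = []
    for _ in range(years):
        us = copula_uniforms(len(comps), dep["rho"], rng)
        total = 0.0
        for comp, u in zip(comps, us):
            # Map the copula uniform through the shock's marginal (lognormal with
            # mean 1) to get this component's "bad year" multiplier on its rate.
            mult = math.exp(s * _STD_NORMAL.inv_cdf(u) - s * s / 2)
            n_events = poisson(annual_rate(comp["frequency"], rng) * mult, rng)
            total += sum(severity(comp["severity"], rng) for _ in range(n_events))
        losses.append(total)
    return losses


def metrics(losses):
    """EAL (mean), VaR_q (empirical q-quantile) and CVaR_q (mean of losses >= VaR_q)."""
    s, n = sorted(losses), len(losses)
    def var(q): return s[max(0, math.ceil(q * n) - 1)]
    def cvar(q):
        tail = s[max(0, math.ceil(q * n) - 1):]
        return sum(tail) / len(tail)
    return {"EAL": sum(s) / n, "VaR95": var(0.95), "VaR99": var(0.99),
            "VaR99.9": var(0.999), "CVaR95": cvar(0.95)}


def analytic_eal(model):
    """Closed-form EAL = sum_i E[N_i] * E[X_i]. The rate shock has mean 1 by
    construction and the copula does not move means, so both drop out; use this
    to sanity-check the simulated EAL (tail metrics have no such shortcut)."""
    total = 0.0
    for comp in model["components"]:
        f, sv = comp["frequency"], comp["severity"]
        mean_n = f["rate"] if f["dist"] == "poisson" else f["mean"]
        total += mean_n * sv["median"] * math.exp(sv["sigma"] ** 2 / 2)
    return total


if __name__ == "__main__":
    print(f"analytic EAL {analytic_eal(MODEL):,.0f}")
    for k, v in metrics(simulate(MODEL)).items():
        print(f"{k:8} {v:14,.0f}")
```

Two things worth keeping from this when reading real CRML output: the copula changes the tail (VaR99.9, CVaR) but not the EAL, so EAL alone will not tell you whether dependencies are modelled; and a closed-form EAL check like `analytic_eal` is the cheapest way to catch a mis-parametrised severity (median vs. mean of a lognormal is a common slip).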
Key Concepts
- Frequency models: Poisson, Gamma–Poisson (Negative Binomial), hierarchical
- Severity models: Lognormal, Gamma, finite mixtures
- Entropy-based criticality: Shannon entropy over controls, exposure, data classes
- Dependencies: Gaussian copula over components
- Inference: Metropolis–Hastings MCMC for selected parameters
- Metrics: EAL, VaR95, VaR99, VaR99.9
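Inference is the step that lets telemetry set a model's parameters instead of expert guesses. As an added example, not the CRML runtime's own sampler, the block below runs random-walk Metropolis–Hastings for the rate of a Poisson frequency model from a constructed series of monthly incident counts (the kind of feature an XDR case export might be mapped to). It samples in log-rate so proposals never go negative, and checks the chain against the exact Gamma–Poisson conjugate posterior, which is how you validate a sampler before trusting it on the hierarchical models that have no closed form. The counts, prior and tuning constants are illustrative assumptions.

```python
"""Added example (not CRML project code): Metropolis-Hastings MCMC for the rate
of a Poisson frequency model, fed by constructed telemetry counts. Stdlib only."""
import math
import random

# Constructed telemetry: confirmed incidents per month, as a feature mapping from
# e.g. XDR case data might produce. Values are made up for illustration.
MONTHLY_INCIDENTS = [1, 0, 2, 1, 0, 0, 3, 1, 0, 1, 2, 0]

# Gamma(shape=a, rate=b) prior on the monthly rate lambda. Illustrative choice.
PRIOR_SHAPE, PRIOR_RATE = 2.0, 1.0


def log_posterior(theta, counts, a, b):
    """Unnormalised log posterior of theta = log(lambda): Poisson log-likelihood
    + Gamma(a, b) log-prior on lambda + the Jacobian log|d lambda / d theta| = theta,
    so that a chain run in theta targets the posterior of lambda."""
    lam = math.exp(theta)
    log_lik = sum(k * theta - lam - math.lgamma(k + 1) for k in counts)
    log_prior = (a - 1.0) * theta - b * lam
    return log_lik + log_prior + theta


def metropolis_hastings(counts, a=PRIOR_SHAPE, b=PRIOR_RATE,
                        iters=20_000, burn_in=2_000, step=0.3, seed=7):
    """Random-walk MH on theta = log(lambda). Returns posterior draws of lambda
    (after burn-in) and the acceptance rate, which should land roughly in 0.2-0.7;
    far outside that, retune `step`."""
    rng = random.Random(seed)
    theta = math.log(max(sum(counts) / len(counts), 1e-3))  # start near the MLE
    cur = log_posterior(theta, counts, a, b)
    draws, accepted = [], 0
    for i in range(iters):
        prop = theta + rng.gauss(0.0, step)  # symmetric proposal: no Hastings term
        lp = log_posterior(prop, counts, a, b)
        # accept with probability min(1, exp(lp - cur)); 1 - random() is in (0, 1]
        if math.log(1.0 - rng.random()) < lp - cur:
            theta, cur = prop, lp
            accepted += 1
        if i >= burn_in:
            draws.append(math.exp(theta))
    return draws, accepted / iters


def summarise(draws):
    """Posterior mean, sd and central 95% interval of the monthly rate."""
    n = len(draws)
    mean = sum(draws) / n
    sd = math.sqrt(sum((d - mean) ** 2 for d in draws) / (n - 1))
    s = sorted(draws)
    return {"mean": mean, "sd": sd, "ci95": (s[int(0.025 * n)], s[int(0.975 * n)])}


def conjugate_posterior(counts, a, b):
    """The Gamma prior is conjugate to the Poisson likelihood, so the exact
    posterior is Gamma(a + sum(counts), b + len(counts)). Returns its (mean, sd)
    so the MCMC summary can be checked against a closed form."""
    shape, rate = a + sum(counts), b + len(counts)
    return shape / rate, math.sqrt(shape) / rate


if __name__ == "__main__":
    draws, acc = metropolis_hastings(MONTHLY_INCIDENTS)
    print("acceptance rate", round(acc, 2))
    print("MCMC posterior ", summarise(draws))
    print("exact (mean, sd)", conjugate_posterior(MONTHLY_INCIDENTS, PRIOR_SHAPE, PRIOR_RATE))
```

The posterior draws of the monthly rate are what a runtime would feed into the Poisson frequency model (scaled by 12 for an annual simulation) so that parameter uncertainty, not just event randomness, shows up in the loss distribution.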
