CRML is an open, declarative, engine-agnostic and Control / Attack framework–agnostic Cyber Risk Modeling Language. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements — without forcing you into a specific quantification method, simulation engine, or security-control / threat catalog. CRML enables RaC (Risk as Code): risk and compliance assumptions become versioned, reviewable artifacts that can be validated and executed consistently across teams and tools.
Cyber security, compliance, and risk management professionals often face the same practical problems: Risk models are locked in spreadsheets, slide decks, or proprietary tools, making them hard to review, audit, reproduce, and automate. Control effectiveness and “defense in depth” assumptions are documented inconsistently, so results vary by analyst and by quarter. Threat and control frameworks (e.g., ATT&CK, CIS, NIST, ISO, SCF, internal catalogs) change over time; do not provide a consistent machine readable format; mappings are brittle and rarely versioned. Quantification engines differ (FAIR-style Monte Carlo, Bayesian/QBER, actuarial models, internal platforms), causing costly rewrites and re-interpretation. Audit-ready evidence is fragmented: “what was modeled, with which parameters, using which data, and producing which outputs” is hard to prove. CRML addresses this by standardizing the _description_ of cyber risk models and their inputs/outputs, so different engines and organizations can exchange and execute the same model with clear validation and traceability.
Qualitative methods (red/amber/green, “high/medium/low”, maturity scores) are useful for communication and prioritization, but they tend to break down when you need to: Justify security spend (or a new security product) by comparing expected risk _with_ vs. _without_ the investment, compare risk consistently across business units, vendors, or time periods, show measured risk reduction from controls (not just “improved posture”), connect cyber risk to enterprise risk, insurance, and financial planning, produce repeatable, audit-ready evidence of “how we calculated this number”. The next evolution is **quantified risk management**: treating cyber risk as an estimable distribution of outcomes, grounded in explicit assumptions and data, and computed by repeatable methods. But quantified approaches only scale when models are **standardized** — so they can be validated, reviewed, reused, and executed across tools and teams. CRML’s goal is to be this standard: it makes the model _portable_, the assumptions _explicit_, and the results _reproducible_.
admin
Key features include control effectiveness modeling — quantify how controls reduce risk (including defense-in-depth), median-based parameterization — specify medians directly for lognormal distributions, multi-currency support — model across currencies with automatic conversion, auto-calibration — calibrate distributions from loss data, strict validation — JSON Schema validation catches errors before simulation, implementation-agnostic — works with any compliant simulation engine, human-readable YAML — easy to read, review, and audit.
CRML works by standardizing the description of cyber risk models and their inputs/outputs, so different engines and organizations can exchange and execute the same model with clear validation and traceability. It provides a YAML/JSON format for describing cyber risk models, telemetry mappings, simulation pipelines, dependencies, and output requirements — without forcing you into a specific quantification method, simulation engine, or security-control / threat catalog. The language enables RaC (Risk as Code), making risk and compliance assumptions versioned, reviewable artifacts that can be validated and executed consistently.
Benefits and outcomes for users include making cyber risk reproducible, comparable, and automatable across teams while still allowing methodological diversity. It addresses problems like risk models being locked in spreadsheets, slide decks, or proprietary tools, making them hard to review, audit, reproduce, and automate. It helps justify security spend by comparing expected risk with vs. without the investment, compare risk consistently across business units, vendors, or time periods, show measured risk reduction from controls, connect cyber risk to enterprise risk, insurance, and financial planning, and produce repeatable, audit-ready evidence of “how we calculated this number”.
Use cases include a security architect proposing a new control program by updating CRML documents; the change is peer-reviewed in Git with clear diffs. GRC and audit teams can trace every metric back to a validated, versioned model (inputs, assumptions, mappings, outputs). Different quant engines (vendor platforms, internal FAIR Monte Carlo, Bayesian QBER, insurance actuarial models) all consume the same CRML documents. Framework changes are handled by updating catalogs/mappings (also versioned), rather than rewriting the model logic. Organizations can exchange models with partners, insurers, and regulators without sending spreadsheets or screenshots. A cyber security authority can publish its yearly threat landscape report in CRML — encoding richer nuance than narrative PDFs (assumptions, distributions, dependencies, control baselines, and mappings) — and in turn benefit from more standardized, machine-readable data submissions from industry.
Target users are cyber security, compliance, and risk management professionals. It is supported by community contributors and early adopters. The repository ships two Python packages and a web UI: `crml-lang`: language/spec models + schema validation + YAML IO, `crml-engine`: reference runtime + `crml` CLI (depends on `crml-lang`), `web/`: **CRML Studio** — browser UI for validation and simulation (Next.js). Installation is via pip: `pip install crml-engine` for the CLI or `pip install crml-lang` for the language library. It is open-source under the MIT License.
CRML’s primary value proposition is standardizing the description of cyber risk models to enable Risk as Code, making models portable, assumptions explicit, and results reproducible across teams and tools.
CRML targets cyber security, compliance, and risk management professionals who face challenges with locked, inconsistent, or non-reproducible risk models. It is for teams needing to justify security spend, compare risk across units, show measured control reduction, connect cyber risk to enterprise planning, and produce audit-ready evidence. Supported by community contributors and early adopters, it serves users in GRC, audit, security architecture, and quantification roles seeking standardized, engine-agnostic risk modeling.