## Open-Sourcing riskquant, a library for quantifying risk

Netflix has a program in our Information Security department for quantifying the risk of deliberate (attacker-driven) and accidental losses. This program started on the Detection Engineering team with a home-grown Python library called riskquant, which we’ve released as open source for you to use (and contribute to). Since that library was written, we have hired two amazing full-time Risk Engineers (Prashanthi Koutha and Tony Martin-Vegue) who are expanding rigorous quantified risk across the company.

The Factor Analysis of Information Risk (FAIR) framework describes best practices for quantifying risk, which at the highest level of abstraction involves forecasting two quantities:

• Frequency of loss: How many times per year do you expect this loss to occur?
• Magnitude of loss: If this loss occurs, how bad will it be? (Low-loss scenario to high-loss scenario, representing a 90% confidence interval)

riskquant takes a list of loss scenarios, each with estimates of frequency, low loss magnitude, and high loss magnitude, and calculates and ranks the annualized loss for all scenarios. The annualized loss is the mean magnitude multiplied by the frequency: equivalently, the mean loss spread over the expected interval between events, which is the inverse of the frequency (e.g. a frequency of 0.1 implies an event about every 10 years, so each year carries a tenth of the mean loss).

For estimating magnitude, the 5th/95th (low/high) percentile estimates supplied by the user are mapped to a lognormal statistical distribution so that 5% of the probability falls below the lower magnitude, and 5% falls above the higher magnitude. A value drawn from the lognormal never falls below zero (reflecting that we can never earn money from a loss), and has a long tail on the high side (since losses can easily exceed initial estimates). Figure 1 shows a magnitude distribution where the 5th percentile was chosen as \$10,000 and the 95th percentile was \$100,000.
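The two steps above (fit a lognormal to the user's 5th/95th percentile estimates, then take its mean and multiply by the frequency) can be reproduced with nothing but Python's standard library. The block below is an added illustration, not riskquant's own code: it assumes the lognormal is parameterized by matching the low and high estimates exactly to the 5th and 95th percentiles (so they sit symmetrically around the median in log space), uses `statistics.NormalDist` (Python 3.8+) for the normal quantile, and ranks three constructed scenarios whose figures are invented for the example.

```python
import math
from statistics import NormalDist

# Standard-normal quantile at the 95th percentile (about 1.645). The 5th
# percentile sits at -Z_95, so a symmetric 90% interval in log space spans
# 2 * Z_95 standard deviations.
Z_95 = NormalDist().inv_cdf(0.95)


def lognormal_params(low, high):
    """Return (mu, sigma) of the lognormal whose 5th/95th percentiles are low/high.

    With ln(X) ~ Normal(mu, sigma):  ln(low) = mu - Z_95*sigma,
                                      ln(high) = mu + Z_95*sigma.
    Solving the pair gives mu as the log-midpoint and sigma from the log-spread.
    """
    if not (0 < low < high):
        raise ValueError("need 0 < low < high (losses are positive)")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_95)
    return mu, sigma


def lognormal_percentile(low, high, p):
    """Value below which a fraction p of the fitted distribution falls."""
    mu, sigma = lognormal_params(low, high)
    return math.exp(mu + sigma * NormalDist().inv_cdf(p))


def lognormal_mean(low, high):
    """Mean of the fitted lognormal, exp(mu + sigma^2 / 2).

    This always exceeds the median exp(mu): the long right tail pulls the
    average loss above the geometric midpoint of the two estimates.
    """
    mu, sigma = lognormal_params(low, high)
    return math.exp(mu + sigma ** 2 / 2)


def annualized_loss(frequency, low, high):
    """Expected loss per year = events per year * mean loss per event."""
    return frequency * lognormal_mean(low, high)


def rank_scenarios(scenarios):
    """scenarios: iterable of (name, frequency_per_year, low, high).

    Returns [(name, annualized_loss)] sorted from largest to smallest.
    """
    ranked = [(name, annualized_loss(f, lo, hi)) for name, f, lo, hi in scenarios]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed sample scenarios; the numbers are illustrative, not real data.
SCENARIOS = [
    ("Phishing leads to credential theft", 2.0, 5_000, 50_000),
    ("Misconfigured storage bucket exposes data", 0.1, 100_000, 5_000_000),
    ("Laptop lost with unencrypted disk", 0.5, 10_000, 100_000),
]

if __name__ == "__main__":
    for name, loss in rank_scenarios(SCENARIOS):
        print(f"{loss:>14,.0f}  {name}")
```

Note how the ranking is driven by the product of frequency and mean, not by either alone: the bucket exposure happens only once a decade but its wide, heavy-tailed magnitude still puts it first, while the frequent-but-cheap phishing scenario outranks the laptop loss only because it occurs four times as often.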