CRQ Methodology

Version 1.1  ·  May 2026  ·  RETACH Digital Ltd

The RETACH Cyber Risk Quantification Engine applies a frequency-severity actuarial model to produce financial loss estimates for organisations assessed under the S.I.N.S. Framework™. This document describes the full methodology — the model steps, the assumptions behind every constant, and the sources used to calibrate them.

Plain-English Summary

Every number the CRQ Engine produces traces back to a calculation described on this page. We use the same core mathematics as insurance actuaries — Expected Loss = Frequency × Severity — applied to your specific sector, size, and control posture. We then model the distribution of possible outcomes using lognormal statistics to show you not just the average year, but a bad year and a very bad year.

How the model works — five steps

1. Count how often attacks happen (Frequency)
   Base attack probabilities for six scenario types — phishing, ransomware, financial fraud, data breach, business continuity failure, and insider threat — are drawn from published East Africa sector incident data. A sector multiplier adjusts for the relative attack frequency of the assessed organisation's industry: a Fintech faces attacks 2.4× more often than baseline; a SACCO 1.8×. A risk modifier derived from the organisation's control posture (MFA adoption, backup posture, ODPC status, S.I.N.S. score) adjusts the final likelihood downward where controls are in place.

2. Estimate how much each event costs (Severity)
   Severity is modelled as a percentage of annual revenue, because an organisation's revenue is the most reliable proxy for the scale of data held, transactions processed, and operational complexity. Ransomware typically costs 18% of annual revenue when it hits. A data breach costs 12%. These percentages are calibrated to East Africa incident cost data and validated against IBM Cost of a Data Breach 2023 and Zurich Insurance emerging markets loss data.

3. Multiply: Expected Loss = Frequency × Severity
   This is the same formula an insurance actuary uses to price a premium. If ransomware has a 30% annual probability and costs KES 9M when it hits, the expected annual loss from ransomware is KES 2.7M. The Engine calculates this for six attack types and sums them. That total is your Expected Annual Loss.

4. Model the distribution (Poisson-Lognormal)
   The EAL is the mean of a loss distribution, not a guarantee. Real losses follow a lognormal distribution — most years are cheaper than average, but occasionally an event is catastrophic. We use a Poisson-Lognormal model with sector-specific dispersion constants (σ) calibrated from Serianu and Zurich emerging markets data. This gives you the 50th percentile (Expected), 75th percentile (Adverse), and 95th percentile (Severe/Worst-Case) loss figures.

5. Add regulatory fine exposure
   For each sector, applicable Kenyan regulatory frameworks are assessed separately. The Kenya Data Protection Act 2019 (max KES 5M, ODPC) applies universally. Sector-specific regulators — CBK, SASRA, CA Kenya, ICT Authority, NC4 — add additional exposure. For Critical Infrastructure sectors, CMCA 2018/2024 s.18 adds up to KES 25M, creating a combined ceiling of KES 30M. These figures are modelled independently from the EAL and added to produce Total Risk Exposure.

EAL = Σ (Frequency × Severity) across six S.I.N.S. scenario types
Total Risk Exposure = EAL + Regulatory Fine Exposure + Reputational Cost (downtime × revenue/day)

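The five steps above, carried through end to end as an added illustration (this is not RETACH's engine code). The 18% and 12% severities, the 2.4×/1.8× sector multipliers, the 38%/30% control reductions, the KES 5M/25M fine ceilings and KES 130/USD come from this page; the base probabilities, the other severities, the CI multiplier of 2.7× (chosen from the page's 2.5–2.9× range) and the worked σ are constructed placeholders. Step 4 is approximated by fitting a lognormal whose mean equals the EAL, which is an assumption about how the Engine applies σ.

```python
"""Frequency x severity walk-through of the five CRQ steps (added example, not RETACH's code)."""
from math import exp, log
from statistics import NormalDist

# Scenario table: (base annual probability, severity as a share of annual revenue).
# The 18% ransomware and 12% data-breach severities are from the methodology page;
# every other value here is a constructed placeholder, not a RETACH calibration.
SCENARIOS = {
    "phishing":            (0.40, 0.03),
    "ransomware":          (0.30, 0.18),
    "financial_fraud":     (0.25, 0.06),
    "data_breach":         (0.20, 0.12),
    "business_continuity": (0.15, 0.08),
    "insider_threat":      (0.10, 0.05),
}
SECTOR_MULTIPLIER = {"baseline": 1.0, "sacco": 1.8, "fintech": 2.4, "ci": 2.7}  # "ci" = midpoint of 2.5-2.9
CONTROL_REDUCTION = {"mfa": 0.38, "tested_backup": 0.30}  # control efficacy constants from the page
KES_PER_USD = 130  # FX assumption stated on the page

def risk_modifier(controls):
    """Step 1: controls scale likelihood down; treating reductions as independent is an assumption."""
    m = 1.0
    for c in controls:
        m *= 1.0 - CONTROL_REDUCTION[c]
    return m

def expected_annual_loss(revenue_kes, sector, controls=()):
    """Steps 1-3: frequency x severity per scenario, summed to the Expected Annual Loss."""
    mod = SECTOR_MULTIPLIER[sector] * risk_modifier(controls)
    per_scenario = {n: min(1.0, p * mod) * sev * revenue_kes for n, (p, sev) in SCENARIOS.items()}
    return sum(per_scenario.values()), per_scenario

def loss_percentiles(eal, sigma, probs=(0.50, 0.75, 0.95)):
    """Step 4: lognormal with mean == EAL, so mu = ln(EAL) - sigma^2/2 (assumed parameterisation)."""
    mu = log(eal) - sigma ** 2 / 2
    return {p: exp(mu + sigma * NormalDist().inv_cdf(p)) for p in probs}

def regulatory_fine_kes(sector):
    """Step 5: DPA 2019 ceiling for every sector, plus the CMCA s.18 ceiling for CI sectors.
    Other sector-regulator amounts are not given on the page and are left out here."""
    return 5_000_000 + (25_000_000 if sector == "ci" else 0)

def total_risk_exposure(eal, sector, downtime_days, revenue_kes):
    """Total = EAL + fine exposure + reputational cost (downtime x revenue/day; 365-day year assumed)."""
    return eal + regulatory_fine_kes(sector) + downtime_days * revenue_kes / 365

if __name__ == "__main__":
    eal, breakdown = expected_annual_loss(50_000_000, "fintech", controls=("mfa", "tested_backup"))
    bands = loss_percentiles(eal, sigma=0.90)  # placeholder sigma; the page gives 1.10 for CI only
    print(f"EAL KES {eal:,.0f} (USD {eal / KES_PER_USD:,.0f})")
    for p, v in bands.items():
        print(f"  P{int(p * 100)}: KES {v:,.0f}")
    print(f"Total risk exposure: KES {total_risk_exposure(eal, 'fintech', 3, 50_000_000):,.0f}")
```

Because the lognormal median sits below its mean by a factor of exp(-σ²/2), the 50th-percentile figure will always print lower than the EAL; the gap widens as σ grows.
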
Assumptions & limits

Every modelling assumption is listed here. Where a figure is an estimate rather than an empirical measurement, that is noted explicitly.

Frequency from published data
  What it means: Base attack probabilities from Serianu 2023, CBK, and CA Kenya sector reports.
  Honest limit: Historical frequency does not guarantee future attack rates. Threat actors evolve.

Severity as % of revenue
  What it means: Impact calibrated as a share of annual revenue — larger organisations face larger absolute losses.
  Honest limit: Actual severity depends on systems held, data volume, and attacker sophistication — not size alone.

Sector multipliers
  What it means: Fintechs face 2.4× the baseline frequency; SACCOs 1.8×; Critical Infrastructure 2.5–2.9× — from sector incident data.
  Honest limit: Calibrated from published sector reports. Refined as RETACH engagement data accumulates.

Control efficacy
  What it means: Full MFA reduces risk by 38%; tested backup by 30% — from NIST 800-53 benchmarks.
  Honest limit: Actual reduction depends on implementation quality, not just whether a control exists.

Loss distribution shape (σ)
  What it means: Lognormal distribution; sector dispersion (σ) calibrated to Serianu and Zurich emerging markets data. CI sectors use σ = 1.10 — the highest constant, reflecting nation-state threat exposure and OT/IT risk.
  Honest limit: Not derived from RETACH's own claims dataset yet. Improves as the RETACH Risk Ledger™ grows.

Single-organisation scope
  What it means: Models your organisation's direct loss exposure.
  Honest limit: Does not model supply chain contagion or systemic sector-wide events.

Point-in-time snapshot
  What it means: Reflects your posture at the time of assessment.
  Honest limit: Risk changes as threats evolve and controls are added or removed. Reassess annually.

FX rate
  What it means: USD conversion at KES 130.
  Honest limit: Exchange rate movements are not modelled. KES figures are primary.

Disclaimer

RETACH CRQ outputs are financial planning estimates based on the modelling methodology described above. They are not actuarial certifications, legal opinions, or insurance advice. Figures should be used for internal risk management, board reporting, and informed conversations with insurers and legal counsel — not as binding loss projections. RETACH Digital Ltd is not a licensed insurer, broker, or legal firm.

Calibration sources

The following published sources are used to calibrate sector multipliers, severity percentages, and control efficacy constants in the CRQ Engine.

Serianu Africa Cybersecurity Report 2023
CBK Cybersecurity Guidelines 2019
Communications Authority of Kenya
ODPC Enforcement Data 2022–2026
IBM Cost of a Data Breach 2023
NIST SP 800-53
Zurich Emerging Markets CI Loss Data
ISO 27005 Risk Practices
ENISA CI Threat Landscape 2023
NC4 Kenya Incident Data


CRQ Terms & EULA

By using the RETACH CRQ Engine, you agree to the following terms. These terms govern the use of all quantification outputs, reports, and models produced by RETACH Digital Ltd tools.

Clause 1  ·  Output Limitations
CRQ outputs are planning estimates, not certifications

All figures produced by the RETACH CRQ Engine are financial planning estimates based on the frequency-severity model described in this document. They are not actuarial certifications, insurance valuations, regulatory assessments, or legal opinions. No output constitutes a guarantee of accuracy, completeness, or fitness for any particular purpose.

Clause 2  ·  No Legal or Insurance Advice
RETACH is not a licensed insurer, broker, or legal firm

CRQ outputs must not be used as the sole basis for insurance purchasing decisions, legal compliance determinations, or regulatory submissions. Regulatory fine exposure figures are indicative estimates based on publicly available enforcement data, not legal advice. Engage qualified legal counsel and licensed insurance brokers for binding decisions.

Clause 3  ·  Permitted Use
Internal risk management and board reporting

CRQ outputs may be used for: internal risk registers, board and executive risk reporting, cyber insurance gap analysis conversations, investment prioritisation for security controls, and general organisational awareness. They may not be reproduced in marketing materials, public filings, or third-party reports without written permission from RETACH Digital Ltd.

Clause 4  ·  Liability
Limitation of liability

RETACH Digital Ltd is not liable for any direct, indirect, incidental, or consequential loss arising from reliance on CRQ outputs. The user accepts full responsibility for decisions made based on CRQ figures. RETACH's total liability under any engagement is limited to the fees paid for that engagement.

Clause 5  ·  Intellectual Property
The S.I.N.S. Framework™ and CRQ Engine are proprietary

The S.I.N.S. Framework™, RETACH CRQ Engine, and all associated methodology, scoring models, and outputs are the intellectual property of RETACH Digital Ltd. Reverse engineering, reproduction, or commercial use of the methodology without written licence is prohibited.

Clause 6  ·  Authorisation
Engagement authorisation for assessment tools

Active assessment tools — including the AD Audit module and Pentest Kit — must only be used under written engagement authorisation. Unauthorised use of these tools against systems you do not own or have explicit permission to assess may violate the Kenya Computer Misuse and Cybercrimes Act 2018 and equivalent legislation in your jurisdiction.

Engagement Templates

Standardised deliverable templates used across RETACH engagements. Download and use as the basis for client reporting.

Risk Delta Report  ·  Report Template (DOCX)
The engagement close-out document. Shows before/after EAL delta, S.I.N.S. pillar breakdown, controls implemented, open items mapped to next service, ROI statement, and CRQ snapshots. Font: Barlow Condensed + IBM Plex Mono.

S.I.N.S. Health Scan Report  ·  Coming soon
Scored executive report with risk heatmap and 30/60/90-day roadmap template.

AD Audit Executive Summary  ·  Coming soon
Active Directory findings report with pillar-by-pillar scoring and remediation priorities.

Incident Response Plan Template  ·  Coming soon
RETACH IRP template — ODPC 72-hour notification procedure included.

S.I.N.S. Framework™

The S.I.N.S. Framework™ for Digital Resilience is a four-pillar methodology for building organisational resilience against digital risk. It is an implementation alignment layer that translates global standards (ISO 27001, NIST CSF, CIS Controls) into executable programmes for organisations without dedicated security teams.

The pillars are sequenced intentionally — each layer depends on the one before it. You cannot meaningfully govern security risks (Security) without knowing what infrastructure you have (Infrastructure). You cannot segment a network (Network) without managing what connects to it (Systems).

S  ·  Layer 1 — Foundation  ·  Systems
Asset inventory, identity & access management, endpoint configuration, patch management, SharePoint/M365 governance.

I  ·  Layer 2 — Operational  ·  Infrastructure
Backup & DR (Veeam, Zerto, Dell EMC), BCP, BIA, RTO/RPO design, server hardening, data centre management.

N  ·  Layer 3 — Connectivity  ·  Network
Firewall policy (Sophos, Meraki/Cisco ASA), Zero Trust (ZTNA), NAC (PacketFence), segmentation, RADIUS, WAF, physical security.

S  ·  Layer 4 — Governance  ·  Security & Governance
ISP, IRP, Change Management Policy, Risk Register, DPA compliance, CMCA compliance, awareness training (LMS), PAM (Segura), DAM (Imperva).

Critical Infrastructure Protection

The RETACH CRQ Engine models organisations in sectors designated as critical infrastructure under applicable law separately from general commercial sectors — with higher frequency multipliers, tighter RTO assumptions, and combined regulatory fine exposure reflecting both data protection and sector-specific cyber legislation.

RETACH's practice includes direct operational security experience inside critical national infrastructure — including enterprise network security, identity management, IRP, and BCP delivery in a mission-critical, geographically distributed environment. That practitioner background informs how the framework is calibrated for CI sectors.

Designated CI sectors modelled in the CRQ Engine (combined fine ceiling per sector):

Transport & Logistics (Rail · Port · Aviation · Road infrastructure): KES 30M combined
Energy & Utilities (Power · Water · Oil & Gas): KES 30M combined
Telecommunications & ICT (Operators · ISPs · CA Kenya CII Regulations): KES 30M combined
Financial Market Infrastructure (NSE · CBK Clearing · Payment Switches): KES 30M combined
Government Core Systems (KRA · NTSA · eCitizen · ICT Authority): KES 30M combined
Critical Health Infrastructure (KNH · KEMSA · National Blood Services): KES 30M combined

Combined fine = DPA 2019 max KES 5M (ODPC) + CMCA 2018/2024 s.18 max KES 25M (NC4/DCI). Both penalties can be imposed simultaneously for the same security failure. CMCA s.18 also carries a custodial sentence of up to 20 years imprisonment. This does not constitute legal advice — validate with qualified Kenyan counsel.

Book a Critical Infrastructure Security Review

Delivered by a practitioner with direct CI operational experience. Scope covers CMCA compliance obligations, OT/IT separation, BCP for essential services, and NC4 incident reporting readiness.
