Security risk analysis typically treats control effectiveness as a static input, yet controls degrade through configuration drift, depend on monitoring systems that may themselves be degraded, and compete for finite remediation budgets. The FAIR Controls Analytics Model (FAIR-CAM) provides the theoretical framework for these dynamics but has so far remained theoretical. We present the first agent-based model to operationalize the core FAIR-CAM dynamics, making control physiology computationally observable, and release the implementation as open source. The simulation implements eight agent types, a multiplicative defense-in-depth susceptibility formula, a three-source variance model, budget-constrained remediation, and a narrative causation engine that produces a complete causal trace for every loss event. In a hospital ransomware scenario (N=1,000 iterations), three organizational dynamics emerge that static analysis cannot represent. First, emergent operational efficacy diverges from the analytical FAIR-CAM formula by approximately 17 percent, driven by correlated extrinsic variance; the divergence grows linearly with extrinsic frequency and vanishes under purely intrinsic drift. Second, a sharp queueing regime transition in the remediation pipeline approximately 2.8x expected loss when budget falls below a scenario-specific threshold (5-10 engineer-hours/month). Third, cascading monitoring failures propagate through the VMC topology: a single degraded VMC silently compounds undetected variance across the controls it manages. These dynamics are structural properties of the FAIR-CAM architecture and should generalize beyond the specific scenario studied.

翻译：安全风险分析通常将控制有效性视为静态输入，但控制措施会因配置漂移而退化、依赖可能自身已退化的监控系统，并竞争有限的安全修复预算。FAIR控制分析模型（FAIR-CAM）为这些动力学提供了理论框架，但至今仍停留在理论层面。我们提出了首个基于智能体的模型，将FAIR-CAM核心动力学转化为可计算观测的控制生理学，并以开源形式发布实现。该仿真实现了八种智能体类型、乘性纵深防御敏感性公式、三源方差模型、预算约束修复机制，以及可为每个损失事件生成完整因果链的叙事因果引擎。在医院勒索软件场景（N=1000次迭代）中，出现了静态分析无法表征的三种组织动力学。第一，由相关外源方差驱动的涌现运行效能与FAIR-CAM解析公式产生约17%的偏差；该偏差随外源频率线性增长，并在纯内源漂移条件下消失。第二，修复流水线中出现的尖锐排队机制转换——当预算低于场景特定阈值（5-10工程师小时/月）时，预期损失放大至约2.8倍。第三，级联监控故障经VMC拓扑结构传播：单个退化的VMC会静默放大其管理控制措施中未被检测的方差。这些动力学是FAIR-CAM架构的结构性属性，应可推广至本研究场景之外。