Cyber Risk Score Calculator

Quantifies organizational cyber risk exposure using threat likelihood, vulnerability severity, asset value, and control effectiveness to produce a composite risk score (0–100) with severity classification.

Inputs

Threat Likelihood (1–10): probability that a threat actor will attempt an attack (1 = very unlikely, 10 = near certain).
Vulnerability Severity (1–10): CVSS-aligned severity of the most critical known vulnerability (1 = minimal, 10 = critical).
Asset Value (1–10): business criticality of the asset at risk (1 = low-value, 10 = mission-critical).
Control Effectiveness (0–100 %): percentage effectiveness of existing security controls in mitigating the threat (0 = no controls, 100 = fully mitigated).
Exposure Factor (0–100 %): percentage of the asset that would be compromised if the threat materialises (0 = no impact, 100 = total loss).

Formula

Step 1 — Inherent Risk (IR):
IR = (Threat Likelihood × Vulnerability Severity × Asset Value) / 10

Step 2 — Residual Risk (RR):
Control Multiplier (CM) = 1 − (Control Effectiveness / 100)
Exposure Multiplier (EM) = Exposure Factor / 100
RR = IR × CM × EM

Step 3 — Cyber Risk Score (CRS):
CRS = (IR × 0.40) + (RR × 0.60)

Severity Bands:
0–19.99 = Very Low  |  20–39.99 = Low  |  40–59.99 = Moderate  |  60–79.99 = High  |  80–100 = Critical
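The three steps above as a runnable reference implementation, added here as an example rather than the calculator's own code. It validates input ranges (so an out-of-range value raises instead of silently producing a score), returns every intermediate value, classifies with half-open bands so a value such as 19.995 still gets a label, and includes a sweep over Control Effectiveness to show a consequence of the 40/60 weighting: because IR carries 40 % of the score, CRS never drops below 0.4 × IR no matter how effective the controls are. The sample inputs are constructed; the function and field names are this example's own.

```python
from dataclasses import dataclass

# Severity bands from the page, stored as lower bounds and checked from the
# highest band down, so every value in [0, 100] gets a label (the page's
# "19.99 / 20" notation leaves a gap; here 20 is the first "Low" value).
BANDS = (
    (80.0, "Critical"),
    (60.0, "High"),
    (40.0, "Moderate"),
    (20.0, "Low"),
    (0.0, "Very Low"),
)


@dataclass(frozen=True)
class RiskResult:
    inherent: float             # IR = (TL * VS * AV) / 10, range 0.1-100
    control_multiplier: float   # CM = 1 - CE/100
    exposure_multiplier: float  # EM = EF/100
    residual: float             # RR = IR * CM * EM
    score: float                # CRS = 0.4*IR + 0.6*RR
    severity: str               # label from BANDS


def _check_range(name, value, lo, hi):
    """Reject non-numeric or out-of-range input instead of scoring garbage."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise TypeError(f"{name} must be numeric, got {type(value).__name__}")
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be in [{lo}, {hi}], got {value}")


def classify(score):
    """Map a 0-100 score to the page's severity label."""
    _check_range("score", score, 0, 100)
    for lower, label in BANDS:
        if score >= lower:
            return label
    return "Very Low"  # unreachable: the 0.0 band always matches


def cyber_risk_score(threat_likelihood, vulnerability_severity, asset_value,
                     control_effectiveness, exposure_factor):
    """Steps 1-3 of the page's formula, returning every intermediate value."""
    _check_range("Threat Likelihood", threat_likelihood, 1, 10)
    _check_range("Vulnerability Severity", vulnerability_severity, 1, 10)
    _check_range("Asset Value", asset_value, 1, 10)
    _check_range("Control Effectiveness", control_effectiveness, 0, 100)
    _check_range("Exposure Factor", exposure_factor, 0, 100)

    inherent = (threat_likelihood * vulnerability_severity * asset_value) / 10
    cm = 1 - control_effectiveness / 100
    em = exposure_factor / 100
    residual = inherent * cm * em
    score = inherent * 0.40 + residual * 0.60
    return RiskResult(inherent, cm, em, residual, score, classify(score))


def control_sweep(threat_likelihood, vulnerability_severity, asset_value,
                  exposure_factor, step=25):
    """Hold the other inputs fixed and vary Control Effectiveness 0..100.

    Returns (CE, CRS rounded to 2 dp, severity) rows. With IR weighted at
    40 %, the last row (CE = 100) still scores 0.4 * IR.
    """
    rows = []
    for ce in range(0, 101, step):
        r = cyber_risk_score(threat_likelihood, vulnerability_severity,
                             asset_value, ce, exposure_factor)
        rows.append((ce, round(r.score, 2), r.severity))
    return rows


if __name__ == "__main__":
    # Constructed sample: likely attack (8), near-critical vulnerability (9),
    # important asset (7), controls 60 % effective, half the asset exposed.
    result = cyber_risk_score(8, 9, 7, 60, 50)
    print(f"IR={result.inherent:.2f} RR={result.residual:.2f} "
          f"CRS={result.score:.2f} -> {result.severity}")
    # Worst-case asset: even fully effective controls leave CRS at 40 (Moderate).
    for ce, score, sev in control_sweep(10, 10, 10, 100):
        print(f"CE={ce:3d}%  CRS={score:6.2f}  {sev}")
```

For the sample above IR = 504 / 10 = 50.4, CM = 0.4, EM = 0.5, RR = 10.08 and CRS = 20.16 + 6.048 = 26.208, which classifies as Low. The sweep for a 10/10/10 asset with full exposure runs 100, 85, 70, 55, 40: the best any control programme can do for such an asset under this formula is Moderate.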

Assumptions & References

  • All ordinal inputs (1–10) are treated as linear scales; organisations may substitute logarithmic scales for finer granularity.
  • Inherent Risk is normalised to 0–100 by dividing the product of three 1–10 inputs by 10 (maximum product = 1 000).
  • The 40 / 60 weighting between IR and RR is a design choice of this calculator: post-control residual exposure is treated as the primary decision driver, while inherent risk is retained so that a high-value, high-severity exposure never scores as negligible. A consequence is that CRS can never fall below 0.4 × IR, however effective the controls are (an asset with IR = 100 scores at least 40, Moderate, even at 100 % control effectiveness).
  • Vulnerability Severity is aligned with the CVSS v3.1 base score scale (FIRST.org, 2019).
  • The five severity labels are adapted from NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments, 2012), which names its top level "Very High" rather than "Critical"; the equal-width 20-point bands are this calculator's own and do not reproduce NIST's semi-quantitative ranges.
  • The Exposure Factor concept (the fraction of asset value lost in a single event, as in the single-loss-expectancy relation SLE = Asset Value × EF) is drawn from quantitative risk analysis as described in NIST SP 800-30 and the FAIR (Factor Analysis of Information Risk) model.
  • Control Effectiveness is a self-assessed percentage; organisations should derive it from audit results, penetration-test findings, or maturity assessments (e.g., CIS Controls, ISO/IEC 27001).
  • This calculator produces a relative risk indicator for prioritisation purposes and does not replace a full quantitative risk assessment.
