Business Cyber Risk Score Calculator

Assess your organization's overall cyber risk score (0–100) based on industry-standard factors including asset value, threat likelihood, vulnerability severity, and existing security controls. A lower score indicates better security posture.

Formula

Step 1 – Base Risk:
Base Risk = (Asset Value × Threat Likelihood × Vulnerability Severity) / 10

Step 2 – Control Reduction Factor:
Control Factor = (11 − Control Effectiveness) / 10
Adjusted Risk = Base Risk × Control Factor

Step 3 – Employee Scale Factor:
Employee Factor = log₁₀(Employees + 1) / log₁₀(1001)
Normalizes organization size so 1,000 employees = 1.0 multiplier.

Step 4 – Modifiers:
Incident Modifier = (Incident History − 1) × (10 / 9)
Remote Modifier = (Remote % / 10) × 0.5
Third-Party Modifier = min(Vendors × 0.3, 10)

Step 5 – Final Score (clamped 0–100):
Score = (Adjusted Risk × Employee Factor) + Incident Modifier + Remote Modifier + Third-Party Modifier

Assumptions & References

  • Risk scoring methodology is adapted from the NIST SP 800-30 Rev. 1 risk assessment framework (Likelihood × Impact model).
  • Higher Control Effectiveness reduces risk (the control factor falls as effectiveness rises), consistent with ISO/IEC 27001 control maturity principles.
  • Employee scale uses logarithmic normalization to reflect that larger organizations have proportionally larger attack surfaces, per Verizon DBIR findings.
  • Remote workforce modifier reflects increased endpoint exposure; each 10% remote workforce adds 0.5 risk points, based on CISA Remote Work Security guidance.
  • Third-party vendor risk is capped at 10 points, reflecting supply-chain risk per NIST SP 800-161 (Cybersecurity Supply Chain Risk Management).
  • Incident history modifier reflects that organizations with prior breaches face elevated re-breach probability, per IBM Cost of a Data Breach Report 2023.
  • All input scales (1–10) are self-assessed; for production use, map these to quantitative metrics (e.g., CVSS scores for vulnerability severity).
  • Risk bands: Low (<20), Moderate-Low (20–39), Moderate (40–59), High (60–79), Critical (80–100).
  • This calculator provides a relative risk indicator and does not replace a formal cybersecurity risk assessment by a qualified professional.
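The five formula steps and the risk bands above, carried through in code as an added example (written for this page, not the calculator's own source). It assumes the integer band boundaries listed under Assumptions and places a fractional score such as 39.5 in the higher band; the sample inputs are constructed.

```python
import math

# Band thresholds from the page: Low (<20), Moderate-Low (20-39), Moderate (40-59),
# High (60-79), Critical (80-100). Assumption: a fractional score between two
# integer boundaries (e.g. 39.5) falls into the higher band.
BANDS = [(20, "Low"), (40, "Moderate-Low"), (60, "Moderate"), (80, "High")]


def risk_band(score):
    """Map a clamped 0-100 score to its risk band label."""
    for upper, label in BANDS:
        if score < upper:
            return label
    return "Critical"


def cyber_risk_score(asset_value, threat_likelihood, vulnerability_severity,
                     control_effectiveness, employees, incident_history,
                     remote_pct, vendors):
    """Return every intermediate term plus the clamped final score and band.

    asset_value, threat_likelihood, vulnerability_severity, control_effectiveness
    and incident_history are the page's 1-10 self-assessed scales; employees and
    vendors are counts; remote_pct is the remote workforce percentage (0-100).
    """
    scales = {"asset_value": asset_value, "threat_likelihood": threat_likelihood,
              "vulnerability_severity": vulnerability_severity,
              "control_effectiveness": control_effectiveness,
              "incident_history": incident_history}
    for name, value in scales.items():
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be on the 1-10 scale, got {value}")
    if not 0 <= remote_pct <= 100 or employees < 0 or vendors < 0:
        raise ValueError("remote_pct must be 0-100; employees and vendors >= 0")

    base_risk = asset_value * threat_likelihood * vulnerability_severity / 10   # Step 1
    control_factor = (11 - control_effectiveness) / 10                          # Step 2
    adjusted_risk = base_risk * control_factor
    # Step 3: equals 1.0 at 1,000 employees, 0.0 at 0 employees (which zeroes the
    # adjusted risk entirely), and exceeds 1.0 for organisations above 1,000.
    employee_factor = math.log10(employees + 1) / math.log10(1001)
    incident_modifier = (incident_history - 1) * (10 / 9)                       # Step 4
    remote_modifier = (remote_pct / 10) * 0.5
    third_party_modifier = min(vendors * 0.3, 10)
    raw = (adjusted_risk * employee_factor + incident_modifier
           + remote_modifier + third_party_modifier)                            # Step 5
    score = round(max(0.0, min(100.0, raw)), 2)
    return {"base_risk": base_risk, "control_factor": control_factor,
            "adjusted_risk": adjusted_risk, "employee_factor": employee_factor,
            "incident_modifier": incident_modifier, "remote_modifier": remote_modifier,
            "third_party_modifier": third_party_modifier,
            "score": score, "band": risk_band(score)}
```

Returning the intermediate terms alongside the score lets a reviewer see which factor dominates before acting on the band.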
