Cloud Security Risk Score Calculator
Calculates a composite Cloud Security Risk Score (0–100) using weighted factors including vulnerability severity, access control maturity, data sensitivity, compliance gaps, and historical incident rate. A higher score indicates greater risk.
Formula
Each input is normalised to a 0–100 scale and combined with empirically derived weights:
- Vnorm = (CVSS Score / 10) × 100
- Anorm = ((5 − Access Maturity) / 4) × 100 (inverted: lower maturity = higher risk)
- Snorm = ((Sensitivity − 1) / 4) × 100
- Cnorm = Compliance Gap % (already 0–100)
- Inorm = min(Incidents / 10, 1) × 100 (capped at 10 incidents)
Risk Score = 0.30 × Vnorm + 0.25 × Anorm + 0.20 × Snorm + 0.15 × Cnorm + 0.10 × Inorm
Risk Bands: <20 Low | 20–39 Moderate | 40–59 High | 60–79 Very High | 80–100 Critical
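As an added worked example (not code from the calculator page itself), the following Python reproduces the normalisation, weighting and risk bands above, with range checks on each input so an out-of-range value fails loudly instead of silently skewing the score. The sample inputs are constructed; band boundaries for non-integer scores (e.g. 39.5) are assumed to fall into the lower band, matching the "<20 Low" convention.

```python
# Weights exactly as given on the page: 30/25/20/15/10.
WEIGHTS = {"vuln": 0.30, "access": 0.25, "sensitivity": 0.20,
           "compliance": 0.15, "incidents": 0.10}

# Risk bands, checked from highest lower bound downwards.
BANDS = [(80, "Critical"), (60, "Very High"), (40, "High"),
         (20, "Moderate"), (0, "Low")]


def _check_range(name, value, lo, hi):
    """Reject inputs outside the scale the page defines for them."""
    if not (lo <= value <= hi):
        raise ValueError(f"{name} must be in [{lo}, {hi}], got {value}")


def normalise(cvss, access_maturity, sensitivity, compliance_gap_pct, incidents):
    """Map each raw input onto the 0-100 scale from the Formula section."""
    _check_range("CVSS", cvss, 0.0, 10.0)
    _check_range("Access Maturity", access_maturity, 1, 5)
    _check_range("Sensitivity", sensitivity, 1, 5)
    _check_range("Compliance Gap %", compliance_gap_pct, 0, 100)
    if incidents < 0:
        raise ValueError("Incidents must be non-negative")
    return {
        "vuln": cvss / 10 * 100,
        # Inverted: lower maturity means higher risk.
        "access": (5 - access_maturity) / 4 * 100,
        "sensitivity": (sensitivity - 1) / 4 * 100,
        "compliance": float(compliance_gap_pct),
        # Capped at 10 incidents in the trailing 12 months.
        "incidents": min(incidents / 10, 1) * 100,
    }


def risk_score(cvss, access_maturity, sensitivity, compliance_gap_pct, incidents):
    """Weighted composite score on a 0-100 scale (higher = more risk)."""
    n = normalise(cvss, access_maturity, sensitivity, compliance_gap_pct, incidents)
    return round(sum(WEIGHTS[k] * n[k] for k in WEIGHTS), 2)


def risk_band(score):
    """Label a score using the page's bands; scores in (39, 40) fall to the lower band."""
    for lower, label in BANDS:
        if score >= lower:
            return label
    raise ValueError(f"score out of range: {score}")


if __name__ == "__main__":
    # Constructed sample: avg CVSS 7.5, maturity 2, restricted data, 30% gap, 3 incidents.
    s = risk_score(7.5, 2, 4, 30, 3)
    print(f"score={s} band={risk_band(s)}")  # score=63.75 band=Very High
```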
Assumptions & References
- CVSS (Common Vulnerability Scoring System) scores sourced from NIST NVD; use the average across all open findings in scope.
- Access Control Maturity is assessed against the CIS Controls v8 IG levels or NIST CSF Identify/Protect tiers (1 = ad-hoc, 5 = optimised).
- Data Sensitivity follows a 5-point scale aligned with NIST SP 800-60 data categorisation (1 = public, 5 = restricted/PII/PHI/PCI).
- Compliance Gap % represents the percentage of applicable controls failing in your most recent audit (e.g., SOC 2, ISO 27001, FedRAMP, HIPAA).
- Incident count covers confirmed security incidents (breaches, misconfigurations exploited, privilege escalations) in the trailing 12 months; capped at 10 for normalisation.
- Weights (30/25/20/15/10) are derived from the Cloud Security Alliance (CSA) Cloud Controls Matrix v4 domain risk rankings and NIST CSF function priorities.
- This score is a relative risk indicator for prioritisation purposes and does not replace a formal risk assessment per ISO 31000 or NIST RMF.