Critical Infrastructure Vulnerability Assessment Calculator
Quantifies the composite vulnerability risk score for critical infrastructure assets by combining threat likelihood, asset criticality, control effectiveness, and exposure factors, using a methodology inspired by NIST SP 800-30 and DHS CARVER.
- Threat Likelihood (1–10): Probability that a threat actor will attempt to exploit a vulnerability (1 = very unlikely, 10 = near certain).
- Asset Criticality (1–10): Importance of the asset to operations and public safety (e.g., power grid node = 9–10, auxiliary system = 1–3).
- Vulnerability Severity (1–10): Inherent severity of the identified vulnerability (for consistency, align with the CVSS base score, which is already on a 10-point scale).
- Control Effectiveness (0–100%): Percentage effectiveness of existing security controls (physical, cyber, procedural) in reducing exploitation risk.
- Exposure Factor (0–1): Degree to which the asset is exposed to potential threat actors (0 = isolated, 1 = fully accessible).
- Impact Magnitude (1–10): Estimated consequence magnitude if the vulnerability is successfully exploited (consider safety, economic, and societal impact).
```javascript
function criCalc() {
  // --- Retrieve inputs ---
  var tl = parseFloat(document.getElementById('cri-threat-likelihood').value);
  var ac = parseFloat(document.getElementById('cri-asset-criticality').value);
  var vs = parseFloat(document.getElementById('cri-vulnerability-severity').value);
  var ce = parseFloat(document.getElementById('cri-control-effectiveness').value);
  var ef = parseFloat(document.getElementById('cri-exposure-factor').value);
  var im = parseFloat(document.getElementById('cri-impact-magnitude').value);
  var resultDiv = document.getElementById('cri-result');

  // --- Input validation: reject non-numeric and out-of-range values ---
  var errors = [];
  if (isNaN(tl) || tl < 1 || tl > 10) errors.push("Threat Likelihood must be between 1 and 10.");
  if (isNaN(ac) || ac < 1 || ac > 10) errors.push("Asset Criticality must be between 1 and 10.");
  if (isNaN(vs) || vs < 1 || vs > 10) errors.push("Vulnerability Severity must be between 1 and 10.");
  if (isNaN(ce) || ce < 0 || ce > 100) errors.push("Control Effectiveness must be between 0 and 100.");
  if (isNaN(ef) || ef < 0 || ef > 1) errors.push("Exposure Factor must be between 0 and 1.");
  if (isNaN(im) || im < 1 || im > 10) errors.push("Impact Magnitude must be between 1 and 10.");
  // Minimal markup (assumed) is used for all output below.
  if (errors.length > 0) {
    resultDiv.innerHTML = '<strong>Input Errors:</strong><ul>' +
      errors.map(function (e) { return '<li>' + e + '</li>'; }).join('') + '</ul>';
    return;
  }

  // --- Core Formula ---
  // Residual Threat = Threat Likelihood × Exposure Factor × (1 - Control Effectiveness / 100)
  var residualThreat = tl * ef * (1 - ce / 100);
  // Inherent Risk = Vulnerability Severity × Asset Criticality × Impact Magnitude
  // Normalised to 0–10 scale (max raw = 10 × 10 × 10 = 1000)
  var inherentRisk = (vs * ac * im) / 100;
  // Composite Vulnerability Risk Score (CVRS), scaled 0–10
  // CVRS = (Residual Threat × Inherent Risk) / 10
  // Max residual threat = 10 × 1 × 1 = 10; max inherent risk = 10; product = 100 → /10 = 10
  var cvrs = (residualThreat * inherentRisk) / 10;
  // Clamp to [0, 10]
  cvrs = Math.min(10, Math.max(0, cvrs));

  // --- Risk Rating ---
  var rating, ratingColor, recommendation;
  if (cvrs >= 8) {
    rating = "CRITICAL"; ratingColor = "#c0392b";
    recommendation = "Immediate remediation required. Escalate to senior leadership. Consider temporary shutdown or isolation of the asset until controls are strengthened.";
  } else if (cvrs >= 6) {
    rating = "HIGH"; ratingColor = "#e67e22";
    recommendation = "Urgent action needed within 30 days. Implement additional compensating controls, increase monitoring frequency, and develop an incident response plan specific to this asset.";
  } else if (cvrs >= 4) {
    rating = "MEDIUM"; ratingColor = "#f1c40f";
    recommendation = "Schedule remediation within 90 days. Review and enhance existing controls, conduct tabletop exercises, and increase vulnerability scanning cadence.";
  } else if (cvrs >= 2) {
    rating = "LOW"; ratingColor = "#27ae60";
    recommendation = "Address in next scheduled maintenance cycle. Document residual risk and ensure controls are reviewed annually.";
  } else {
    rating = "MINIMAL"; ratingColor = "#2980b9";
    recommendation = "Risk is well-managed. Maintain current controls and continue routine monitoring.";
  }

  // --- Sub-metric display values ---
  var residualThreatPct = (residualThreat / 10 * 100).toFixed(1);
  var inherentRiskDisplay = inherentRisk.toFixed(2);

  // --- Output ---
  function row(label, value) { return '<tr><td>' + label + '</td><td>' + value + '</td></tr>'; }
  resultDiv.innerHTML =
    '<h3>Composite Vulnerability Risk Score (CVRS)</h3>' +
    '<div>' + cvrs.toFixed(2) + ' / 10</div>' +
    '<div>Risk Rating: <span style="color:' + ratingColor + '">' + rating + '</span></div>' +
    '<table><tr><th>Metric</th><th>Value</th></tr>' +
    row('Threat Likelihood', tl.toFixed(1) + ' / 10') +
    row('Asset Criticality', ac.toFixed(1) + ' / 10') +
    row('Vulnerability Severity', vs.toFixed(1) + ' / 10') +
    row('Control Effectiveness', ce.toFixed(0) + '%') +
    row('Exposure Factor', ef.toFixed(2)) +
    row('Impact Magnitude', im.toFixed(1) + ' / 10') +
    row('Residual Threat Score', residualThreat.toFixed(3) + ' (' + residualThreatPct + '% of max)') +
    row('Normalised Inherent Risk', inherentRiskDisplay + ' / 10') +
    '</table>' +
    '<p>Recommendation: ' + recommendation + '</p>';
}
```
#### Formula
Step 1 — Residual Threat Score:
Residual Threat = Threat Likelihood × Exposure Factor × (1 − Control Effectiveness / 100)

Captures how much of the raw threat remains after existing controls and exposure are factored in. Range: 0–10.
Step 2 — Normalised Inherent Risk:
Inherent Risk = (Vulnerability Severity × Asset Criticality × Impact Magnitude) / 100

Combines the three consequence-side dimensions. Dividing by 100 normalises the maximum (10 × 10 × 10 = 1000 → 10). Range: 0–10.
Step 3 — Composite Vulnerability Risk Score (CVRS):
CVRS = (Residual Threat × Inherent Risk) / 10

Multiplying the two normalised sub-scores (max product = 10 × 10 = 100) and dividing by 10 yields a final score on a 0–10 scale.
Risk Bands:
| CVRS Range | Rating |
| --- | --- |
| 8.00 – 10.00 | Critical |
| 6.00 – 7.99 | High |
| 4.00 – 5.99 | Medium |
| 2.00 – 3.99 | Low |
| 0.00 – 1.99 | Minimal |
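An added example, not the calculator's own code: the three steps as a pure function applied to constructed sample assets, plus the control effectiveness needed to reach a target score, obtained by solving Step 3 for Control Effectiveness. The function names, asset values and the target of 2.00 are assumptions. It shows how the six-factor product compresses scores: an asset at mid-range on every input scores about 0.16, and a near-worst-case asset with 20% control effectiveness still lands in Medium.

```javascript
// Added example. Function names and sample assets are assumptions, not page code.
function cvrs(a) {
  // Step 1: residual threat after exposure and controls (0-10)
  const residualThreat = a.tl * a.ef * (1 - a.ce / 100);
  // Step 2: normalised inherent risk (0-10)
  const inherentRisk = (a.vs * a.ac * a.im) / 100;
  // Step 3: composite score, clamped to [0, 10]
  return Math.min(10, Math.max(0, (residualThreat * inherentRisk) / 10));
}

function band(score) {
  if (score >= 8) return "CRITICAL";
  if (score >= 6) return "HIGH";
  if (score >= 4) return "MEDIUM";
  if (score >= 2) return "LOW";
  return "MINIMAL";
}

// Minimum control effectiveness (%) that brings the score down to `target`.
// Since CVRS(ce) = CVRS(ce = 0) × (1 - ce / 100), solve for ce.
// Returns 0 when the asset is already at or below target with no controls.
function requiredControlEffectiveness(a, target) {
  const uncontrolled = cvrs({ ...a, ce: 0 });
  if (uncontrolled <= target) return 0;
  return 100 * (1 - target / uncontrolled);
}

// Score every asset and sort highest risk first.
function rank(list) {
  return list
    .map((a) => ({ name: a.name, score: cvrs(a), band: band(cvrs(a)) }))
    .sort((x, y) => y.score - x.score);
}

// Constructed sample inputs (illustrative values only).
const assets = [
  { name: "mid-range on every input", tl: 5, ac: 5, vs: 5, ce: 50, ef: 0.5, im: 5 },
  { name: "air-gapped controller", tl: 9, ac: 10, vs: 9, ce: 20, ef: 0.1, im: 10 },
  { name: "internet-facing HMI", tl: 9, ac: 9, vs: 9, ce: 20, ef: 1.0, im: 9 },
];

for (const r of rank(assets)) {
  console.log(r.name.padEnd(26), r.score.toFixed(2), r.band);
}
const need = requiredControlEffectiveness(assets[2], 2);
console.log("HMI needs control effectiveness of " + need.toFixed(1) + "% to reach 2.00");
```

Exposure Factor and Control Effectiveness scale the score linearly, so the air-gapped controller with otherwise higher inputs scores roughly an eighth of the internet-facing HMI.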
#### Assumptions & References
- The formula is inspired by NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments) and the DHS CARVER+Shock methodology for critical infrastructure prioritisation.
- Threat Likelihood should be estimated using historical incident data, threat intelligence feeds (e.g., CISA advisories, ICS-CERT), or expert elicitation on a 1–10 ordinal scale.
- Asset Criticality reflects the asset's role in mission continuity; align with your organisation's Business Impact Analysis (BIA) or the NERC CIP asset classification for energy sector assets.
- Vulnerability Severity can be mapped directly from a CVSS v3.1 base score (0–10) for cyber vulnerabilities, or from a physical/procedural expert assessment for non-cyber vulnerabilities.
- Control Effectiveness should be derived from security control assessments (e.g., NIST SP 800-53A, IEC 62443 security level verification) and penetration test outcomes.
- Exposure Factor accounts for network connectivity, physical accessibility, and supply-chain exposure. An air-gapped OT system with no remote access scores near 0; an internet-facing SCADA HMI scores near 1.
- Impact Magnitude should consider cascading effects across interdependent systems (e.g., power outage affecting water treatment), economic loss, public safety consequences, and national security implications.