Cyber Risk Score Calculator

ANA›Life Services Authority›National Calculator Authority›Cyber Risk Score Calculator

.calc-container { max-width: 640px; margin: 2rem 0; padding: 1.5rem; background: #fff; border: 1px solid #ddd; border-radius: 8px; box-shadow: 0 1px 3px rgba(0,0,0,0.06); font-family: system-ui, -apple-system, sans-serif; } .calc-container h3 { font-family: Georgia, serif; font-size: 1.15rem; color: #1a1a1a; margin-bottom: 1rem; padding-bottom: 0.5rem; border-bottom: 2px solid var(--ac, #3d5a80); } .calc-row { display: flex; align-items: center; gap: 0.75rem; margin-bottom: 0.75rem; flex-wrap: wrap; } .calc-row label { min-width: 160px; font-size: 0.9rem; color: #333; font-weight: 500; } .calc-row input[type="number"], .calc-row select { flex: 1; min-width: 120px; max-width: 200px; padding: 0.5rem 0.6rem; border: 1px solid #ccc; border-radius: 4px; font-size: 0.9rem; font-family: system-ui, sans-serif; color: #1a1a1a; background: #fafaf8; } .calc-row input:focus, .calc-row select:focus { outline: none; border-color: var(--ac, #3d5a80); box-shadow: 0 0 0 2px rgba(26,74,138,0.12); } .calc-row .unit { font-size: 0.82rem; color: #888; min-width: 30px; } .calc-btn { display: inline-block; margin-top: 0.5rem; padding: 0.55rem 1.5rem; background: var(--ac, #3d5a80); color: #fff; border: none; border-radius: 4px; font-size: 0.9rem; font-weight: 600; cursor: pointer; font-family: system-ui, sans-serif; } .calc-btn:hover { opacity: 0.9; } .calc-result { margin-top: 1.25rem; padding: 1rem 1.25rem; background: #f0f6fc; border-left: 3px solid var(--ac, #3d5a80); border-radius: 0 6px 6px 0; display: none; } .calc-result.visible { display: block; } .calc-result-label { font-size: 0.78rem; text-transform: uppercase; letter-spacing: 0.06em; color: #666; margin-bottom: 0.25rem; } .calc-result-value { font-size: 1.6rem; font-weight: 700; color: var(--ac, #3d5a80); } .calc-result-detail { font-size: 0.85rem; color: #555; margin-top: 0.5rem; line-height: 1.5; } .calc-note { margin-top: 1rem; font-size: 0.8rem; color: #888; font-style: italic; } .calc-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 0.75rem; margin-top: 0.75rem; } .calc-grid-item { padding: 0.6rem 0.8rem; background: #f8f9fa; border-radius: 4px; border: 1px solid #eee; } .calc-grid-item .label { font-size: 0.75rem; color: #888; text-transform: uppercase; letter-spacing: 0.04em; } .calc-grid-item .value { font-size: 1.1rem; font-weight: 600; color: #1a1a1a; } @media (max-width: 720px) { .calc-row { flex-direction: column; align-items: flex-start; gap: 0.3rem; } .calc-row label { min-width: auto; } .calc-row input[type="number"], .calc-row select { max-width: 100%; width: 100%; } .calc-grid { grid-template-columns: 1fr; } } .calc-chart { margin: 1rem 0; text-align: center; } .calc-chart svg { max-width: 100%; height: auto; } .calc-chart-legend { display: flex; flex-wrap: wrap; justify-content: center; gap: 0.6rem 1.2rem; margin-top: 0.6rem; font-size: 0.8rem; color: #555; } .calc-chart-legend span { display: inline-flex; align-items: center; gap: 0.3rem; } .calc-chart-legend i { display: inline-block; width: 10px; height: 10px; border-radius: 2px; font-style: normal; } .calc-related { max-width: 640px; margin: 2rem 0 1rem; padding: 1.25rem 1.5rem; background: #f8f9fa; border: 1px solid #e8e8e8; border-radius: 8px; } .calc-related h3 { font-family: Georgia, serif; font-size: 1rem; color: #1a1a1a; margin: 0 0 0.75rem; padding-bottom: 0.4rem; border-bottom: 2px solid var(--ac, #3d5a80); } .calc-related-list { list-style: none; padding: 0; margin: 0 0 0.75rem; display: grid; grid-template-columns: 1fr 1fr; gap: 0.4rem 1.5rem; } .calc-related-list li a { font-size: 0.88rem; color: var(--ac, #3d5a80); text-decoration: none; } .calc-related-list li a:hover { text-decoration: underline; } .calc-browse-all { margin: 0.5rem 0 0; font-size: 0.9rem; font-weight: 600; } .calc-browse-all a { color: var(--ac, #3d5a80); text-decoration: none; } .calc-browse-all a:hover { text-decoration: underline; } @media (max-width: 720px) { .calc-related-list { grid-template-columns: 1fr; } }

Cyber Risk Score Calculator

Quantifies organizational cyber risk exposure using threat likelihood, vulnerability severity, asset value, and control effectiveness to produce a composite risk score (0–100) with severity classification.

Threat Likelihood (1–10)

Probability that a threat actor will attempt an attack (1 = very unlikely, 10 = near certain).

Vulnerability Severity (1–10)

CVSS-aligned severity of the most critical known vulnerability (1 = minimal, 10 = critical).

Asset Value (1–10)

Business criticality of the asset at risk (1 = low-value, 10 = mission-critical).

Security Control Effectiveness (0–100 %)

Percentage effectiveness of existing security controls in mitigating the threat (0 = no controls, 100 = fully mitigated).

Exposure Factor (0–100 %)

Percentage of the asset that would be compromised if the threat materialises (0 = no impact, 100 = total loss).

Calculate Risk Score Fill in all fields and click Calculate.

function cybCalc() { var resultDiv = document.getElementById('cyb-result');

var tl = parseFloat(document.getElementById('cyb-threat-likelihood').value); var vs = parseFloat(document.getElementById('cyb-vulnerability-severity').value); var av = parseFloat(document.getElementById('cyb-asset-value').value); var ce = parseFloat(document.getElementById('cyb-control-effectiveness').value); var ef = parseFloat(document.getElementById('cyb-exposure-factor').value);

// --- Input validation --- var errors = []; if (isNaN(tl) || tl 10) errors.push('Threat Likelihood must be between 1 and 10.'); if (isNaN(vs) || vs 10) errors.push('Vulnerability Severity must be between 1 and 10.'); if (isNaN(av) || av 10) errors.push('Asset Value must be between 1 and 10.'); if (isNaN(ce) || ce 100) errors.push('Control Effectiveness must be between 0 and 100.'); if (isNaN(ef) || ef 100) errors.push('Exposure Factor must be between 0 and 100.');

if (errors.length > 0) { resultDiv.innerHTML = '' + errors.join('') + ''; return; }

/ * Formula derivation * ------------------ * Inherent Risk (IR) — raw risk before controls, normalised to 0–100: * IR = (ThreatLikelihood × VulnerabilitySeverity × AssetValue) / 10 * Max possible = (10 × 10 × 10) / 10 = 100 ✓ * * Residual Risk (RR) — risk after applying controls and exposure factor: * ControlMultiplier (CM) = 1 − (ControlEffectiveness / 100) * ExposureMultiplier (EM) = ExposureFactor / 100 * RR = IR × CM × EM * * Cyber Risk Score (CRS) — composite score 0–100: * CRS = (IR × 0.40) + (RR × 0.60) * Weighting: residual risk carries more weight because it reflects * the real-world post-control exposure. /

var IR = (tl * vs * av) / 10; // 0–100 var CM = 1 - (ce / 100); // 0–1 var EM = ef / 100; // 0–1 var RR = IR * CM * EM; // 0–100

var CRS = (IR * 0.40) + (RR * 0.60); // 0–100 CRS = Math.min(100, Math.max(0, CRS)); // clamp

// Severity classification (NIST SP 800-30 aligned) var severity, sevColor; if (CRS ' + 'Residual Risk Score: ' + RR.toFixed(2) + ' / 100' + 'Cyber Risk Score (CRS): ' + CRS.toFixed(2) + ' / 100' + 'Severity Level: ' + severity + ''; }

#### Formula

Step 1 — Inherent Risk (IR): IR = (Threat Likelihood × Vulnerability Severity × Asset Value) / 10

Step 2 — Residual Risk (RR): Control Multiplier (CM) = 1 − (Control Effectiveness / 100) Exposure Multiplier (EM) = Exposure Factor / 100 RR = IR × CM × EM

Step 3 — Cyber Risk Score (CRS): CRS = (IR × 0.40) + (RR × 0.60)

Severity Bands: 0–19.99 = Very Low | 20–39.99 = Low | 40–59.99 = Moderate | 60–79.99 = High | 80–100 = Critical

#### Assumptions & References

Vulnerability Severity is aligned with the CVSS v3.1 base score scale (FIRST.org, 2019).
Risk classification bands follow NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments, 2012).
The Exposure Factor concept is drawn from NIST SP 800-30 and the FAIR (Factor Analysis of Information Risk) model.

More Calculators

References

10 CFR § 73.77 — § 73.77 Cyber security event notifications.

Cyber Risk Score Calculator

Cyber Risk Score Calculator

More Calculators

Read Next

References

Related Authorities