Cyber Threat Risk Score Calculator
Calculate a quantitative cyber threat risk score based on threat likelihood, asset impact, vulnerability severity, and control effectiveness using the NIST-aligned risk formula.
Inputs
- Threat Likelihood (L): Probability that a threat will exploit a vulnerability (1 = very unlikely, 10 = near certain)
- Asset Impact (I): Business impact if the threat is realized (1 = negligible, 10 = catastrophic)
- Vulnerability Severity (V): CVSS-style severity of the exploitable weakness (1 = minimal, 10 = critical)
- Control Effectiveness (CE): How effective existing security controls are at mitigating the threat (0% = no controls, 100% = fully mitigated)
- Exposure Window (EW): Hours per week the asset is exposed to the threat vector (168 = always on)
Formula
Step 1 — Residual Likelihood:
RL = L × (V / 10) × (1 − CE / 100)
Step 2 — Exposure Factor:
EF = EW / 168
Step 3 — Raw Risk Score:
RawRisk = RL × I × EF
Step 4 — Normalized Risk Score (0–100):
Score = (RawRisk / 10) × 100
Step 5 — Annualized Loss Expectancy Proxy:
ALE = (EW / 168) × 52 × (L / 10) × (V / 10) × (1 − CE / 100) × (I × $10,000)
Where: L = Threat Likelihood, I = Asset Impact, V = Vulnerability Severity, CE = Control Effectiveness (%), EW = Exposure Window (hrs/week).
Assumptions & References
- The formula is aligned with NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments), which defines Risk = Likelihood × Impact, adjusted here for control effectiveness.
- Vulnerability Severity scoring mirrors the CVSS v3.1 base score scale (Common Vulnerability Scoring System, FIRST.org).
- Control Effectiveness represents the percentage reduction in residual likelihood achieved by existing security controls (e.g., firewalls, MFA, patching cadence).
- Exposure Window normalizes risk to a 168-hour week (24×7), reflecting that assets not continuously exposed carry proportionally lower risk.
- The ALE proxy assumes an impact unit value of $10,000 per impact point as a qualitative placeholder; replace with actual asset valuation for financial risk quantification per FAIR (Factor Analysis of Information Risk) methodology.
- Risk thresholds (Critical ≥75, High ≥50, Medium ≥25, Low ≥10, Minimal <10) follow common enterprise risk appetite frameworks and ISO/IEC 27005:2022 risk treatment guidelines.
- All inputs are bounded (1–10 or 0–100%) to prevent score inflation; the normalized score is clamped to [0, 100].
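The five formula steps, the input bounds, and the threshold bands above, carried through as an added worked example (not code from the calculator itself). The $10,000 impact unit is the page's placeholder; the sample inputs are constructed.

```python
from dataclasses import dataclass

IMPACT_UNIT_USD = 10_000   # placeholder $ per impact point, as stated in the assumptions
HOURS_PER_WEEK = 168
WEEKS_PER_YEAR = 52

# Threshold bands from the page, checked from highest to lowest; anything below Low is Minimal.
THRESHOLDS = (("Critical", 75), ("High", 50), ("Medium", 25), ("Low", 10))


@dataclass(frozen=True)
class RiskResult:
    residual_likelihood: float
    exposure_factor: float
    raw_risk: float
    score: float          # normalized and clamped to [0, 100]
    rating: str
    ale_usd: float


def _check(name: str, value: float, lo: float, hi: float) -> None:
    """Enforce the page's input bounds (1-10, 0-100%, 0-168 hrs) before any arithmetic."""
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be within [{lo}, {hi}], got {value}")


def rate(score: float) -> str:
    for label, floor in THRESHOLDS:
        if score >= floor:
            return label
    return "Minimal"


def risk_score(L: float, I: float, V: float, CE: float, EW: float) -> RiskResult:
    """Apply Steps 1-5 of the formula with the page's symbols."""
    for name, value, hi in (("L", L, 10), ("I", I, 10), ("V", V, 10)):
        _check(name, value, 1, hi)
    _check("CE", CE, 0, 100)
    _check("EW", EW, 0, HOURS_PER_WEEK)
    rl = L * (V / 10) * (1 - CE / 100)              # Step 1: residual likelihood
    ef = EW / HOURS_PER_WEEK                        # Step 2: exposure factor
    raw = rl * I * ef                               # Step 3: raw risk (can reach 100)
    score = min(100.0, max(0.0, raw / 10 * 100))    # Step 4: normalized, clamped to [0, 100]
    ale = ef * WEEKS_PER_YEAR * (L / 10) * (V / 10) * (1 - CE / 100) * (I * IMPACT_UNIT_USD)  # Step 5
    return RiskResult(rl, ef, raw, score, rate(score), ale)


if __name__ == "__main__":
    # Constructed sample: likely threat, mid impact, severe weakness, half-effective controls, 12 h/day exposure.
    print(risk_score(L=6, I=5, V=8, CE=50, EW=84))
```

Because RawRisk can reach 100 while Step 4 divides by 10, any RawRisk above 10 saturates at a score of 100, so the clamp in Step 4 is what keeps the band assignment meaningful at the high end.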