Endpoint Risk Score Calculator
Calculates a composite endpoint risk score (0–100) using vulnerability severity, patch lag, network exposure, and asset criticality — based on the CVSS-influenced risk scoring model.
- Base CVSS Score (0–10)
- Days Since Last Patch (0–365)
- Network Exposure: Internal Only (0.4); DMZ / Partially Exposed (0.7); Internet-Facing (1.0)
- Asset Criticality: Low — General workstation (0.5); Medium — Business system (0.75); High — Server / Critical infra (1.0); Critical — Core infrastructure (1.25)
- Number of Known Vulnerabilities (0–500)
- Antivirus / EDR Installed?: No (1.0); Yes, but outdated (0.7); Yes, up to date (0.4)
```javascript
function endCalc() {
  var resultDiv = document.getElementById('end-result');
  resultDiv.style.display = 'none';
  resultDiv.innerHTML = '';

  // --- Collect inputs ---
  var cvssRaw = document.getElementById('end-cvss').value.trim();
  var patchRaw = document.getElementById('end-patch-days').value.trim();
  var exposure = document.getElementById('end-exposure').value;
  var crit = document.getElementById('end-criticality').value;
  var vulnRaw = document.getElementById('end-vuln-count').value.trim();
  var avFactor = document.getElementById('end-av-installed').value;

  // --- Validation ---
  var errors = [];

  if (cvssRaw === '') {
    errors.push('CVSS Score is required.');
  } else {
    var cvss = parseFloat(cvssRaw);
    if (isNaN(cvss) || cvss < 0 || cvss > 10) errors.push('CVSS Score must be between 0 and 10.');
  }

  if (patchRaw === '') {
    errors.push('Days Since Last Patch is required.');
  } else {
    var patchDays = parseInt(patchRaw, 10);
    if (isNaN(patchDays) || patchDays < 0 || patchDays > 365) errors.push('Days Since Last Patch must be between 0 and 365.');
  }

  if (exposure === '') errors.push('Network Exposure selection is required.');
  if (crit === '') errors.push('Asset Criticality selection is required.');

  if (vulnRaw === '') {
    errors.push('Number of Known Vulnerabilities is required.');
  } else {
    var vulnCount = parseInt(vulnRaw, 10);
    if (isNaN(vulnCount) || vulnCount < 0 || vulnCount > 500) errors.push('Vulnerability count must be between 0 and 500.');
  }

  if (avFactor === '') errors.push('Antivirus / EDR status selection is required.');

  if (errors.length > 0) {
    resultDiv.style.display = 'block';
    resultDiv.innerHTML = 'Please fix the following:<ul>' +
      errors.map(function(e){ return '<li>' + e + '</li>'; }).join('') + '</ul>';
    return;
  }

  // --- Parse validated values ---
  cvss = parseFloat(cvssRaw);
  patchDays = parseInt(patchRaw, 10);
  exposure = parseFloat(exposure);
  crit = parseFloat(crit);
  vulnCount = parseInt(vulnRaw, 10);
  avFactor = parseFloat(avFactor);

  // --- Formula components ---

  // 1. Vulnerability Severity Component (0–10 → 0–1)
  var severityScore = cvss / 10.0;

  // 2. Patch Lag Component: logarithmic scale, max at 365 days
  //    patchLag = log(1 + patchDays) / log(1 + 365)
  var patchLag = Math.log(1 + patchDays) / Math.log(1 + 365);

  // 3. Vulnerability Density Component: log-normalised over 0–500
  //    vulnDensity = log(1 + vulnCount) / log(1 + 500)
  var vulnDensity = Math.log(1 + vulnCount) / Math.log(1 + 500);

  // 4. Composite base score (weighted sum, weights sum to 1.0)
  //    Weights: severity=0.35, patchLag=0.25, vulnDensity=0.20, exposure=0.20
  //    The exposure selection (0.4–1.0) is rescaled to 0–1 in the last term
  var baseScore = (0.35 * severityScore)
                + (0.25 * patchLag)
                + (0.20 * vulnDensity)
                + (0.20 * (exposure - 0.4) / 0.6); // normalise 0.4–1.0 → 0–1

  // 5. Apply asset criticality multiplier (0.5–1.25)
  var critMultiplier = crit; // selection value is already in the 0.5–1.25 range

  // 6. Apply AV/EDR mitigation factor (0.4–1.0)
  var mitigatedScore = baseScore * critMultiplier * avFactor;

  // 7. Scale to 0–100 and clamp
  //    Maximum theoretical: baseScore=1 * critMultiplier=1.25 * avFactor=1.0 = 1.25
  //    Scale: divide by 1.25 then multiply by 100
  var riskScore = Math.min(100, Math.max(0, (mitigatedScore / 1.25) * 100));
  var riskScoreRounded = Math.round(riskScore * 10) / 10;

  // --- Risk Band (thresholds as listed under "Risk Bands") ---
  var band;
  if (riskScore < 20) band = 'Low';
  else if (riskScore < 40) band = 'Moderate';
  else if (riskScore < 60) band = 'High';
  else if (riskScore < 80) band = 'Critical';
  else band = 'Severe';

  // --- Recommendations ---
  var recs = [];
  if (cvss >= 7.0) recs.push('High CVSS score — prioritise patching or virtual patching immediately.');
  if (patchDays > 90) recs.push('Patch lag exceeds 90 days — apply outstanding patches urgently.');
  if (exposure >= 1.0) recs.push('Internet-facing endpoint — review firewall rules and attack surface.');
  if (vulnCount > 20) recs.push('High vulnerability count — run a full remediation cycle.');
  if (avFactor >= 1.0) recs.push('No AV/EDR detected — deploy endpoint protection immediately.');
  if (avFactor === 0.7) recs.push('AV/EDR is outdated — update definitions and engine.');
  if (crit >= 1.0) recs.push('High-criticality asset — consider network segmentation and enhanced monitoring.');
  if (recs.length === 0) recs.push('Risk is within acceptable range — maintain current controls and monitor regularly.');

  // --- Output (every interpolated value is a number or a fixed string) ---
  resultDiv.style.display = 'block';
  resultDiv.innerHTML =
    '<h3>Endpoint Risk Score: ' + riskScoreRounded + ' / 100 (' + band + ')</h3>' +
    '<table>' +
    '<tr><th>Component</th><th>Value</th></tr>' +
    '<tr><td>Severity Score (CVSS normalised)</td><td>' + (severityScore * 100).toFixed(1) + '%</td></tr>' +
    '<tr><td>Patch Lag Score</td><td>' + (patchLag * 100).toFixed(1) + '%</td></tr>' +
    '<tr><td>Vulnerability Density Score</td><td>' + (vulnDensity * 100).toFixed(1) + '%</td></tr>' +
    '<tr><td>Network Exposure Factor</td><td>' + exposure.toFixed(2) + '</td></tr>' +
    '<tr><td>Asset Criticality Multiplier</td><td>' + critMultiplier.toFixed(2) + 'x</td></tr>' +
    '<tr><td>AV/EDR Mitigation Factor</td><td>' + avFactor.toFixed(2) + '</td></tr>' +
    '<tr><td>Composite Risk Score</td><td>' + riskScoreRounded + ' / 100</td></tr>' +
    '</table>' +
    '<h4>Recommendations</h4><ul>' +
    recs.map(function(r){ return '<li>' + r + '</li>'; }).join('') +
    '</ul>';
}
```
#### Formula
Step 1 — Severity Score: SeverityScore = CVSS / 10
Step 2 — Patch Lag Score (log-normalised): PatchLag = log(1 + PatchDays) / log(1 + 365)
Step 3 — Vulnerability Density Score (log-normalised): VulnDensity = log(1 + VulnCount) / log(1 + 500)
Step 4 — Weighted Base Score: BaseScore = (0.35 × SeverityScore) + (0.25 × PatchLag) + (0.20 × VulnDensity) + (0.20 × ExposureNorm) where ExposureNorm = (ExposureFactor − 0.4) / 0.6
Step 5 — Apply Criticality & Mitigation: MitigatedScore = BaseScore × CriticalityMultiplier × AVFactor
Step 6 — Scale to 0–100: RiskScore = clamp((MitigatedScore / 1.25) × 100, 0, 100)
Risk Bands: Low (<20) · Moderate (20–39) · High (40–59) · Critical (60–79) · Severe (≥80)
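
The following is an added example, not code from the original page: it applies Steps 1–6 as a pure function to rank a small inventory and to compute the highest score reachable for a given criticality multiplier and AV/EDR factor. The function names, host names and inventory values are constructed for illustration.

```javascript
// Added example: Steps 1-6 as a pure function (all names here are this example's own).
const WEIGHTS = { severity: 0.35, patchLag: 0.25, vulnDensity: 0.20, exposure: 0.20 };
const round1 = (x) => Math.round(x * 10) / 10;

function riskScore(e) {
  const severity = e.cvss / 10;
  const patchLag = Math.log(1 + e.patchDays) / Math.log(1 + 365);
  const vulnDensity = Math.log(1 + e.vulnCount) / Math.log(1 + 500);
  const exposureNorm = (e.exposure - 0.4) / 0.6; // 0.4..1.0 -> 0..1
  const base = WEIGHTS.severity * severity + WEIGHTS.patchLag * patchLag +
               WEIGHTS.vulnDensity * vulnDensity + WEIGHTS.exposure * exposureNorm;
  const mitigated = base * e.criticality * e.avFactor;
  return Math.min(100, Math.max(0, (mitigated / 1.25) * 100));
}

function riskBand(score) {
  if (score < 20) return 'Low';
  if (score < 40) return 'Moderate';
  if (score < 60) return 'High';
  if (score < 80) return 'Critical';
  return 'Severe';
}

// Highest score reachable for a criticality multiplier and AV/EDR factor,
// i.e. with all four weighted inputs at their maximum (BaseScore = 1).
function scoreCeiling(criticality, avFactor) {
  return round1(riskScore({ cvss: 10, patchDays: 365, vulnCount: 500,
                            exposure: 1.0, criticality, avFactor }));
}

// Score every endpoint and sort highest risk first.
function rankFleet(endpoints) {
  return endpoints
    .map((e) => { const s = riskScore(e); return { host: e.host, score: round1(s), band: riskBand(s) }; })
    .sort((a, b) => b.score - a.score);
}

// Constructed inventory (hypothetical hosts and values).
const fleet = [
  { host: 'web-01', cvss: 9.8, patchDays: 120, vulnCount: 35, exposure: 1.0, criticality: 1.0, avFactor: 0.4 },
  { host: 'hr-laptop-17', cvss: 7.5, patchDays: 30, vulnCount: 12, exposure: 0.4, criticality: 0.5, avFactor: 1.0 },
  { host: 'dc-02', cvss: 8.1, patchDays: 200, vulnCount: 60, exposure: 0.4, criticality: 1.25, avFactor: 0.7 },
];

console.log(rankFleet(fleet));
console.log('ceiling, core infrastructure with up-to-date EDR:', scoreCeiling(1.25, 0.4));
console.log('ceiling, general workstation with no EDR:', scoreCeiling(0.5, 1.0));
```

Because criticality and the AV/EDR factor multiply the whole base score, both ceilings come out at 40: an endpoint with up-to-date EDR, or a low-criticality workstation, cannot score higher however bad its other inputs are. In the constructed inventory this places the internet-facing CVSS 9.8 server with current EDR (27.6) below the internal server with outdated EDR (44.8).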
#### Assumptions & References
- CVSS Base Score sourced from NIST NVD (nvd.nist.gov) or vendor advisories; scores range 0–10 per CVSSv3.1.
- Patch lag uses a logarithmic scale to reflect diminishing marginal risk increase beyond 180 days, consistent with CIS Control 7 (Continuous Vulnerability Management).
- Network exposure factors (0.4 / 0.7 / 1.0) are derived from the CVSS Attack Vector metric mapping (Local → Network).
- Asset criticality multipliers align with NIST SP 800-30 asset valuation tiers.
- AV/EDR mitigation factors reflect empirical detection rate ranges from AV-TEST Institute benchmarks (up-to-date EDR ≈ 60% risk reduction).
- Composite weighting (35/25/20/20) is adapted from the FAIR (Factor Analysis of Information Risk) model, prioritising vulnerability severity and patch currency.