Phishing Exposure Risk Calculator
Estimates your organization's annualized phishing risk exposure (in USD) based on workforce size, email volume, click-through rates, incident response costs, and existing security controls.
Number of Employees
Phishing Emails Received Per Employee Per Day
Baseline Employee Click Rate (% without training)
Security Awareness Training Click Reduction (%)
Email Filter Catch Rate (% of phishing emails blocked)
Credential Compromise Rate per Click (% of clicks leading to compromise)
Average Cost per Phishing Incident (USD)
Working Days Per Year
```javascript
function phiCalc() {
  // --- Grab inputs ---
  var employees = parseFloat(document.getElementById('phi-employees').value);
  var emailsPerDay = parseFloat(document.getElementById('phi-emails-per-day').value);
  var clickRatePct = parseFloat(document.getElementById('phi-click-rate').value);
  var trainingRedPct = parseFloat(document.getElementById('phi-training-reduction').value);
  var filterRatePct = parseFloat(document.getElementById('phi-filter-rate').value);
  var compromiseRatePct = parseFloat(document.getElementById('phi-compromise-rate').value);
  var incidentCost = parseFloat(document.getElementById('phi-incident-cost').value);
  var workingDays = parseFloat(document.getElementById('phi-working-days').value);

  var resultDiv = document.getElementById('phi-result');

  // --- Validation ---
  // The employees, emails-per-day and incident-cost checks are cut off on this
  // page; their bounds and messages below are reconstructed, not original.
  var errors = [];
  if (isNaN(employees) || employees < 1) errors.push("Number of employees must be at least 1.");
  if (isNaN(emailsPerDay) || emailsPerDay < 0) errors.push("Emails per day must be 0 or greater.");
  if (isNaN(clickRatePct) || clickRatePct < 0 || clickRatePct > 100) errors.push("Click rate must be between 0 and 100.");
  if (isNaN(trainingRedPct) || trainingRedPct < 0 || trainingRedPct > 100) errors.push("Training reduction must be between 0 and 100.");
  if (isNaN(filterRatePct) || filterRatePct < 0 || filterRatePct > 100) errors.push("Filter catch rate must be between 0 and 100.");
  if (isNaN(compromiseRatePct) || compromiseRatePct < 0 || compromiseRatePct > 100) errors.push("Compromise rate must be between 0 and 100.");
  if (isNaN(incidentCost) || incidentCost < 0) errors.push("Incident cost must be 0 or greater.");
  if (isNaN(workingDays) || workingDays < 1 || workingDays > 365) errors.push("Working days must be between 1 and 365.");

  // HTML tags inside the output strings were stripped on this page;
  // plain list and table markup is assumed here and below.
  if (errors.length > 0) {
    resultDiv.style.display = 'block';
    resultDiv.innerHTML = '<strong>Please fix the following:</strong><ul>' +
      errors.map(function (e) { return '<li>' + e + '</li>'; }).join('') + '</ul>';
    return;
  }

  // --- Core Formula ---
  // Step 1: Total phishing emails reaching inboxes per year (after filter)
  // emails_in_inbox = employees × emailsPerDay × workingDays × (1 - filterRate)
  var filterRate = filterRatePct / 100;
  var emailsInInbox = employees * emailsPerDay * workingDays * (1 - filterRate);

  // Step 2: Effective click rate after training reduction
  // effectiveClickRate = baselineClickRate × (1 - trainingReduction)
  var baselineClickRate = clickRatePct / 100;
  var trainingReduction = trainingRedPct / 100;
  var effectiveClickRate = baselineClickRate * (1 - trainingReduction);

  // Step 3: Expected number of clicks per year
  // totalClicks = emailsInInbox × effectiveClickRate
  var totalClicks = emailsInInbox * effectiveClickRate;

  // Step 4: Expected number of compromises per year
  // totalCompromises = totalClicks × compromiseRate
  var compromiseRate = compromiseRatePct / 100;
  var totalCompromises = totalClicks * compromiseRate;

  // Step 5: Annualized Loss Expectancy (ALE)
  // ALE = totalCompromises × incidentCost
  var ale = totalCompromises * incidentCost;

  // Step 6: Risk per employee
  var alePerEmployee = ale / employees;

  // Step 7: Probability that at least one incident occurs this year
  // P(at least 1) = 1 - (1 - compromiseRate × effectiveClickRate × (1-filterRate) × emailsPerDay × workingDays / employees)^employees
  // Simplified: P(≥1 incident) = 1 - e^(-totalCompromises)  [Poisson approximation]
  var probAtLeastOne = 1 - Math.exp(-totalCompromises);
  if (probAtLeastOne > 1) probAtLeastOne = 1;

  // --- Risk Level ---
  // The ALE thresholds that select riskLevel and riskColor are cut off on this
  // page (the text breaks after "if (ale"), so no level is assigned here.
  var riskLevel = 'Not classified', riskColor;

  // Formatting helpers: the originals are not on the page; these are stand-ins.
  function fmt(n) { return n.toLocaleString('en-US', { maximumFractionDigits: 1 }); }
  function fmtPct(r) { return (r * 100).toFixed(2) + '%'; }
  function fmtUSD(n) { return '$' + n.toLocaleString('en-US', { maximumFractionDigits: 0 }); }

  // --- Output ---
  resultDiv.style.display = 'block';
  resultDiv.innerHTML = '<table>' +
    '<tr><td>Phishing Emails Reaching Inboxes / Year</td><td>' + fmt(emailsInInbox) + '</td></tr>' +
    '<tr><td>Effective Employee Click Rate</td><td>' + fmtPct(effectiveClickRate) + '</td></tr>' +
    '<tr><td>Expected Clicks / Year</td><td>' + fmt(totalClicks) + '</td></tr>' +
    '<tr><td>Expected Compromises / Year</td><td>' + fmt(totalCompromises) + '</td></tr>' +
    '<tr><td>Probability of ≥1 Incident This Year</td><td>' + fmtPct(probAtLeastOne) + '</td></tr>' +
    '<tr><td>Annualized Loss Expectancy (ALE)</td><td>' + fmtUSD(ale) + '</td></tr>' +
    '<tr><td>ALE per Employee</td><td>' + fmtUSD(alePerEmployee) + '</td></tr>' +
    '<tr><td>Risk Level</td><td>' + riskLevel + '</td></tr>' +
    '</table>';
}
```
#### Formula
Step 1 — Emails reaching inboxes per year: Emails_in_Inbox = Employees × Emails_Per_Day × Working_Days × (1 − Filter_Rate)
Step 2 — Effective click rate after training: Effective_Click_Rate = Baseline_Click_Rate × (1 − Training_Reduction)
Step 3 — Expected clicks per year: Total_Clicks = Emails_in_Inbox × Effective_Click_Rate
Step 4 — Expected compromises per year: Total_Compromises = Total_Clicks × Compromise_Rate
Step 5 — Annualized Loss Expectancy (ALE): ALE = Total_Compromises × Cost_Per_Incident
Step 6 — Probability of at least one incident (Poisson approximation): P(≥1 incident) = 1 − e^(−Total_Compromises)
#### Assumptions & References
- The Poisson approximation P(≥1) = 1 − e^(−λ) is appropriate when individual incident probabilities are small and events are independent.
- ALE is a standard metric from NIST SP 800-30 risk assessment methodology: ALE = ARO × SLE, where ARO is the annual rate of occurrence and SLE is the single loss expectancy.
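The Poisson assumption above can be checked against the exact result for independent emails, and the same model shows how much ALE each control point removes. This is an added example, not the calculator's own code; the function names and both input sets are constructed for illustration.

```javascript
// Added example, not the calculator's own code. Rates are fractions (0..1).
function phishingModel(p) {
  // Phishing emails that pass the filter in a year; each one is a trial.
  const trials = p.employees * p.emailsPerDay * p.workingDays * (1 - p.filterRate);
  // Chance that one delivered email ends in a compromise.
  const perEmail = p.clickRate * (1 - p.trainingReduction) * p.compromiseRate;
  const lambda = trials * perEmail; // Total_Compromises (Step 4)
  // Exact P(>=1) for independent trials: 1 - (1 - perEmail)^trials, written
  // with log1p/expm1 so very small probabilities do not round away.
  const pExact = trials === 0 ? 0 : -Math.expm1(trials * Math.log1p(-perEmail));
  return {
    trials, perEmail, lambda, pExact,
    ale: lambda * p.incidentCost,   // Step 5
    pPoisson: -Math.expm1(-lambda)  // Step 6: 1 - e^(-lambda)
  };
}

// Fraction of ALE removed by raising one control (a key of p) by delta.
function aleSavingFraction(p, control, delta) {
  const before = phishingModel(p).ale;
  const after = phishingModel({ ...p, [control]: p[control] + delta }).ale;
  return before === 0 ? 0 : (before - after) / before;
}

// Constructed inputs: a 10-person office with small per-email probabilities.
const smallOffice = {
  employees: 10, emailsPerDay: 1, workingDays: 250, filterRate: 0.9,
  clickRate: 0.1, trainingReduction: 0.5, compromiseRate: 0.2, incidentCost: 1000
};
// Constructed worst case: one email, certain click, certain compromise.
const certainHit = {
  employees: 1, emailsPerDay: 1, workingDays: 1, filterRate: 0,
  clickRate: 1, trainingReduction: 0, compromiseRate: 1, incidentCost: 1000
};

for (const [name, p] of [['small office', smallOffice], ['certain hit', certainHit]]) {
  const m = phishingModel(p);
  console.log(name, 'lambda', m.lambda.toFixed(2),
    'poisson', m.pPoisson.toFixed(4), 'exact', m.pExact.toFixed(4));
}
console.log('+1 point filter  ', aleSavingFraction(smallOffice, 'filterRate', 0.01).toFixed(3));
console.log('+1 point training', aleSavingFraction(smallOffice, 'trainingReduction', 0.01).toFixed(3));
```

Because ALE is linear in (1 − Filter_Rate) and (1 − Training_Reduction), one extra point on a control removes 0.01 / (1 − control) of the ALE, so the control that is already strongest yields the largest relative saving per point.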