Physical Security Risk Assessment Calculator


Quantify physical security risk using the NIST SP 800-30 risk model: Risk = Threat Likelihood × Vulnerability × Asset Value. Scores are normalized to a 0–100 scale.

### Asset Information

Asset Value (1–10)

Rate the importance/criticality of the asset (1 = low, 10 = critical infrastructure).

Asset Exposure Score (1–10)

How accessible or visible the asset is to potential threats (1 = isolated, 10 = fully public).

### Threat Assessment

Threat Likelihood (1–10)

Likelihood that a threat actor will attempt to exploit the asset (1 = rare, 10 = near certain).

Threat Capability (1–10)

Resources and skill level of the threat actor (1 = unskilled, 10 = nation-state level).

### Vulnerability & Controls

Vulnerability Score (1–10)

Degree of weakness in existing physical controls (1 = hardened, 10 = no controls).

Existing Control Effectiveness (0–100%)

How effective current physical security controls are (locks, guards, cameras, fencing, etc.).

### Impact Assessment

Safety Impact (1–10)

Potential harm to personnel if a breach occurs.

Operational Impact (1–10)

Disruption to operations if the asset is compromised.

Financial Impact (1–10)

Estimated financial loss from a successful breach.

Reputational Impact (1–10)

Damage to organizational reputation if the breach becomes public.


```javascript
// Read a numeric input and check that it lies in [min, max]; returns null on failure.
function phyValidate(id, min, max, label) {
  var val = parseFloat(document.getElementById(id).value);
  if (isNaN(val) || val < min || val > max) {
    alert(label + " must be between " + min + " and " + max + ".");
    return null;
  }
  return val;
}

// Map a 0–100 risk score to its level and display colour.
function phyRiskLabel(score) {
  if (score >= 80) return { label: "Critical", color: "#c0392b" };
  if (score >= 60) return { label: "High", color: "#e67e22" };
  if (score >= 40) return { label: "Medium", color: "#f1c40f" };
  if (score >= 20) return { label: "Low", color: "#27ae60" };
  return { label: "Minimal", color: "#2ecc71" };
}

// Map a component score on the 1–10 scale to a level.
// The thresholds parameter is unused; the boundaries below are fixed.
function phyInterpret(score, thresholds) {
  if (score >= 8) return "Critical";
  if (score >= 6) return "High";
  if (score >= 4) return "Medium";
  if (score >= 2) return "Low";
  return "Minimal";
}

function phyCalc() {
  // --- Retrieve & validate inputs ---
  var assetValue       = phyValidate("phy-asset-value", 1, 10, "Asset Value");
  var assetExposure    = phyValidate("phy-asset-exposure", 1, 10, "Asset Exposure Score");
  var threatLikelihood = phyValidate("phy-threat-likelihood", 1, 10, "Threat Likelihood");
  var threatCapability = phyValidate("phy-threat-capability", 1, 10, "Threat Capability");
  var vulnerability    = phyValidate("phy-vulnerability", 1, 10, "Vulnerability Score");
  var controlEff       = phyValidate("phy-control-effectiveness", 0, 100, "Control Effectiveness");
  var impactSafety     = phyValidate("phy-impact-safety", 1, 10, "Safety Impact");
  var impactOps        = phyValidate("phy-impact-operational", 1, 10, "Operational Impact");
  var impactFinancial  = phyValidate("phy-impact-financial", 1, 10, "Financial Impact");
  var impactRep        = phyValidate("phy-impact-reputational", 1, 10, "Reputational Impact");

  if ([assetValue, assetExposure, threatLikelihood, threatCapability, vulnerability,
       controlEff, impactSafety, impactOps, impactFinancial, impactRep]
      .some(v => v === null)) return;

  // --- Composite Threat Score (0–10) ---
  // Weighted: likelihood 60%, capability 40%
  var threatScore = (0.6 * threatLikelihood) + (0.4 * threatCapability);

  // --- Adjusted Vulnerability (0–10) ---
  // Reduce raw vulnerability by control effectiveness
  // controlEff 100% → vulnerability reduced to 0; 0% → no reduction
  var adjVulnerability = vulnerability * (1 - controlEff / 100);

  // --- Composite Asset Score (0–10) ---
  // Weighted: asset value 70%, exposure 30%
  var assetScore = (0.7 * assetValue) + (0.3 * assetExposure);

  // --- Composite Impact Score (0–10) ---
  // Weighted: safety 35%, operational 30%, financial 20%, reputational 15%
  var impactScore = (0.35 * impactSafety) + (0.30 * impactOps) +
                    (0.20 * impactFinancial) + (0.15 * impactRep);

  // --- Core Risk Score (NIST SP 800-30 model) ---
  // Risk = Threat × Vulnerability × Asset Value (each 0–10)
  // Max raw = 10 × 10 × 10 = 1000 → normalize to 0–100
  var rawRisk = threatScore * adjVulnerability * assetScore;
  var normalizedRisk = (rawRisk / 1000) * 100;

  // --- Final Risk Score ---
  // Blend core risk (70%) with impact score normalized (30%)
  // impactScore is 0–10 → scale to 0–100
  var impactNorm = impactScore * 10;
  var finalRisk = (0.70 * normalizedRisk) + (0.30 * impactNorm);
  finalRisk = Math.min(100, Math.max(0, finalRisk));

  // --- Residual Risk after controls ---
  // Residual = Final Risk × (1 - controlEff/100)
  var residualRisk = finalRisk * (1 - controlEff / 100);

  // --- Risk Reduction Potential ---
  var riskReduction = finalRisk - residualRisk;

  // --- Build results table ---
  var rows = [
    ["Composite Threat Score", threatScore.toFixed(2) + " / 10", phyInterpret(threatScore)],
    ["Adjusted Vulnerability", adjVulnerability.toFixed(2) + " / 10", phyInterpret(adjVulnerability)],
    ["Composite Asset Score", assetScore.toFixed(2) + " / 10", phyInterpret(assetScore)],
    ["Composite Impact Score", impactScore.toFixed(2) + " / 10", phyInterpret(impactScore)],
    ["Core Risk (Threat×Vuln×Asset)", normalizedRisk.toFixed(1) + " / 100", phyRiskLabel(normalizedRisk).label],
    ["Final Blended Risk Score", finalRisk.toFixed(1) + " / 100", phyRiskLabel(finalRisk).label],
    ["Residual Risk (post-controls)", residualRisk.toFixed(1) + " / 100", phyRiskLabel(residualRisk).label],
    ["Risk Reduction from Controls", riskReduction.toFixed(1) + " pts", controlEff + "% control effectiveness"],
  ];

  // One table row per result; cells are filled as text, not parsed as HTML.
  var tbody = document.getElementById("phy-result-body");
  tbody.innerHTML = "";
  rows.forEach(function(r) {
    var tr = document.createElement("tr");
    r.forEach(function(cell) {
      var td = document.createElement("td");
      td.textContent = cell;
      tr.appendChild(td);
    });
    tbody.appendChild(tr);
  });

  // --- Gauge ---
  var info = phyRiskLabel(finalRisk);
  var gauge = document.getElementById("phy-risk-gauge");
  gauge.style.background = info.color + "22";
  gauge.style.border = "2px solid " + info.color;
  document.getElementById("phy-risk-score-display").textContent = finalRisk.toFixed(1);
  document.getElementById("phy-risk-score-display").style.color = info.color;
  document.getElementById("phy-risk-label").textContent = info.label + " Risk";
  document.getElementById("phy-risk-label").style.color = info.color;
  var bar = document.getElementById("phy-risk-bar");
  bar.style.width = finalRisk.toFixed(1) + "%";
  bar.style.background = info.color;

  // --- Recommendations ---
  var recs = [];
  if (adjVulnerability > 6) recs.push("🔒 Strengthen physical controls: Install reinforced access control systems, upgrade locks, and add intrusion detection sensors.");
  if (threatLikelihood > 7) recs.push("👁️ Increase surveillance: Deploy CCTV with AI-based anomaly detection and increase security patrol frequency.");
  if (threatCapability > 7) recs.push("🛡️ Harden perimeter: Implement anti-ram barriers, mantraps, and layered access zones to counter sophisticated threats.");
  if (assetExposure > 7) recs.push("📍 Reduce asset exposure: Relocate critical assets to restricted areas, limit public knowledge of asset locations.");
  // A recommendation keyed on controlEff follows here on the page; its threshold and text are missing.
  if (impactSafety > 7) recs.push("🚨 Emergency response plan: Develop and drill physical security incident response procedures to minimize personnel harm.");
  if (impactOps > 7) recs.push("⚙️ Business continuity: Establish redundant operational sites and backup systems to maintain operations during a breach.");
  if (finalRisk >= 60) recs.push("📊 Immediate risk treatment required: Escalate to senior management and initiate a formal risk treatment plan within 30 days.");
  if (residualRisk > 40) recs.push("💡 Invest in additional controls: Current controls are insufficient to reduce residual risk to an acceptable level.");
  if (recs.length === 0) recs.push("✅ Risk is within acceptable range: Continue monitoring and conduct periodic reassessments (at least annually).");

  // Heading plus one list item per recommendation.
  var recDiv = document.getElementById("phy-recommendations");
  recDiv.innerHTML = "";
  var heading = document.createElement("h4");
  heading.textContent = "Recommendations";
  recDiv.appendChild(heading);
  var list = document.createElement("ul");
  recs.forEach(function(r) {
    var li = document.createElement("li");
    li.textContent = r;
    list.appendChild(li);
  });
  recDiv.appendChild(list);

  document.getElementById("phy-result").style.display = "block";
  document.getElementById("phy-result").scrollIntoView({ behavior: "smooth" });
}
```

#### Formulas Used

1. Composite Threat Score (0–10):
   Threat = (0.6 × Threat Likelihood) + (0.4 × Threat Capability)

2. Adjusted Vulnerability (0–10):
   Adj. Vulnerability = Vulnerability × (1 − Control Effectiveness / 100)
   Reflects the residual weakness after existing controls are applied.

3. Composite Asset Score (0–10):
   Asset Score = (0.7 × Asset Value) + (0.3 × Asset Exposure)

4. Composite Impact Score (0–10):
   Impact = (0.35 × Safety) + (0.30 × Operational) + (0.20 × Financial) + (0.15 × Reputational)

5. Core Risk Score (normalized 0–100) — NIST SP 800-30:
   Core Risk = (Threat × Adj. Vulnerability × Asset Score) / 1000 × 100
   Maximum raw value = 10 × 10 × 10 = 1,000 → normalized to 100.

6. Final Blended Risk Score (0–100):
   Final Risk = (0.70 × Core Risk) + (0.30 × Impact Score × 10)
   Blends likelihood-based risk with consequence severity.

7. Residual Risk (0–100):
   Residual Risk = Final Risk × (1 − Control Effectiveness / 100)

Risk Levels: Minimal (0–19) | Low (20–39) | Medium (40–59) | High (60–79) | Critical (80–100)
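
The formulas above as a DOM-free function, swept across control-effectiveness values for one constructed scenario. This is an added example, not the page's own code; `phyScore`, `controlSweep`, the field names and the sample scenario are assumptions of the example. It shows that the 0.30 × Impact × 10 term sets a floor on Final Risk that no control setting lowers, and that Residual Risk applies control effectiveness on top of the reduction already made in Adjusted Vulnerability.

```javascript
// Added example (not the page's code): formulas 1-7 without the DOM.
// Field names are this example's own; controlEff is a percentage (0-100).
function phyScore(s) {
  const threat = 0.6 * s.threatLikelihood + 0.4 * s.threatCapability;
  const adjVuln = s.vulnerability * (1 - s.controlEff / 100);
  const asset = 0.7 * s.assetValue + 0.3 * s.assetExposure;
  const impact = 0.35 * s.safety + 0.30 * s.operational +
                 0.20 * s.financial + 0.15 * s.reputational;
  const core = (threat * adjVuln * asset) / 1000 * 100;
  const impactTerm = 0.30 * impact * 10; // part of Final Risk that controls do not touch
  const finalRisk = Math.min(100, Math.max(0, 0.70 * core + impactTerm));
  const residual = finalRisk * (1 - s.controlEff / 100);
  return { core, impactTerm, finalRisk, residual };
}

// Risk level bands as listed on the page.
function riskLevel(score) {
  if (score >= 80) return "Critical";
  if (score >= 60) return "High";
  if (score >= 40) return "Medium";
  if (score >= 20) return "Low";
  return "Minimal";
}

// Recompute one scenario at each control-effectiveness value.
function controlSweep(scenario, effValues) {
  return effValues.map(function (eff) {
    const r = phyScore(Object.assign({}, scenario, { controlEff: eff }));
    return Object.assign({ eff: eff, level: riskLevel(r.finalRisk) }, r);
  });
}

// Constructed sample scenario (not from the page).
const SAMPLE = {
  threatLikelihood: 7, threatCapability: 5, vulnerability: 8,
  assetValue: 9, assetExposure: 6,
  safety: 6, operational: 8, financial: 7, reputational: 5
};

const sweep = controlSweep(SAMPLE, [0, 50, 100]);
sweep.forEach(function (row) {
  console.log(row.eff + "% controls: core " + row.core.toFixed(1) +
    ", final " + row.finalRisk.toFixed(1) + " (" + row.level + ")" +
    ", residual " + row.residual.toFixed(1) +
    ", impact floor " + row.impactTerm.toFixed(1));
});
```
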
