Physical Security Risk Assessment Calculator
Quantify physical security risk using the NIST SP 800-30 risk model: Risk = Threat Likelihood × Vulnerability × Asset Value. Scores are normalized to a 0–100 scale.
Asset Information
Asset Value: Rate the importance/criticality of the asset (1 = low, 10 = critical infrastructure).
Asset Exposure: How accessible or visible is the asset to potential threats (1 = isolated, 10 = fully public).
Threat Assessment
Threat Likelihood: Likelihood that a threat actor will attempt to exploit the asset (1 = rare, 10 = near certain).
Threat Capability: Resources and skill level of the threat actor (1 = unskilled, 10 = nation-state level).
Vulnerability & Controls
Vulnerability: Degree of weakness in existing physical controls (1 = hardened, 10 = no controls).
Control Effectiveness: How effective are current physical security controls (locks, guards, cameras, fencing, etc.).
Impact Assessment
Safety: Potential harm to personnel if a breach occurs.
Operational: Disruption to operations if the asset is compromised.
Financial: Estimated financial loss from a successful breach.
Reputational: Damage to organizational reputation if the breach becomes public.
Formulas Used
1. Composite Threat Score (0–10):
Threat = (0.6 × Threat Likelihood) + (0.4 × Threat Capability)
2. Adjusted Vulnerability (0–10):
Adj. Vulnerability = Vulnerability × (1 − Control Effectiveness / 100)
Reflects the residual weakness after existing controls are applied.
3. Composite Asset Score (0–10):
Asset Score = (0.7 × Asset Value) + (0.3 × Asset Exposure)
4. Composite Impact Score (0–10):
Impact = (0.35 × Safety) + (0.30 × Operational) + (0.20 × Financial) + (0.15 × Reputational)
5. Core Risk Score (normalized 0–100) — NIST SP 800-30:
Core Risk = (Threat × Adj. Vulnerability × Asset Score) / 1000 × 100
Maximum raw value = 10 × 10 × 10 = 1,000 → normalized to 100.
6. Final Blended Risk Score (0–100):
Final Risk = (0.70 × Core Risk) + (0.30 × Impact Score × 10)
Blends likelihood-based risk with consequence severity.
7. Residual Risk (0–100):
Residual Risk = Final Risk × (1 − Control Effectiveness / 100)
Risk Levels: Minimal (0–19) | Low (20–39) | Medium (40–59) | High (60–79) | Critical (80–100)
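The seven formulas above, implemented in Python as an added example (not code from the calculator itself) so the arithmetic and the risk bands can be checked against the tool. It assumes the 1–10 form inputs and that Control Effectiveness is entered as a percentage (0–100), which the "/ 100" in steps 2 and 7 implies; the sample site values are constructed.

```python
# Added example: the seven calculator formulas, with input validation.
# Assumes 1-10 ordinal inputs and Control Effectiveness as a 0-100 percentage.
from dataclasses import dataclass


@dataclass
class Inputs:
    asset_value: float            # 1-10, criticality of the asset
    asset_exposure: float         # 1-10, accessibility / visibility
    threat_likelihood: float      # 1-10
    threat_capability: float      # 1-10
    vulnerability: float          # 1-10, weakness of physical controls
    control_effectiveness: float  # 0-100 percent (assumed scale)
    safety: float                 # 1-10 impact ratings
    operational: float
    financial: float
    reputational: float

    def validate(self) -> None:
        for name, val in vars(self).items():
            lo, hi = (0, 100) if name == "control_effectiveness" else (1, 10)
            if not lo <= val <= hi:
                raise ValueError(f"{name}={val} outside {lo}-{hi}")


def risk_level(score: float) -> str:
    """Map a 0-100 score to the page's five bands (Minimal .. Critical)."""
    if score < 20: return "Minimal"
    if score < 40: return "Low"
    if score < 60: return "Medium"
    if score < 80: return "High"
    return "Critical"


def assess(i: Inputs) -> dict:
    i.validate()
    ctrl = 1 - i.control_effectiveness / 100                          # residual factor
    threat = 0.6 * i.threat_likelihood + 0.4 * i.threat_capability    # 1. composite threat
    adj_vuln = i.vulnerability * ctrl                                  # 2. adjusted vulnerability
    asset = 0.7 * i.asset_value + 0.3 * i.asset_exposure               # 3. composite asset
    impact = (0.35 * i.safety + 0.30 * i.operational
              + 0.20 * i.financial + 0.15 * i.reputational)            # 4. composite impact
    core = threat * adj_vuln * asset / 1000 * 100                      # 5. core risk, 0-100
    final = 0.70 * core + 0.30 * impact * 10                           # 6. blended risk
    residual = final * ctrl                                            # 7. residual risk
    return {"core": round(core, 2), "final": round(final, 2),
            "residual": round(residual, 2),
            "final_level": risk_level(final), "residual_level": risk_level(residual)}


# Constructed sample: high-value, moderately exposed asset, 40% effective controls
SAMPLE = Inputs(8, 6, 7, 5, 6, 40, 8, 7, 5, 6)
print(assess(SAMPLE))
```

Note that Control Effectiveness enters both step 2 and step 7, so the residual score discounts controls twice relative to the core score; keep that in mind when comparing Final and Residual figures.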
Assumptions & References
- Risk model based on NIST SP 800-30 Rev. 1: "Guide for Conducting Risk Assessments" (2012).
- Impact weighting (safety 35%, operational 30%, financial 20%, reputational 15%) follows ISO/IEC 27005:2022 risk treatment guidance adapted for physical security contexts.
- Threat scoring methodology aligns with ASIS International Physical Security Professional (PSP) standards.
- Control effectiveness is assumed to linearly reduce vulnerability; in practice, control effectiveness may be non-linear and should be validated through penetration testing.
- All input scores (1–10) are ordinal ratings assigned by a qualified security assessor based on site surveys, historical incident data, and threat intelligence.
- The calculator assumes a single asset assessment; multi-asset environments should aggregate individual scores weighted by asset criticality.
- Scores do not account for cascading failures, insider threats, or cyber-physical attack vectors unless explicitly included in the threat and vulnerability ratings.
- Reassessment is recommended after any significant change to the physical environment, threat landscape, or control posture, and at minimum annually per NIST CSF 2.0.