Privileged Access Risk Score Calculator
Calculates a composite Privileged Access Risk Score (PARS) on a 0–100 scale by weighting account exposure, access breadth, authentication controls, and behavioral activity factors. Higher scores indicate greater risk requiring immediate remediation.
---
Formula
PARS = 0.30 × C1 + 0.25 × C2 + 0.25 × C3 + 0.20 × C4
Where each component is scaled 0–100:
- C1 — Account Exposure: [(Shared Accounts / Total Accounts) + (Dormant Accounts / Total Accounts)] / 2 × 100
- C2 — Access Breadth: (Systems Accessible / Total Critical Systems) × 100
- C3 — Authentication Control Gap: [(1 − MFA Coverage%) + (1 − PAM Coverage%)] / 2 × 100
- C4 — Behavioral Activity: [(Off-Hours Logins / Total Logins) + min(Failed Logins / Total Logins, 1)] / 2 × 100
Risk Bands: 0–24 Low | 25–49 Moderate | 50–74 High | 75–100 Critical
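The formula and banding above as a runnable calculator, added here as an example rather than code from the original calculator. The field names and the constructed sample figures are assumptions; MFA/PAM coverage is taken as a fraction (0.0–1.0), an empty denominator contributes no risk, and band edges are applied as score < 25 / < 50 / < 75.

```python
from dataclasses import dataclass
WEIGHTS = {"C1": 0.30, "C2": 0.25, "C3": 0.25, "C4": 0.20}  # weights from the PARS formula

@dataclass
class PrivilegedAccessMetrics:
    """Raw inventory and log counts for one scoring period (field names are assumptions)."""
    total_accounts: int
    shared_accounts: int
    dormant_accounts: int        # no activity for 90+ days
    systems_accessible: int
    total_critical_systems: int
    mfa_coverage: float          # fraction of privileged accounts behind MFA, 0.0-1.0
    pam_coverage: float          # fraction vaulted/brokered by PAM tooling, 0.0-1.0
    total_logins: int
    off_hours_logins: int
    failed_logins: int

def _ratio(numerator: int, denominator: int) -> float:
    """Safe division: an empty denominator (no accounts, no logins) contributes no risk."""
    return numerator / denominator if denominator else 0.0

def account_exposure(m: PrivilegedAccessMetrics) -> float:
    """C1: mean of the shared-account and dormant-account ratios, scaled to 0-100."""
    return round((_ratio(m.shared_accounts, m.total_accounts)
                  + _ratio(m.dormant_accounts, m.total_accounts)) / 2 * 100, 2)

def access_breadth(m: PrivilegedAccessMetrics) -> float:
    """C2: share of critical systems reachable with privileged access."""
    return round(_ratio(m.systems_accessible, m.total_critical_systems) * 100, 2)

def auth_control_gap(m: PrivilegedAccessMetrics) -> float:
    """C3: mean of the uncovered MFA and PAM fractions (coverage clamped to 0-1)."""
    mfa_gap = 1 - min(max(m.mfa_coverage, 0.0), 1.0)
    pam_gap = 1 - min(max(m.pam_coverage, 0.0), 1.0)
    return round((mfa_gap + pam_gap) / 2 * 100, 2)

def behavioral_activity(m: PrivilegedAccessMetrics) -> float:
    """C4: off-hours ratio plus failed-login ratio, the latter capped at 1 for brute-force bursts."""
    failed = min(_ratio(m.failed_logins, m.total_logins), 1.0)
    return round((_ratio(m.off_hours_logins, m.total_logins) + failed) / 2 * 100, 2)

def pars(m: PrivilegedAccessMetrics) -> float:
    """Composite 0-100 PARS using the 30/25/25/20 weights."""
    return round(WEIGHTS["C1"] * account_exposure(m) + WEIGHTS["C2"] * access_breadth(m)
                 + WEIGHTS["C3"] * auth_control_gap(m) + WEIGHTS["C4"] * behavioral_activity(m), 1)

def risk_band(score: float) -> str:
    """Low/Moderate/High/Critical with band edges at 25, 50 and 75."""
    return "Low" if score < 25 else "Moderate" if score < 50 else "High" if score < 75 else "Critical"

# Constructed sample: 40 accounts (6 shared, 10 dormant), 30/50 critical systems, 70% MFA, 50% PAM, 1000 logins.
SAMPLE = PrivilegedAccessMetrics(40, 6, 10, 30, 50, 0.70, 0.50, 1000, 150, 2500)
```

For the sample, C1=20, C2=60, C3=40 and C4=57.5 (the 2500 failures against 1000 logins are capped at a ratio of 1), giving PARS 42.5 in the Moderate band.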
Assumptions & References
- Dormancy threshold is set at 90 days of inactivity, consistent with CIS Control 5 and NIST SP 800-53 AC-2.
- Shared/generic accounts are treated as high-risk because they prevent individual accountability (ISO/IEC 27001:2022 A.5.16).
- MFA is weighted equally with PAM tooling coverage; both are Tier-1 controls per CISA's Zero Trust Maturity Model.
- Off-hours logins are a recognized behavioral indicator of insider threat and credential misuse (UEBA frameworks, MITRE ATT&CK T1078).
- Failed login rate is capped at 100% to handle burst brute-force scenarios without distorting the composite score.
- Component weights (30/25/25/20) reflect the relative impact ordering from Gartner's PAM risk guidance and the NIST Cybersecurity Framework PR.AC-4 / DE.CM-3 controls.
- PARS is an internal risk-prioritization metric, not a compliance certification. Scores should be reviewed quarterly or after significant infrastructure changes.
- References: NIST SP 800-53 Rev 5 (AC-2, AC-6, IA-2), CIS Controls v8 (Control 5 & 6), CISA Zero Trust Maturity Model v2, MITRE ATT&CK Enterprise (T1078 Valid Accounts).