Example data table
Sample scenarios that pair input patterns with the risk level the calculator is expected to report. The table lists four of the eight inputs; approval strength, device trust, geo anomalies, and breakglass events are not shown.
| Scenario | After-hours logins/week | MFA coverage | Monitoring coverage | Privileged sessions | Expected level |
|---|---|---|---|---|---|
| Well controlled | 15 | 95% | 90% | 10% | Low |
| Growing operations | 40 | 80% | 70% | 20% | Moderate |
| Legacy access | 65 | 55% | 55% | 35% | High |
| Weak controls | 90 | 35% | 40% | 55% | Critical |
| Incident response mode | 120 | 70% | 75% | 60% | High |
Formula used
The calculator converts each input into a 0–100 risk component, then applies weights to produce a final 0–100 score.
- After-hours volume = min(100, logins/week ÷ 50 × 100)
- Privileged usage = privileged sessions percent
- MFA gap = 100 − MFA coverage percent
- Monitoring gap = 100 − monitoring coverage percent
- Approval weakness = (5 − strength) ÷ 4 × 100, with strength rated 1 (weakest) to 5 (strongest)
- Device weakness = (5 − trust) ÷ 4 × 100, with trust rated 1 (weakest) to 5 (strongest)
- Geo anomalies = min(100, anomalies/month ÷ 20 × 100)
- Breakglass = min(100, events/month ÷ 10 × 100)
Score = Σ(weightᵢ × componentᵢ), clamped to 0–100.
Levels: Low < 25, Moderate < 50, High < 75, Critical ≥ 75.
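The formula above, carried through in code as an added example; this is not the page's own calculator. The component formulas, clamp and level thresholds are the ones listed above. The page does not publish the weights, so equal weights summing to 1 are assumed (each component can contribute at most 12.5 points), and the 1–5 rating scale for approval strength and device trust is inferred from the (5 − rating) ÷ 4 form. The four inputs the example table omits for the "Well controlled" row are constructed here.

```python
from dataclasses import dataclass

COMPONENTS = (
    "after_hours_volume", "privileged_usage", "mfa_gap", "monitoring_gap",
    "approval_weakness", "device_weakness", "geo_anomalies", "breakglass",
)

# ASSUMPTION: the page does not state its weights. Equal weights summing to 1
# are used so the weighted sum already lands in 0-100 before clamping.
DEFAULT_WEIGHTS = {name: 1.0 / len(COMPONENTS) for name in COMPONENTS}


@dataclass(frozen=True)
class Inputs:
    logins_per_week: float          # after-hours logins per week
    privileged_pct: float           # share of sessions that are privileged, 0-100
    mfa_pct: float                  # MFA coverage on after-hours pathways, 0-100
    monitoring_pct: float           # monitoring coverage, 0-100
    approval_strength: int          # 1 (weakest) .. 5 (strongest); scale assumed
    device_trust: int               # 1 (weakest) .. 5 (strongest); scale assumed
    geo_anomalies_per_month: float
    breakglass_per_month: float

    def validate(self) -> None:
        """Reject out-of-range inputs before they silently distort the score."""
        for name in ("privileged_pct", "mfa_pct", "monitoring_pct"):
            v = getattr(self, name)
            if not 0 <= v <= 100:
                raise ValueError(f"{name} must be 0-100, got {v}")
        for name in ("approval_strength", "device_trust"):
            v = getattr(self, name)
            if v not in (1, 2, 3, 4, 5):
                raise ValueError(f"{name} must be an integer 1-5, got {v}")
        for name in ("logins_per_week", "geo_anomalies_per_month", "breakglass_per_month"):
            if getattr(self, name) < 0:
                raise ValueError(f"{name} cannot be negative")


def components(i: Inputs) -> dict:
    """Map raw inputs to 0-100 risk components using the page's formulas."""
    i.validate()
    return {
        "after_hours_volume": min(100.0, i.logins_per_week * 100 / 50),
        "privileged_usage": float(i.privileged_pct),
        "mfa_gap": 100.0 - i.mfa_pct,
        "monitoring_gap": 100.0 - i.monitoring_pct,
        "approval_weakness": (5 - i.approval_strength) * 100 / 4,
        "device_weakness": (5 - i.device_trust) * 100 / 4,
        "geo_anomalies": min(100.0, i.geo_anomalies_per_month * 100 / 20),
        "breakglass": min(100.0, i.breakglass_per_month * 100 / 10),
    }


def score(i: Inputs, weights=DEFAULT_WEIGHTS) -> float:
    """Weighted sum of components, clamped to 0-100."""
    comps = components(i)
    raw = sum(weights[name] * comps[name] for name in COMPONENTS)
    return max(0.0, min(100.0, raw))


def level(s: float) -> str:
    """Thresholds from the page: Low < 25, Moderate < 50, High < 75, Critical >= 75."""
    if s < 25:
        return "Low"
    if s < 50:
        return "Moderate"
    if s < 75:
        return "High"
    return "Critical"


def top_drivers(i: Inputs, weights=DEFAULT_WEIGHTS, n: int = 3) -> list:
    """Components ranked by weighted contribution; ties broken by name for stable output."""
    comps = components(i)
    contrib = {name: weights[name] * comps[name] for name in COMPONENTS}
    ranked = sorted(contrib.items(), key=lambda kv: (-kv[1], kv[0]))
    return [name for name, _ in ranked[:n]]


# "Well controlled" row of the example table. The table omits approval strength,
# device trust, geo anomalies and breakglass events; the values used here are constructed.
WELL_CONTROLLED = Inputs(15, 10, 95, 90, 5, 5, 2, 1)

if __name__ == "__main__":
    s = score(WELL_CONTROLLED)
    print(f"score={s:.2f} level={level(s)} drivers={top_drivers(WELL_CONTROLLED)}")
```

With the assumed equal weights the "Well controlled" row scores 9.375 (Low) and after-hours volume is its largest driver. Because the weights are an assumption, scores for the other table rows will not necessarily reproduce the page's expected levels; substitute the weights your own calculator uses in `DEFAULT_WEIGHTS`.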
How to use this calculator
- Gather counts from VPN, SSO, admin consoles, and remote tools.
- Estimate privileged session percentage from IAM logs or PAM reports.
- Enter MFA and monitoring coverage for after-hours pathways.
- Rate approvals and device trust based on enforced controls.
- Review the score, top drivers, and recommendations, then remediate.
- Re-run monthly to track improvements and detect control drift.
After-hours access as an attack window
After-hours sessions concentrate risk because staffing is thin and escalations are slower. Track the share of logins occurring outside approved windows, and identify which business services those sessions touch. A sustained increase often correlates with operational debt, ad‑hoc fixes, or unmanaged remote tooling.
Quantifying exposure with activity and privilege ratios
Combine volume and privilege to estimate blast radius. High login volume with low privilege can still be risky if lateral movement is easy. A useful benchmark is privileged sessions below 15% for routine operations, and a documented justification whenever privileged use exceeds 30% during nights or weekends.
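An added example (not the page's own tooling) of the measurement the two sections above call for: the share of logins outside the approved window, the services those sessions touch, and the privileged share both in routine hours and after hours, checked against the 15% and 30% benchmarks. The log format (`timestamp,user,service,role`), the role names treated as privileged, and the approved window (Monday to Friday, 08:00 to 18:00 UTC) are assumptions for the example; the log lines are constructed.

```python
from collections import Counter
from datetime import datetime, time

# ASSUMPTION: roles that count as privileged in the (hypothetical) export format.
PRIVILEGED_ROLES = {"admin", "sudo", "elevated"}

# ASSUMPTION: approved access window, Monday-Friday 08:00-18:00 UTC (end exclusive).
WINDOW_START = time(8, 0)
WINDOW_END = time(18, 0)

# Constructed sample export (not real data): timestamp,user,service,role.
# 2024-03-04 is a Monday; 2024-03-09/10 are a weekend.
SAMPLE_LOG = """\
2024-03-04T02:14:09Z,alice,vpn,user
2024-03-04T09:30:00Z,bob,sso,user
2024-03-04T13:05:00Z,carol,admin-console,admin
2024-03-04T23:45:00Z,carol,admin-console,admin
2024-03-05T03:10:00Z,dave,server,sudo
2024-03-05T10:00:00Z,erin,sso,user
2024-03-05T17:59:00Z,frank,vpn,user
2024-03-09T11:00:00Z,erin,database,elevated
2024-03-10T20:30:00Z,bob,vpn,user
2024-03-06T08:00:00Z,alice,sso,user
"""


def parse_log(text: str) -> list:
    """Parse the constructed CSV-style export into session records."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, service, role = line.split(",")
        sessions.append({
            "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "service": service,
            "role": role,
        })
    return sessions


def is_after_hours(when: datetime) -> bool:
    """Weekend, or a weekday time outside the approved window."""
    if when.weekday() >= 5:
        return True
    return not (WINDOW_START <= when.time() < WINDOW_END)


def privileged_share(group: list) -> float:
    """Percentage of sessions in the group using a privileged role."""
    if not group:
        return 0.0
    return 100.0 * sum(s["role"] in PRIVILEGED_ROLES for s in group) / len(group)


def summarize(sessions: list, routine_limit=15.0, after_hours_limit=30.0) -> dict:
    """After-hours share, services touched, and privileged share vs. the page's benchmarks."""
    after = [s for s in sessions if is_after_hours(s["when"])]
    routine = [s for s in sessions if not is_after_hours(s["when"])]
    return {
        "total": len(sessions),
        "after_hours": len(after),
        "after_hours_share_pct": 100.0 * len(after) / len(sessions) if sessions else 0.0,
        "privileged_pct": privileged_share(sessions),        # calculator input
        "routine_privileged_pct": privileged_share(routine),
        "after_hours_privileged_pct": privileged_share(after),
        "after_hours_services": Counter(s["service"] for s in after),
        "routine_over_benchmark": privileged_share(routine) > routine_limit,
        "after_hours_needs_justification": privileged_share(after) > after_hours_limit,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample, half the sessions fall after hours and 60% of those are privileged, so the weekend/night benchmark is exceeded and a documented justification would be required; the overall `privileged_pct` is the figure to enter as the calculator's privileged-session percentage.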
Control effectiveness indicators to track
Two indicators drive rapid improvement: MFA coverage and monitoring coverage. Treat any gap in these as compounded risk. Aim for 95%+ MFA on remote and administrative paths, and collect logs for identity, endpoint, network, and key applications with retention suitable for investigations. Review approval strength and device trust as enforced controls, not policy statements.
Include anomaly rates: geo anomalies per month, new device sign-ins, and breakglass usage. Many teams target fewer than five geo anomalies monthly after tuning, and require a post-use review for every breakglass event within 24 hours. If monitoring coverage is below 70%, assume missed detections and raise incident response readiness. Correlate spikes with change windows and vendor maintenance to separate justified access from misuse.
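An added example, not from the page, of the breakglass follow-up described above: flag every use whose post-use review missed the 24-hour deadline (or has no review yet once 24 hours have passed), and count uses per month to feed the calculator's breakglass input. The event records, the account names and the review timestamps are constructed; the `(account, used_at, reviewed_at)` shape is an assumption.

```python
from collections import Counter
from datetime import datetime, timedelta

REVIEW_SLA = timedelta(hours=24)   # post-use review deadline from the text

# Constructed events (not real data): (account, used_at, reviewed_at or None), UTC.
SAMPLE_EVENTS = [
    ("bg-admin-1", "2024-03-02T01:10:00Z", "2024-03-02T09:00:00Z"),   # reviewed in ~8h
    ("bg-admin-1", "2024-03-11T22:30:00Z", "2024-03-13T08:15:00Z"),   # reviewed after ~34h
    ("bg-dba-1",   "2024-03-20T03:00:00Z", None),                     # never reviewed
    ("bg-admin-1", "2024-02-27T19:45:00Z", "2024-02-28T10:00:00Z"),   # reviewed in ~14h
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def overdue_reviews(events: list, now: datetime) -> list:
    """Events reviewed later than the SLA, or still unreviewed once the SLA has elapsed."""
    overdue = []
    for account, used, reviewed in events:
        used_at = parse_ts(used)
        if reviewed is None:
            if now - used_at > REVIEW_SLA:
                overdue.append((account, used, None))
        elif parse_ts(reviewed) - used_at > REVIEW_SLA:
            overdue.append((account, used, reviewed))
    return overdue


def events_per_month(events: list) -> Counter:
    """Breakglass uses per calendar month (YYYY-MM), the calculator's events/month input."""
    return Counter(used[:7] for _, used, _ in events)


if __name__ == "__main__":
    now = parse_ts("2024-03-25T00:00:00Z")
    for account, used, reviewed in overdue_reviews(SAMPLE_EVENTS, now):
        print(f"overdue review: {account} used {used}, reviewed {reviewed or 'never'}")
    print(dict(events_per_month(SAMPLE_EVENTS)))
```

Two of the four constructed events miss the review deadline. March shows three uses, which the page's formula turns into a breakglass component of min(100, 3 ÷ 10 × 100) = 30.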
Interpreting the score for decision-making
A low score supports periodic review and trend monitoring. Moderate scores indicate control gaps that can be closed within a sprint. High scores suggest elevated likelihood of credential misuse, persistence, and privilege escalation. Critical scores justify immediate containment steps, such as limiting access hours, enforcing step‑up authentication, and tightening just‑in‑time elevation.
Operationalizing improvements and continuous review
Use the top drivers to create a remediation backlog with owners and dates. Measure progress by reducing after-hours volume, shrinking privileged share, and increasing MFA and monitoring coverage. Validate changes with tabletop testing and post‑change sampling. Recalculate monthly, and log score changes in the risk register to demonstrate measurable control maturity. Document exceptions, then retire them with automation and stronger access hygiene.
FAQs
What counts as after-hours access?
Any login outside your approved window, including nights, weekends, and holidays, for VPN, SSO, admin consoles, servers, databases, and key SaaS tools.
How should I estimate privileged session percentage?
Use IAM or PAM logs to count sessions with admin roles, sudo, or elevated tokens. If data is limited, sample a week of logs and apply the ratio to the month.
Why do MFA and monitoring gaps increase risk so much?
Attackers rely on weak authentication and blind spots. Missing MFA enables credential reuse, while missing logs delay detection, reduce evidence quality, and expand the time window for persistence.
What is “breakglass” and why is it risky?
Breakglass accounts bypass normal controls for emergencies. Their power makes them attractive targets, so require strong rotation, tight storage, time-bound use, and rapid post-use reviews.
How often should we re-run the calculator?
Run monthly for governance, and after major changes like new remote tools, acquisitions, identity migrations, or incidents. Trend direction is often more informative than a single point score.
Can this replace a formal security risk assessment?
No. It helps prioritize controls and track maturity. Use it alongside asset criticality, threat modeling, and audit requirements for a complete assessment and risk acceptance process.