Calculator inputs
Use the form below to evaluate breach probability, operational effect, and estimated annualized financial exposure.
Example data table
Use these sample scenarios as a benchmark when testing the calculator.
| Scenario | Sector | Records | MFA | Patch days | Encryption | Likelihood | Impact | Risk level |
|---|---|---|---|---|---|---|---|---|
| Regional healthcare portal | Healthcare | 680,000 | 58% | 35 | 74% | 72.4 | 79.3 | Critical |
| Mid-market SaaS platform | SaaS | 250,000 | 72% | 28 | 78% | 58.9 | 63.8 | High |
| Manufacturing supplier network | Manufacturing | 90,000 | 88% | 14 | 90% | 37.6 | 46.1 | Moderate |
Formula used
This calculator normalizes key inputs to a 0 to 100 scale, then blends them with weighted scoring for likelihood, impact, and control effectiveness.
| Metric | Formula |
|---|---|
| Likelihood score | (0.16×Threat) + (0.14×Attack Surface) + (0.10×Third Party) + (0.14×MFA Gap) + (0.12×Patch Score) + (0.10×Phishing) + (0.10×Security Gap) + (0.06×Training Gap) + (0.08×Vendor Score) |
| Impact score | (0.24×Record Scale) + (0.20×Sensitivity) + (0.12×Encryption Gap) + (0.14×Regulatory Exposure) + (0.10×Backup Gap) + (0.10×IR Gap) + (0.10×Revenue Scale) |
| Control strength | 100 − weighted average of security maturity gap, MFA gap, encryption gap, training gap, backup gap, and incident response gap |
| Overall risk score | (0.55×Likelihood Score) + (0.45×Impact Score) |
| Annual breach probability | 0.03 + (Likelihood Score ÷ 100 × 0.72), capped between 3% and 95% |
| Single-incident cost estimate | Records × Cost Per Record × (0.55 + Impact Score ÷ 100) |
| Expected downtime | 0.5 + (Impact Score ÷ 100 × 6) + (Backup Gap ÷ 100 × 4) + (IR Gap ÷ 100 × 3) |
| Annualized breach exposure | (Single-incident cost × Annual breach probability) + Downtime cost |
This is a decision-support model, not an actuarial guarantee. Adjust assumptions to match your environment, sector, and control maturity.
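The formulas above can be checked end to end with the following Python, which is an added example written for this page and not the calculator's own code. It takes the factor values already normalized to 0 to 100 (the page does not say how raw inputs such as 1 to 5 ratings, patch days or record counts are mapped onto that scale), turns coverage percentages into gaps as 100 minus coverage, uses equal weights inside the control-strength average (the page says "weighted average" without giving weights), prices downtime per day (the unit and the "Downtime cost" term are not defined on the page), and assigns risk levels with thresholds of 70/55/35 chosen only so that the three sample rows come out Critical, High and Moderate. All of those choices, and the sample scenario's factor values, are assumptions.

```python
from dataclasses import dataclass

# Weights copied from the page's formula table (each set sums to 1.0).
LIKELIHOOD_WEIGHTS = {
    "threat": 0.16, "attack_surface": 0.14, "third_party": 0.10, "mfa_gap": 0.14,
    "patch_score": 0.12, "phishing": 0.10, "security_gap": 0.10,
    "training_gap": 0.06, "vendor_score": 0.08,
}
IMPACT_WEIGHTS = {
    "record_scale": 0.24, "sensitivity": 0.20, "encryption_gap": 0.12,
    "regulatory_exposure": 0.14, "backup_gap": 0.10, "ir_gap": 0.10,
    "revenue_scale": 0.10,
}
CONTROL_GAPS = ("security_gap", "mfa_gap", "encryption_gap",
                "training_gap", "backup_gap", "ir_gap")


@dataclass
class Scenario:
    # Factor values are already normalized to 0..100 (assumption: the page does not
    # give its normalization). Coverage percentages become gaps as 100 - coverage.
    threat: float
    attack_surface: float
    third_party: float
    mfa_coverage: float
    patch_score: float
    phishing: float
    security_gap: float
    training_coverage: float
    vendor_score: float
    record_scale: float
    sensitivity: float
    encryption_coverage: float
    regulatory_exposure: float
    backup_coverage: float
    ir_gap: float
    revenue_scale: float
    records: int
    cost_per_record: float
    downtime_cost_per_day: float  # assumed: "Downtime cost" is not defined on the page

    def factors(self) -> dict:
        """All named factors, including the derived gap values."""
        vals = dict(vars(self))
        vals["mfa_gap"] = 100 - self.mfa_coverage
        vals["encryption_gap"] = 100 - self.encryption_coverage
        vals["training_gap"] = 100 - self.training_coverage
        vals["backup_gap"] = 100 - self.backup_coverage
        return vals


def clamp(x: float, lo: float, hi: float) -> float:
    return max(lo, min(hi, x))


def weighted(weights: dict, values: dict) -> float:
    return sum(w * values[k] for k, w in weights.items())


def likelihood_score(s: Scenario) -> float:
    return weighted(LIKELIHOOD_WEIGHTS, s.factors())


def impact_score(s: Scenario) -> float:
    return weighted(IMPACT_WEIGHTS, s.factors())


def control_strength(s: Scenario) -> float:
    # Equal weights across the six gaps (assumption; the page gives none).
    f = s.factors()
    return 100 - sum(f[g] for g in CONTROL_GAPS) / len(CONTROL_GAPS)


def overall_risk(likelihood: float, impact: float) -> float:
    return 0.55 * likelihood + 0.45 * impact


def annual_breach_probability(likelihood: float) -> float:
    # Note the upper cap never binds: the uncapped maximum is 0.03 + 0.72 = 0.75.
    return clamp(0.03 + likelihood / 100 * 0.72, 0.03, 0.95)


def single_incident_cost(records: int, cost_per_record: float, impact: float) -> float:
    return records * cost_per_record * (0.55 + impact / 100)


def expected_downtime(impact: float, backup_gap: float, ir_gap: float) -> float:
    return 0.5 + impact / 100 * 6 + backup_gap / 100 * 4 + ir_gap / 100 * 3


def annualized_exposure(incident_cost: float, probability: float, downtime_cost: float) -> float:
    return incident_cost * probability + downtime_cost


def risk_level(overall: float) -> str:
    # Thresholds assumed; chosen to reproduce the page's three sample rows.
    if overall >= 70:
        return "Critical"
    if overall >= 55:
        return "High"
    if overall >= 35:
        return "Moderate"
    return "Low"


def evaluate(s: Scenario) -> dict:
    f = s.factors()
    like, imp = likelihood_score(s), impact_score(s)
    overall = overall_risk(like, imp)
    prob = annual_breach_probability(like)
    cost = single_incident_cost(s.records, s.cost_per_record, imp)
    days = expected_downtime(imp, f["backup_gap"], f["ir_gap"])
    return {
        "likelihood": like, "impact": imp, "control_strength": control_strength(s),
        "overall": overall, "risk_level": risk_level(overall),
        "annual_breach_probability": prob, "single_incident_cost": cost,
        "expected_downtime_days": days,
        "annualized_exposure": annualized_exposure(cost, prob, days * s.downtime_cost_per_day),
    }


# Constructed sample loosely modelled on the page's healthcare row (680,000 records,
# 58% MFA, 74% encryption); the remaining factor values are invented for illustration.
SAMPLE = Scenario(
    threat=80, attack_surface=70, third_party=60, mfa_coverage=58, patch_score=50,
    phishing=30, security_gap=40, training_coverage=60, vendor_score=50,
    record_scale=90, sensitivity=85, encryption_coverage=74, regulatory_exposure=80,
    backup_coverage=70, ir_gap=40, revenue_scale=60,
    records=680_000, cost_per_record=165.0, downtime_cost_per_day=25_000.0,
)

if __name__ == "__main__":
    for k, v in evaluate(SAMPLE).items():
        print(f"{k:>26}: {v:,.3f}" if isinstance(v, float) else f"{k:>26}: {v}")
```

Because every weight and threshold sits in one place, tuning the model for your own organization (FAQ 8) means editing the dictionaries and `risk_level`, then re-running the same scenario to see which driver moved the score.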
How to use this calculator
- Enter organization context, revenue, and the number of records that could be exposed.
- Rate exposure, attack surface, third-party dependence, and maturity on the 1 to 5 scales.
- Add practical coverage percentages for MFA, encryption, training, and backup readiness.
- Enter patch latency, phishing fail rate, incident response maturity, and vendor count.
- Submit the form to see overall risk, likelihood, impact, downtime, and annualized financial exposure.
- Use the CSV and PDF downloads to compare scenarios, document assumptions, and prioritize remediation plans.
Frequently asked questions
1. What does the overall risk score represent?
The overall score combines breach likelihood and business impact on a 0 to 100 scale. It helps prioritize work, compare scenarios, and communicate urgency clearly.
2. Is this calculator a compliance certification tool?
No. It supports internal risk assessment and budgeting decisions. It does not replace legal review, formal audit work, or sector-specific compliance evidence.
3. How often should I update the inputs?
Update them after major architecture changes, new vendor onboarding, mergers, security incidents, or quarterly control reviews. Fast-changing environments benefit from monthly refreshes.
4. What counts as records at risk?
Use the estimated number of individual records that would matter in a meaningful breach. Include customer, employee, patient, or regulated records exposed by the same incident path.
5. Why do MFA and encryption affect the score so much?
They materially reduce breach paths and limit the usefulness of stolen data. Strong coverage lowers both the chance of compromise and the size of the resulting impact.
6. Can I compare multiple business units or scenarios?
Yes. Run the calculator several times with different assumptions, export the outputs, and compare scores, costs, and top drivers side by side.
7. Does a lower score mean I can ignore breach risk?
No. Lower risk still needs maintenance and monitoring. A modest score means your current posture appears stronger, not that the threat disappears.
8. Can the formula be customized for my organization?
Yes. You can tune weights, add variables, or align cost assumptions with your historical incidents, insurance model, or sector-specific loss estimates.