Inherent Risk Score Calculator

Score threats and assets quickly using consistent factors. Adjust weights to match your environment. Generate clear outputs for audits, decisions, and planning teams.

Calculate inherent risk

Choose factors, enter scores, and tune weighting. Use the weighted model for governance, or the multiplicative model for quick triage.

Scores are always 1 (low) to 5 (very high).

Select factors

Only selected factors influence the score. For weighted scoring, weights are normalized across selected factors.


Enter scores (1–5)

Impact is calculated from confidentiality, integrity, availability, and business impact.


Weights (percent)

Used only in the weighted method. Values are normalized across selected factors.


Example data table

Sample inputs and a typical output for quick reference.

| Scenario | Likelihood | Impact (avg) | Exposure | Attack Surface | Score (0–100) | Rating |
|---|---|---|---|---|---|---|
| External API with sensitive data | 4.0 | 3.5 | 5.0 | 4.0 | 78.4 | High |
| Internal tool with limited access | 2.0 | 2.5 | 2.0 | 2.0 | 28.6 | Moderate |

Formula used

1) Derived impact

Impact = (Confidentiality + Integrity + Availability + BusinessImpact) / 4

2) Weighted method

For selected factors, weights are normalized to sum to 1. Raw = Σ(wᵢ × scoreᵢ) where each score is between 1 and 5.

The raw value is mapped to a 0–100 scale: Score = ((Raw − 1) / 4) × 100.

3) Multiplicative method

The core driver uses likelihood and impact: Core = Likelihood × Impact. A modifier is computed from the average of selected factors and scales the core.

4) Rating bands

Low: 0–19.99, Moderate: 20–39.99, Elevated: 40–59.99, High: 60–79.99, Critical: 80–100.
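
The derived impact, weighted method and rating bands above, worked through as an added Python example (not the calculator's own code). The factor names, equal weights and sample scores are assumptions constructed for illustration; the page does not state the calculator's default weights, so the result is not meant to match the sample table.

```python
from bisect import bisect_right

# Rating bands from the page: lower bound of each band on the 0-100 scale.
BAND_FLOORS = [0, 20, 40, 60, 80]
BAND_NAMES = ["Low", "Moderate", "Elevated", "High", "Critical"]

def _check_score(value):
    if not 1 <= value <= 5:
        raise ValueError(f"score {value!r} is outside the 1-5 scale")

def derived_impact(confidentiality, integrity, availability, business_impact):
    """Impact = mean of the four sub-scores, each on the 1-5 scale."""
    subs = (confidentiality, integrity, availability, business_impact)
    for s in subs:
        _check_score(s)
    return sum(subs) / 4

def weighted_score(scores, weights, selected):
    """Normalize weights over the selected factors only, compute
    Raw = sum(w_i * score_i), then map Raw from 1-5 onto 0-100."""
    if not selected:
        raise ValueError("select at least one factor")
    for name in selected:
        _check_score(scores[name])
        if weights[name] < 0:
            raise ValueError(f"negative weight for {name}")
    total = sum(weights[name] for name in selected)
    if total <= 0:
        raise ValueError("selected weights must sum to a positive value")
    raw = sum(weights[n] / total * scores[n] for n in selected)
    return (raw - 1) / 4 * 100

def rating(score):
    """Map a 0-100 score to the page's rating bands."""
    if not 0 <= score <= 100:
        raise ValueError("score must be within 0-100")
    return BAND_NAMES[bisect_right(BAND_FLOORS, score) - 1]

# Constructed input: factor names and equal weights are assumptions.
SCORES = {"likelihood": 4, "impact": derived_impact(4, 3, 4, 3),
          "exposure": 5, "attack_surface": 4}
WEIGHTS = {"likelihood": 25, "impact": 25, "exposure": 25, "attack_surface": 25}

if __name__ == "__main__":
    s = weighted_score(SCORES, WEIGHTS, list(SCORES))
    print(f"{s:.1f} {rating(s)}")
```

Deselecting a factor changes the result even when no weight is edited, because the remaining weights are renormalized to sum to 1.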

How to use this calculator

  1. Enter scenario and asset details for reporting.
  2. Select the factors you want included in scoring.
  3. Score each input from 1 (low) to 5 (very high).
  4. Choose weighted for governance, multiplicative for triage.
  5. Adjust weights to reflect your risk appetite and context.
  6. Submit to view score, rating, and full breakdown.
  7. Download CSV or PDF for audits and stakeholders.

FAQs

What is an inherent risk score?

It estimates risk before considering existing controls. It focuses on threat likelihood, potential impact, and exposure drivers to support prioritization.

How do I choose scores from 1 to 5?

Use consistent definitions across teams. A “1” means minimal likelihood or impact, while “5” means very likely or severe impact with broad operational consequences.

Why is impact calculated from multiple sub-scores?

Security impact is multi-dimensional. Averaging confidentiality, integrity, availability, and business impact reduces blind spots and keeps the score more balanced.

When should I use the weighted method?

Use it for repeatable governance, portfolio comparison, and board reporting. It supports calibrated factor importance through weights and gives stable results.

When is the multiplicative method helpful?

Use it for quick triage and incident-like prioritization. It emphasizes likelihood and impact first, then adjusts with a modifier from selected factors.

Do weights need to sum to 100?

No. For weighted scoring, the calculator normalizes weights across selected factors. This lets you keep your own scale while preserving relative importance.

How should I interpret the rating bands?

The rating summarizes urgency. “High” and “Critical” usually warrant immediate mitigation planning, while “Low” may be accepted or monitored with minimal effort.

Is this the same as residual risk?

No. Residual risk considers control effectiveness and mitigations. Inherent risk is the baseline exposure, useful for deciding where controls are most needed.


Important Note: All the calculators listed on this site are for educational purposes only, and we do not guarantee the accuracy of results. Please consult other sources as well.