Measure attacker strength and weakness clearly. Balance technical damage against business consequences using structured scoring. Prioritize remediation using evidence-backed ratings across every assessment cycle.
Use values from 0 to 9. Higher numbers mean stronger attack conditions, weaker controls, or larger consequences.
| Scenario | Threat Agent Avg | Vulnerability Avg | Likelihood | Technical Impact Avg | Business Impact Avg | Chosen Impact | Severity |
|---|---|---|---|---|---|---|---|
| Public SQL injection on customer portal | 7.50 | 8.00 | 7.75 | 7.00 | 8.25 | 8.25 | Critical |
| Admin panel brute-force with MFA fallback | 5.50 | 4.50 | 5.00 | 4.25 | 4.75 | 4.75 | Medium |
| Internal file exposure with narrow data scope | 3.25 | 3.75 | 3.50 | 2.50 | 3.00 | 3.00 | Medium |
This calculator follows the OWASP-style scoring approach by rating four threat agent factors, four vulnerability factors, four technical impact factors, and four business impact factors on a 0–9 scale.
| Quantity | Formula |
|---|---|
| Threat Agent Average | (Skill Level + Motive + Opportunity + Size) / 4 |
| Vulnerability Average | (Ease of Discovery + Ease of Exploit + Awareness + Intrusion Detection) / 4 |
| Likelihood Score | (Threat Agent Average + Vulnerability Average) / 2 |
| Technical Impact Average | (Confidentiality + Integrity + Availability + Accountability) / 4 |
| Business Impact Average | (Financial Damage + Reputation Damage + Non-Compliance + Privacy Violation) / 4 |
| Chosen Impact Score | MAX(Technical Impact Average, Business Impact Average) |
| Overall Score | (Likelihood Score + Chosen Impact Score) / 2 |
The final severity comes from a likelihood-versus-impact matrix. Using the higher impact side makes the result conservative and practical for triage.
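The formulas and matrix above, worked through in code. This is an added example, not the calculator's own implementation; the three likelihood and impact bands (0 to under 3 LOW, 3 to under 6 MEDIUM, 6 to 9 HIGH) and the matrix cells are assumed from the OWASP Risk Rating Methodology, since the page does not list them, and the factor values are constructed to reproduce the "Public SQL injection on customer portal" row of the scenario table.

```python
from statistics import mean

# Band edges assumed from the OWASP Risk Rating Methodology (not stated on this page):
# 0 <= x < 3 is LOW, 3 <= x < 6 is MEDIUM, 6 <= x <= 9 is HIGH.
def band(score: float) -> str:
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"

# Likelihood-versus-impact matrix, keyed by (impact band, likelihood band).
SEVERITY = {
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
}

def check_factors(factors: dict) -> None:
    # The page uses whole-number selections from 0 to 9; reject anything else.
    if len(factors) != 4:
        raise ValueError("each factor group has exactly four factors")
    for name, value in factors.items():
        if not isinstance(value, int) or not 0 <= value <= 9:
            raise ValueError(f"{name} must be a whole number from 0 to 9, got {value!r}")

def rate(threat_agent: dict, vulnerability: dict, technical: dict, business: dict) -> dict:
    for group in (threat_agent, vulnerability, technical, business):
        check_factors(group)
    ta, vuln = mean(threat_agent.values()), mean(vulnerability.values())
    likelihood = (ta + vuln) / 2
    tech, biz = mean(technical.values()), mean(business.values())
    chosen = max(tech, biz)  # the larger impact side keeps the rating conservative
    return {
        "threat_agent_avg": ta, "vulnerability_avg": vuln, "likelihood": likelihood,
        "technical_avg": tech, "business_avg": biz, "chosen_impact": chosen,
        "overall": (likelihood + chosen) / 2,
        "severity": SEVERITY[(band(chosen), band(likelihood))],
    }

# Constructed factor values that reproduce the "Public SQL injection on customer portal" row.
SQLI_PORTAL = dict(
    threat_agent={"skill_level": 9, "motive": 9, "opportunity": 7, "size": 5},
    vulnerability={"ease_of_discovery": 9, "ease_of_exploit": 9, "awareness": 6, "intrusion_detection": 8},
    technical={"confidentiality": 7, "integrity": 7, "availability": 7, "accountability": 7},
    business={"financial_damage": 9, "reputation_damage": 9, "non_compliance": 8, "privacy_violation": 7},
)

if __name__ == "__main__":
    for key, value in rate(**SQLI_PORTAL).items():
        print(f"{key:>18}: {value}")
```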
The calculator estimates application or system risk by scoring attacker capability, weakness exposure, technical damage, and business consequences. The output helps compare risks consistently across assessments.
A 0–9 range gives enough separation between weak, moderate, and severe conditions. It supports more nuance than small scales while staying easy to review quickly.
Security teams often choose the larger of technical and business impact to avoid understating serious risk. This keeps decisions conservative when either side alone is severe.
This version uses whole-number selections for faster reviews and cleaner comparisons. If you prefer decimals, the same formulas can be extended with number fields later.
No. The overall score is a numeric summary. Severity comes from the likelihood-impact matrix, which reflects how OWASP-style ratings are commonly communicated to stakeholders.
A critical result appears when both likelihood and chosen impact land in the high band. That combination suggests urgent remediation, containment, or compensating controls.
Yes. Technical teams usually rate exploitability and technical damage better, while business owners judge financial, legal, privacy, and brand consequences more accurately.
Document the assumptions, attach evidence, assign owners, and rank the issue beside other findings. Recalculate after controls change so the residual risk is visible.