Example Data Table
Use this example to understand how the modeled fields can be documented during a removable media assessment.
| Scenario | Device Type | Monthly Transfers | Data Sensitivity | Encryption | Residual Risk |
|---|---|---|---|---|---|
| Finance Archive Imports | External HDD / SSD | 18 | 5 - Very High | 75 - Broad | 61.8 |
| Field Laptop Updates | USB Flash Drive | 36 | 4 - High | 75 - Broad | 54.2 |
| Managed Engineering Media | Managed Encrypted Corporate Device | 10 | 3 - Moderate | 100 - Fully Enforced | 19.6 |
Formula Used
Likelihood = 0.18(Device Type) + 0.14(Device Count) + 0.16(Usage Days) + 0.18(Transfer Events) + 0.18(Untrusted Media %) + 0.16(Incident History)
Impact = 0.35(Data Sensitivity) + 0.25(Endpoint Criticality) + 0.20(Regulatory Scope) + 0.20(Data Volume)
Control Effectiveness = weighted average of encryption, scanning, approvals, logging, DLP, training, write restriction, and autorun settings.
Inherent Risk = 0.58(Likelihood) + 0.42(Impact)
Residual Risk = Inherent Risk × (1 − 0.70 × Control Effectiveness / 100) + 1.5 × Incident Count
All component scores are normalized to a 0–100 scale. Residual risk thresholds are: Very Low < 20, Low 20–39.99, Moderate 40–59.99, High 60–79.99, and Critical 80+.
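The formulas above, applied to one exposure under two control states (current versus proposed safeguards), as an added example that is not the calculator's own code. It assumes component scores are already normalized to 0–100, weights the eight controls equally because the page does not publish their weights, and caps residual risk at 100; the scenario values are constructed.

```python
# Added example. Likelihood and impact weights are the ones in the page's formulas.
LIKELIHOOD_W = {"device_type": 0.18, "device_count": 0.14, "usage_days": 0.16,
                "transfer_events": 0.18, "untrusted_media_pct": 0.18,
                "incident_history": 0.16}
IMPACT_W = {"data_sensitivity": 0.35, "endpoint_criticality": 0.25,
            "regulatory_scope": 0.20, "data_volume": 0.20}
# ASSUMPTION: the page does not publish the control weights; equal weights used.
CONTROL_W = {c: 1 / 8 for c in ("encryption", "scanning", "approvals", "logging",
                                "dlp", "training", "write_restriction", "autorun")}
BANDS = ((20, "Very Low"), (40, "Low"), (60, "Moderate"), (80, "High"))

def weighted(scores, weights):
    """Weighted sum of component scores that are already normalized to 0-100."""
    for name in weights:
        if not 0 <= scores[name] <= 100:
            raise ValueError(f"{name} must be within 0-100, got {scores[name]}")
    return sum(w * scores[name] for name, w in weights.items())

def band(score):
    """Map a residual score to the page's threshold labels."""
    return next((label for limit, label in BANDS if score < limit), "Critical")

def assess(likelihood_in, impact_in, controls, incident_count):
    if incident_count < 0:
        raise ValueError("incident_count must be non-negative")
    inherent = (0.58 * weighted(likelihood_in, LIKELIHOOD_W)
                + 0.42 * weighted(impact_in, IMPACT_W))
    effectiveness = weighted(controls, CONTROL_W)
    residual = inherent * (1 - 0.70 * effectiveness / 100) + 1.5 * incident_count
    residual = min(residual, 100.0)  # ASSUMPTION: cap at the top of the 0-100 scale
    weakest = sorted(CONTROL_W, key=controls.get)[:3]  # lowest-rated controls first
    return {"inherent": inherent, "control_effectiveness": effectiveness,
            "residual": residual, "band": band(residual), "weakest": weakest}

# Constructed sample scenario (not from the page): same exposure, two control states.
LIKELIHOOD = {"device_type": 70, "device_count": 40, "usage_days": 50,
              "transfer_events": 60, "untrusted_media_pct": 30, "incident_history": 20}
IMPACT = {"data_sensitivity": 100, "endpoint_criticality": 60,
          "regulatory_scope": 80, "data_volume": 40}
CURRENT = {"encryption": 25, "scanning": 50, "approvals": 25, "logging": 50,
           "dlp": 0, "training": 50, "write_restriction": 0, "autorun": 40}
PROPOSED = {"encryption": 100, "scanning": 75, "approvals": 75, "logging": 75,
            "dlp": 50, "training": 50, "write_restriction": 75, "autorun": 100}

if __name__ == "__main__":
    for label, controls in (("current", CURRENT), ("proposed", PROPOSED)):
        r = assess(LIKELIHOOD, IMPACT, controls, incident_count=1)
        print(f"{label:9} inherent={r['inherent']:.1f} residual={r['residual']:.1f} "
              f"({r['band']}) weakest={r['weakest']}")
```

Because the control term is capped at 0.70, even fully enforced controls leave 30% of inherent risk in place, and each recorded incident adds a flat 1.5 points that controls do not reduce.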
How to Use This Calculator
- Enter a scenario name so reports stay traceable.
- Select the removable media type being assessed.
- Estimate device count, usage days, transfer frequency, and average transferred data volume.
- Enter the percentage of untrusted media and any recent incidents.
- Score business impact using sensitivity, endpoint criticality, and regulatory scope.
- Rate each control honestly based on actual deployment quality.
- Submit the form to place the result above the calculator.
- Download CSV or PDF to share the assessment output.
Frequently Asked Questions
1. What does removable media risk mean here?
It estimates how likely and damaging a removable media event could be, then reduces that exposure using your stated controls. The score supports comparison, not absolute prediction.
2. Why is residual risk more important than inherent risk?
Inherent risk shows baseline exposure before defenses. Residual risk reflects what remains after encryption, scanning, approvals, logging, and other protections are considered.
3. How should I score control effectiveness?
Score the real deployment state, not the policy goal. A control should only be marked fully enforced when coverage, monitoring, and exception handling are consistently active.
4. Can this support policy exception reviews?
Yes. Create one scenario for the current state and another with proposed safeguards. Comparing outputs helps explain whether an exception remains acceptable or needs compensating controls.
5. Why include untrusted media percentage?
Personal, vendor, or unknown devices increase malware, exfiltration, and data integrity concerns. That percentage is a direct exposure driver, even when approved devices are well managed.
6. Does a higher data volume always mean higher impact?
Usually yes, but sensitivity and system importance still matter more. A small transfer of highly regulated data can outrank a large transfer of low-value content.
7. Can I use this for audits and gap reviews?
Yes. The weakest control list and control gap value help identify where remediation planning should start, especially before audits, vendor reviews, or security committee discussions.
8. Is this calculator suitable for every organization?
It is a flexible model, but you should adjust assumptions to match your environment, tolerance, policies, and regulatory obligations before adopting it for formal governance decisions.