Formula used
The calculator assigns points to each input, groups them into three categories, normalizes each category to a percentage, then produces a weighted overall score.
- Identity & Privileges considers change magnitude, scope, sensitivity, exposure, third-party access, and work mode.
- Controls & Approvals considers MFA, training, background checks, approvals, duties separation, elevation controls, and timeline pressure.
- Visibility & Monitoring considers logging maturity, exception volume, and recent incidents.
For each category: Category% = (CategoryPoints / CategoryMaxPoints) × 100.
Overall score: Overall = (A%×wA + B%×wB + C%×wC) / (wA+wB+wC), where A, B, and C are the three category percentages and wA, wB, wC their weights; the result is clamped to 0–100.
How to use this calculator
- Enter role details and estimate new access scope.
- Select the highest data sensitivity the role will handle.
- Choose exposure and control settings that match reality.
- Adjust weights only if your organization prioritizes a category.
- Click Calculate risk, then export the report for review.
Example data
| Scenario | Change type | Systems | Sensitivity | MFA | Monitoring | Typical tier |
|---|---|---|---|---|---|---|
| Promotion to cloud admin | Significant increase | 28 | Regulated | Some systems | Central logs, limited alerting | High |
| Lateral move to analyst | Lateral change | 10 | Confidential | Most systems | Central alerts on critical actions | Medium |
| Offboarding privileged access | Privilege decrease | 5 | Internal | All critical systems | Central alerts on critical actions | Low |
These examples are illustrative. Your environment and policy may change outcomes.
Role transition exposure map
This calculator converts role change details into a repeatable exposure view. Inputs are grouped into Identity & Privileges, Controls & Approvals, and Visibility & Monitoring. Each group has a fixed maximum (78, 49, and 24 points respectively), so teams can compare results across requests, months, and departments. The result also lists the top five point drivers to speed review.
Scoring ranges and tiers
Each group score is normalized: Group% = points divided by maximum, then multiplied by 100. The overall score averages the three group percentages with weights that can be tuned from 0.60 to 1.40. Default tiers are Low under 30, Medium 30–59.9, High 60–79.9, and Critical 80–100. Use tiers to trigger approvals, extra monitoring, or staged access.
Privilege scope calibration
Privilege magnitude and access breadth are the primary exposure signals. Change type contributes up to 25 points for a significant privilege increase. Systems and services add up to 15 points and saturate at around 40 items, so oversized inventories cannot dominate the score. Data sensitivity adds up to 15 points for highly regulated records. Third-party access adds 8 points, and fully remote work adds 5, reflecting the wider set of attack paths.
Controls and approvals
Control gaps increase risk during the first days of a transition. Missing multi-factor enforcement can add 10 points, while outdated or missing training adds up to 6. Background check age adds up to 5 points when it is unknown. No documented approval can add 8 points, missing separation of duties adds 6, and weak elevation controls add 8. Time pressure adds 6 points when the change is due within 7 days, 4 within 14, and 2 within 30.
Monitoring and evidence
Visibility measures how quickly abnormal access can be detected and contained. Monitoring maturity can add up to 8 points when logs are absent or unreliable. Policy exceptions add up to 8 points and saturate at eight exceptions, representing accumulated risk debt. Recent user incidents can add up to 8 points and should prompt added oversight. Export CSV or PDF to attach inputs, results, and timestamps to your change ticket, then recalculate after mitigations. Re-running the assessment after 7 and 30 days helps validate steady-state access, confirm least privilege, and document the formal closure of exceptions.
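The formula in "Formula used" and the point values listed under Privilege scope calibration, Controls and approvals, and Monitoring and evidence can be combined into a single scoring routine. The following Python is an added worked example written for this page; it is not the calculator's own code. The category maxima (78, 49, 24), the per-input maxima, the timeline steps, the saturation points, the weight range (0.60 to 1.40), and the default tiers come from the text above. The intermediate values for inputs the page only gives a maximum for (for example the 8 points for a lateral change, the 10-point exposure scale that brings Identity & Privileges to 78, and 4 points per recent incident) are assumptions made for the example and are marked as such in the code.

```python
from dataclasses import dataclass

# Category maxima as stated on the page.
CATEGORY_MAX = {"identity": 78, "controls": 49, "visibility": 24}

# Point tables. The highest value in each table is the figure the page gives;
# the intermediate steps are assumptions made for this example.
CHANGE_TYPE = {"privilege_decrease": 0, "lateral_change": 8,
               "moderate_increase": 15, "significant_increase": 25}
SENSITIVITY = {"public": 0, "internal": 4, "confidential": 9, "regulated": 15}
EXPOSURE = {"internal_only": 0, "vpn_only": 5, "internet_exposed_admin": 10}  # assumed: 10 fills 78
WORK_MODE = {"onsite": 0, "hybrid": 2, "fully_remote": 5}
MFA = {"all_systems": 0, "most_systems": 4, "some_systems": 7, "none": 10}
TRAINING = {"current": 0, "outdated": 3, "missing": 6}
BACKGROUND_CHECK = {"recent": 0, "old": 2, "unknown": 5}
APPROVAL = {"documented": 0, "informal": 4, "none": 8}
DUTIES_SEPARATION = {"enforced": 0, "missing": 6}
ELEVATION = {"strong": 0, "partial": 4, "weak": 8}
MONITORING = {"central_alerts_on_critical": 0, "central_logs_limited_alerting": 4,
              "absent_or_unreliable": 8}
# Default tiers from the page: Low under 30, Medium 30-59.9, High 60-79.9, Critical 80-100.
TIERS = [(80, "Critical"), (60, "High"), (30, "Medium"), (0, "Low")]


@dataclass
class Inputs:
    change_type: str = "lateral_change"
    systems: int = 0
    sensitivity: str = "internal"
    exposure: str = "internal_only"
    third_party: bool = False
    work_mode: str = "onsite"
    mfa: str = "all_systems"
    training: str = "current"
    background_check: str = "recent"
    approval: str = "documented"
    duties_separation: str = "enforced"
    elevation: str = "strong"
    days_until_change: int = 90
    monitoring: str = "central_alerts_on_critical"
    exceptions: int = 0
    recent_incidents: int = 0


def systems_points(n: int) -> float:
    """Up to 15 points; linear to 40 systems, then flat (linear ramp is an assumption)."""
    return min(max(n, 0), 40) / 40 * 15


def timeline_points(days: int) -> int:
    """6 points within 7 days, 4 within 14, 2 within 30, otherwise 0."""
    if days <= 7:
        return 6
    if days <= 14:
        return 4
    if days <= 30:
        return 2
    return 0


def exceptions_points(n: int) -> int:
    """Up to 8 points, one per open policy exception, saturating at eight."""
    return min(max(n, 0), 8)


def incidents_points(n: int) -> int:
    """Up to 8 points; 4 per recent incident is an assumption."""
    return min(max(n, 0) * 4, 8)


def point_drivers(i: Inputs) -> dict:
    """Points per input, grouped by category, so the top drivers can be listed."""
    return {
        "identity": {
            "change_type": CHANGE_TYPE[i.change_type],
            "systems": systems_points(i.systems),
            "sensitivity": SENSITIVITY[i.sensitivity],
            "exposure": EXPOSURE[i.exposure],
            "third_party": 8 if i.third_party else 0,
            "work_mode": WORK_MODE[i.work_mode],
        },
        "controls": {
            "mfa": MFA[i.mfa],
            "training": TRAINING[i.training],
            "background_check": BACKGROUND_CHECK[i.background_check],
            "approval": APPROVAL[i.approval],
            "duties_separation": DUTIES_SEPARATION[i.duties_separation],
            "elevation": ELEVATION[i.elevation],
            "timeline": timeline_points(i.days_until_change),
        },
        "visibility": {
            "monitoring": MONITORING[i.monitoring],
            "exceptions": exceptions_points(i.exceptions),
            "recent_incidents": incidents_points(i.recent_incidents),
        },
    }


def tier_for(score: float) -> str:
    for floor, name in TIERS:
        if score >= floor:
            return name
    return "Low"


def assess(i: Inputs, weights: dict = None) -> dict:
    """Category% = points / max * 100; Overall = weighted mean of the three, clamped to 0-100."""
    weights = weights or {"identity": 1.0, "controls": 1.0, "visibility": 1.0}
    for w in weights.values():
        if not 0.60 <= w <= 1.40:
            raise ValueError("weights must be within 0.60-1.40")
    drivers = point_drivers(i)
    pct = {cat: sum(parts.values()) / CATEGORY_MAX[cat] * 100 for cat, parts in drivers.items()}
    overall = sum(pct[c] * weights[c] for c in pct) / sum(weights.values())
    overall = max(0.0, min(100.0, overall))
    flat = [(f"{cat}.{name}", pts) for cat, parts in drivers.items() for name, pts in parts.items()]
    top5 = sorted(flat, key=lambda kv: kv[1], reverse=True)[:5]
    return {"category_pct": pct, "overall": overall, "tier": tier_for(overall), "top_drivers": top5}


if __name__ == "__main__":
    # Constructed scenario loosely based on the "Promotion to cloud admin" row above.
    promo = Inputs(change_type="significant_increase", systems=28, sensitivity="regulated",
                   mfa="some_systems", monitoring="central_logs_limited_alerting")
    print(assess(promo))
```

With every table entry at its maximum the three categories sum to exactly 78, 49, and 24, which is a useful sanity check that a point table matches the documented maxima; the assumed intermediate values only affect where a partial scenario lands between tiers, not the ends of the scale.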
FAQs
What does the overall score represent?
It estimates exposure created by new entitlements during a role transition. The score blends privilege, control, and visibility signals into a 0–100 scale, helping you decide which changes need extra approvals, monitoring, or staged rollout.
How should I set the category weights?
Keep all weights at 1.00 for a balanced view. Increase a weight only when policy demands it, such as emphasizing privileged access programs or strict monitoring requirements. Avoid extreme tuning that hides meaningful gaps.
Which inputs typically drive higher risk?
Significant privilege increases, broad access scope, highly regulated data, and internet-exposed administration often raise the score. Gaps in multi-factor enforcement, weak approvals, and absent monitoring also increase exposure, especially under tight timelines.
Does a Low tier mean the change is safe?
No. It means fewer risk signals were selected. You still must validate identity, approve access, and perform a post-change review. If any input is uncertain, choose the more conservative option and document assumptions.
When should we recalculate the score?
Recalculate after mitigations are applied, such as enabling multi-factor authentication, tightening elevation controls, or improving alerting. Many teams reassess at go-live, after one week, and after 30 days to confirm steady-state controls.
What is included in the CSV and PDF exports?
Exports include the timestamp, overall score, tier, category percentages, top drivers, and the input values you entered. Attach them to your change record to support audits, reviews, and consistent decision making.