Calculator Inputs
Use the weighted model below to estimate third party cyber exposure.
Example Data Table
| Input | Example Value | Notes |
|---|---|---|
| Data Sensitivity | 4 | Vendor handles regulated customer records. |
| Integration Depth | 4 | Core platform integration with multiple APIs. |
| Privileged Access | 3 | Admin access limited to one production environment. |
| Business Criticality | 5 | Service disruption directly affects operations. |
| Fourth-Party Dependency | 4 | Several cloud and subcontractor dependencies. |
| External Connectivity | 4 | Internet-facing services support integration. |
| Known Incidents | 2 | Two publicly disclosed issues in two years. |
| Open Critical Findings | 3 | Assessment still tracks important unresolved items. |
| Regulatory Footprint Count | 4 | GDPR, PCI, HIPAA, and local privacy rules. |
| Average Remediation Days | 45 | Moderate closure speed. |
| Control Maturity | 3 | Defined but not fully optimized. |
| Contract Assurance Strength | 4 | Clear security terms and evidence rights. |
| Continuous Monitoring Coverage | 70% | Regular ratings and evidence feeds. |
| External Security Rating | 76 | Acceptable but improvable observed posture. |
| Protective Control Coverage | 78% | MFA, segmentation, logging, and backups mostly present. |
| Business Value at Risk | $350,000 | Modeled annual exposure base. |
Formula Used
This calculator combines inherent risk drivers, control strength, and response speed into a residual exposure score. It is designed for comparative vendor reviews, prioritization, and governance reporting.
1) Normalization: 1–5 scales are converted to 0–100 using: ((value - 1) / 4) × 100
2) Inherent Risk: (0.16 × Data) + (0.15 × Integration) + (0.17 × Privileged Access) + (0.15 × Criticality) + (0.10 × Fourth-Party) + (0.08 × Connectivity) + (0.07 × Incidents) + (0.07 × Findings) + (0.05 × Regulatory Footprint)
3) Control Effectiveness: (0.30 × Control Maturity) + (0.15 × Contract Strength) + (0.20 × Monitoring Coverage) + (0.20 × Security Rating) + (0.15 × Protective Coverage)
4) Residual Exposure: [Inherent Risk × (0.35 + (1 - Control Effectiveness/100) × 0.65)] + (0.10 × Remediation Score)
5) Incident Probability: 3 + (0.45 × Residual Exposure) + (0.10 × Incident Score) + (0.07 × Findings Score) + (0.05 × Connectivity Score)
6) Annualized Exposure Amount: Value at Risk × (Incident Probability / 100) × [0.35 + (0.65 × Criticality Score/100)] × [0.55 + (Inherent Risk/200)]
The model is directional, not actuarial. Use it to compare vendors consistently, identify outliers, and support review decisions with a transparent weighting structure.
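The six steps above, carried through in Python on the Example Data Table values, as an added example rather than the calculator's own source. The page does not say how the count inputs (incidents, findings, regulatory footprint) or Average Remediation Days become 0–100 scores, so this code assumes counts are capped at 5 and mapped as count/5 × 100, and remediation days are capped at 180 and mapped as days/180 × 100; percentages and the 0–100 security rating are used as-is.

```python
SCALE_FIELDS = ("data", "integration", "privileged_access", "criticality",
                "fourth_party", "connectivity", "control_maturity", "contract_strength")
COUNT_FIELDS = ("incidents", "findings", "regulatory_footprint")

def normalize_scale(value):
    """Step 1 (page formula): map a 1-5 rating onto 0-100; reject out-of-range input."""
    if not 1 <= value <= 5:
        raise ValueError(f"scale value {value} is outside the 1-5 range")
    return (value - 1) / 4 * 100

def normalize_count(count, cap=5):
    """ASSUMPTION (not on the page): counts are capped at 5 and mapped to 0-100."""
    return min(count, cap) / cap * 100

def remediation_score(days, cap_days=180):
    """ASSUMPTION (not on the page): slower closure scores higher, capped at 180 days."""
    return min(days, cap_days) / cap_days * 100

def calculate_exposure(v):
    """Steps 2-6 with the page's weights; percentages and the 0-100 rating are used as-is."""
    s = {k: normalize_scale(v[k]) for k in SCALE_FIELDS}
    s.update({k: normalize_count(v[k]) for k in COUNT_FIELDS})
    inherent = (0.16 * s["data"] + 0.15 * s["integration"]
                + 0.17 * s["privileged_access"] + 0.15 * s["criticality"]
                + 0.10 * s["fourth_party"] + 0.08 * s["connectivity"]
                + 0.07 * s["incidents"] + 0.07 * s["findings"]
                + 0.05 * s["regulatory_footprint"])
    control = (0.30 * s["control_maturity"] + 0.15 * s["contract_strength"]
               + 0.20 * v["monitoring_pct"] + 0.20 * v["security_rating"]
               + 0.15 * v["protective_pct"])
    residual = (inherent * (0.35 + (1 - control / 100) * 0.65)
                + 0.10 * remediation_score(v["remediation_days"]))
    probability = (3 + 0.45 * residual + 0.10 * s["incidents"]
                   + 0.07 * s["findings"] + 0.05 * s["connectivity"])
    amount = (v["value_at_risk"] * (probability / 100)
              * (0.35 + 0.65 * s["criticality"] / 100) * (0.55 + inherent / 200))
    return {"inherent_risk": inherent, "control_effectiveness": control, "residual_exposure": residual,
            "incident_probability": probability, "annualized_exposure": amount}

EXAMPLE_VENDOR = {  # constructed from the Example Data Table on this page
    "data": 4, "integration": 4, "privileged_access": 3, "criticality": 5,
    "fourth_party": 4, "connectivity": 4, "incidents": 2, "findings": 3,
    "regulatory_footprint": 4, "remediation_days": 45, "control_maturity": 3,
    "contract_strength": 4, "monitoring_pct": 70, "security_rating": 76,
    "protective_pct": 78, "value_at_risk": 350_000,
}

if __name__ == "__main__":
    for name, val in calculate_exposure(EXAMPLE_VENDOR).items():
        print(f"{name}: {val:,.2f}")
```

Under these assumptions the example vendor scores an inherent risk of 71.25, control effectiveness of 67.15 and an annualized exposure of roughly $108,297; re-running with Control Maturity raised to 5 lowers the amount, which is the comparison the model is built for.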
How to Use This Calculator
- Rate the vendor’s data access, integration depth, privilege, and operational importance.
- Enter history-based indicators such as incidents, open findings, and regulatory scope.
- Score mitigating factors including maturity, contract strength, monitoring, and protective controls.
- Add the business value at risk to estimate annualized exposure.
- Press Calculate Exposure to show results above the form.
- Use the CSV or PDF buttons to export current inputs and results for documentation.
Frequently Asked Questions
1. What does this calculator measure?
It estimates how much cyber exposure a vendor creates after accounting for access, data sensitivity, control strength, history, and business importance. The score is best used for comparison and prioritization.
2. Is this a replacement for a full risk assessment?
No. It is a screening and governance tool. Formal assessments still need evidence reviews, architecture checks, legal terms, control testing, and scenario analysis.
3. Why does control maturity matter so much?
Mature controls reduce the chance that an exposure turns into an incident. Strong governance, logging, access management, and tested response plans usually lower residual risk meaningfully.
4. How should I estimate business value at risk?
Use a practical loss base such as annual contract value, impacted revenue, service restoration cost, likely regulatory exposure, or an internally approved risk quantification figure.
5. What if the vendor has limited public information?
Use internal due diligence evidence, questionnaires, audits, architecture reviews, and contractual commitments. Unknown information can justify conservative scoring until better evidence appears.
6. Should all vendors use the same weights?
Not always. The included weights suit general third-party cyber reviews. Regulated, cloud-native, or operational technology environments may need custom weighting.
7. How often should I recalculate exposure?
Recalculate after onboarding, major architecture changes, incident disclosures, contract renewals, audit findings, or changes in data scope and privilege levels.
8. What is a good next step after a high score?
Escalate review depth, request remediation evidence, tighten contracts, reduce privileges, add monitoring, and consider contingency planning or alternative suppliers.