| Scenario | Key settings | Score | Level |
|---|---|---|---|
| Controlled corporate transfer | Organization-issued, scanned, EDR, encrypted, autorun off | 18 | Low |
| Routine office sharing | Personal drive, basic AV, internal data, shared, scan sometimes | 47 | Elevated |
| High-risk sensitive environment | Unknown source, no scan, executables allowed, outdated host, sensitive system | 86 | Critical |
Example scores are illustrative. Your environment and policies should drive final decisions.
This calculator models Likelihood and Impact separately, then combines them into a single score.
- Likelihood (0–5): Based on exposure and execution opportunity. It aggregates weighted factors (source trust, scanning, endpoint controls, autorun, executables/macros, sharing, frequency, time connected, prior incidents, brand channel, patch level).
- Impact (0–5): Based on business consequence if compromise or loss occurs. It aggregates data sensitivity, sensitive-system usage, encryption status, and write protection.
Impact = (ImpactPoints / 48) × 5
RiskScore = ((0.65 × Likelihood) + (0.35 × Impact)) × 20
Weighting emphasizes preventing execution and lateral spread, while still accounting for data loss and sensitive environments.
- Describe how the removable device is sourced, shared, and used.
- Select the controls that actually run on endpoints today.
- Set data sensitivity based on your classification policy.
- Click Calculate Risk to view score and actions.
- Export CSV or PDF to attach to tickets and audits.
Why removable media still matters
USB drives remain a bridge between networks, laptops, and kiosks. Convenience can bypass controls, making a single plug-in event a security decision. This calculator converts those choices into a measurable score from 0 to 100. It highlights where insertion behavior, device trust, and host hygiene combine to raise exposure. Use it to compare teams or processes and to document why a stricter workflow is justified.
Interpreting likelihood and impact scores
Likelihood reflects how easily a threat could execute and spread after insertion. It uses a 0 to 5 scale derived from scanning, controls, autorun, executable files, sharing, and patch level. Impact reflects business consequence on a 0 to 5 scale, driven by data classification, encryption, write protection, and sensitive system use. The combined score weights likelihood at 65 percent and impact at 35 percent to support prioritization.
Controls that lower the score fastest
The biggest reductions come from technical enforcement. Device control with EDR reduces execution paths, while scan-on-insertion cuts the chance that a payload goes unnoticed. Disabling autorun and blocking executables from removable media removes common infection routes. Encryption and write protection lower loss and tampering impact. If you must allow macros, require signed templates and keep the host patched. Apply controls consistently, then re-score to show the improvement.
Using results for policy and audits
Treat the score as a decision aid, not a verdict. Define bands that match your risk appetite: 0 to 19 low, 20 to 39 moderate, 40 to 59 elevated, 60 to 79 high, and 80 to 100 critical. Attach the exported CSV or PDF to change tickets and exception requests. Store results with asset tags and dates so auditors can see trends and enforcement.
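The scoring model above (Impact = (ImpactPoints / 48) × 5, RiskScore = ((0.65 × Likelihood) + (0.35 × Impact)) × 20) and the bands just defined can be reproduced in a few lines. The following Python is an added worked example, not the calculator's own code: the factor names, the per-factor points and the Likelihood denominator are assumptions, since the page lists the Likelihood factors but not their weights. Only the Impact denominator, the 0.65/0.35 weighting, the ×20 scaling and the band boundaries come from the page.

```python
# Added worked example (not the calculator's own code). Implements the model
# described on the page: Impact = (ImpactPoints / 48) x 5,
# RiskScore = ((0.65 x Likelihood) + (0.35 x Impact)) x 20, and the bands
# 0-19 low, 20-39 moderate, 40-59 elevated, 60-79 high, 80-100 critical.
# Factor names, per-factor points and the Likelihood denominator are assumptions.

# Assumed likelihood factors: points counted when the risky condition holds.
LIKELIHOOD_WEIGHTS = {
    "untrusted_source": 10,
    "no_scan_on_insert": 8,
    "no_device_control_edr": 8,
    "autorun_enabled": 6,
    "executables_allowed": 8,
    "macros_allowed": 4,
    "shared_between_users": 4,
    "frequent_use": 3,
    "long_time_connected": 3,
    "prior_incidents": 4,
    "unmanaged_brand_channel": 2,
    "host_unpatched": 6,
}
LIKELIHOOD_MAX = sum(LIKELIHOOD_WEIGHTS.values())  # 66 under these assumptions

# Assumed impact factors; the total is chosen to match the page's 48-point denominator.
IMPACT_WEIGHTS = {
    "sensitive_data": 18,
    "sensitive_system": 14,
    "not_encrypted": 10,
    "no_write_protection": 6,
}
IMPACT_MAX = 48  # from the page

# Inclusive upper bound of each band, from the page.
BANDS = [(19, "Low"), (39, "Moderate"), (59, "Elevated"), (79, "High"), (100, "Critical")]


def _points(weights: dict, active: set) -> int:
    """Sum the points of the active factors; reject names the model does not know."""
    unknown = set(active) - set(weights)
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    return sum(weights[name] for name in active)


def likelihood(active: set) -> float:
    """0-5 scale; normalised the same way as Impact (an assumption, the page gives no formula)."""
    return _points(LIKELIHOOD_WEIGHTS, active) / LIKELIHOOD_MAX * 5


def impact(active: set) -> float:
    """Impact = (ImpactPoints / 48) x 5, as stated on the page."""
    return _points(IMPACT_WEIGHTS, active) / IMPACT_MAX * 5


def risk_score(lik: float, imp: float) -> int:
    """RiskScore = ((0.65 x Likelihood) + (0.35 x Impact)) x 20, rounded to a whole number."""
    return round(((0.65 * lik) + (0.35 * imp)) * 20)


def band(score: int) -> str:
    """Map a 0-100 score to the page's five bands."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} outside 0-100")


def assess(active: set) -> dict:
    """Split the active factors between the two sub-models and return the full result."""
    unknown = set(active) - set(LIKELIHOOD_WEIGHTS) - set(IMPACT_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    lik = likelihood({f for f in active if f in LIKELIHOOD_WEIGHTS})
    imp = impact({f for f in active if f in IMPACT_WEIGHTS})
    score = risk_score(lik, imp)
    return {"likelihood": round(lik, 2), "impact": round(imp, 2),
            "score": score, "level": band(score)}


if __name__ == "__main__":
    # Constructed scenario: unknown source, no scan, executables allowed,
    # outdated host, sensitive system, unencrypted drive.
    print(assess({"untrusted_source", "no_scan_on_insert", "executables_allowed",
                  "host_unpatched", "sensitive_system", "not_encrypted"}))
```

Because both sub-scores are capped at 5, the combined score always lands in 0 to 100 and the band lookup needs no clamping; the `ValueError` on unknown factor names is there so a typo in an input sheet cannot silently lower a score.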
Operational workflow for secure transfers
For higher scores, use a transfer station that is patched, monitored, and isolated from sensitive networks. Receive the media, scan it, and copy only approved file types into a staging folder. Validate hashes or file lists when possible, then move the data through a channel to the target system. Issue organization-owned drives to reduce supply chain uncertainty. Close the loop by updating this calculator after changes and saving the report with the work record.
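The staging step of that workflow (copy only approved types, record and later validate hashes) is small enough to script. The following Python is an added example, not part of the page or its calculator: the allowed extensions, directory names and manifest file name are assumptions standing in for your own policy, and it assumes the media has already been scanned by the station's endpoint protection before this step runs.

```python
# Added example (not the page's own code): staging step for a transfer station.
# Copies allow-listed file types from mounted media into a staging folder,
# verifies each copy against the source hash, writes a SHA-256 manifest, and
# can re-verify the staged tree later. Extensions and names are assumptions.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".pdf", ".csv", ".txt", ".docx", ".xlsx"}  # assumed policy
MANIFEST_NAME = "MANIFEST.json"                                # assumed name


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large transfers do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_media(media_root: Path, staging: Path) -> dict:
    """Copy approved regular files from media_root into staging; return the manifest."""
    staging.mkdir(parents=True, exist_ok=True)
    manifest = {"files": {}, "rejected": []}
    for src in sorted(media_root.rglob("*")):
        if src.is_symlink() or not src.is_file():   # no links, devices or directories
            continue
        rel = src.relative_to(media_root).as_posix()  # relative_to keeps paths inside the tree
        # Suffix check uses the final extension only, so "report.pdf.exe" is rejected.
        if src.suffix.lower() not in ALLOWED_SUFFIXES:
            manifest["rejected"].append(rel)
            continue
        dst = staging / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        expected = sha256_of(src)
        shutil.copyfile(src, dst)   # copyfile: content only, no permission bits or metadata
        if sha256_of(dst) != expected:
            raise IOError(f"copy of {rel} does not match its source hash")
        manifest["files"][rel] = expected
    (staging / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_staging(staging: Path) -> list:
    """Re-hash staged files against the manifest; return names that are missing or changed."""
    manifest = json.loads((staging / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest["files"].items():
        staged = staging / rel
        if not staged.is_file() or sha256_of(staged) != expected:
            problems.append(rel)
    return problems


def demo() -> dict:
    """Run the flow on a constructed media tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        media, staging = Path(tmp) / "media", Path(tmp) / "staging"
        (media / "reports").mkdir(parents=True)
        (media / "reports" / "q3.csv").write_text("id,amount\n1,42\n")   # constructed
        (media / "readme.txt").write_text("hello\n")                     # constructed
        (media / "installer.exe").write_bytes(b"MZ\x90\x00")             # constructed stub, not a binary
        (media / "macro.docm").write_bytes(b"PK\x03\x04")                # constructed stub
        manifest = stage_media(media, staging)
        clean = verify_staging(staging)
        (staging / "readme.txt").write_text("hello!\n")   # simulate tampering after staging
        tampered = verify_staging(staging)
        return {"manifest": manifest, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The extension allow-list is a coarse filter, not a content check: it stops the obvious executables and macro-enabled documents named on the page from reaching staging, while scanning on the station remains the control that inspects what is inside the approved files. The manifest gives the receiving side something concrete to validate against, which is the "validate hashes or file lists" step above.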
FAQs
1) What does the 0–100 risk score represent?
The score summarizes weighted likelihood and impact from your inputs. Lower scores indicate stronger controls and safer handling. Higher scores signal higher exposure or higher consequence. Use it to prioritize controls and justify exceptions, not as a guarantee.
2) Why is likelihood weighted more than impact?
Most USB incidents start with execution opportunity. Blocking autorun, executables, and unsafe devices reduces the chance of compromise. Impact still matters, but preventing initial execution and spread usually delivers the biggest risk reduction.
3) Should we prohibit USB devices entirely?
Not always. Some roles need offline transfer. Instead, restrict usage to approved devices, enforce scanning and device control, and use a controlled transfer station for sensitive environments. Ban only where operational alternatives exist.
4) Which single change reduces risk the fastest?
Enable managed device control with strong endpoint protection and require scan-on-insertion. Then block executable files from removable media. These steps shrink the attack surface quickly and reduce both silent infections and lateral movement.
5) Can this calculator replace a formal assessment?
No. It supports consistent screening and documentation. Combine it with endpoint telemetry, asset criticality, data classification, and incident history. For high scores, conduct a deeper review and validate the transfer workflow.
6) How do I use the CSV and PDF exports?
Run a calculation, then download the report. Attach it to tickets, audit evidence, or exception approvals. Save the file with the asset name and date so you can compare scores after controls change.