Vendor Cyber Risk Calculator

Analyze likelihood, impact, control gaps, and recovery strength. Quantify expected loss before onboarding critical suppliers. Compare scenarios quickly through dashboards, scores, graphs, and downloads.

Calculated Vendor Risk Summary

The result panel shows the vendor's risk tier (Low, Moderate, High, or Critical) together with these values:

- Inherent Risk Score (0-100)
- Mitigation Index (0-100)
- Residual Risk Score (0-100)
- Annual Incident Probability (%)
- Expected Gross Loss ($)
- Net Expected Loss ($)
- Risk-Adjusted Vendor Cost ($)
- Risk-to-Value Ratio (x)

Below the scores, the panel lists the top risk drivers, a recommended decision, and a Plotly risk visualization.

Calculator Inputs

Enter vendor, exposure, control, and resilience values. The model scores weighted inherent risk, applies mitigation strength, then estimates expected financial loss.

The form collects the following fields:

- Vendor name: used in exports and result summaries.
- Contract value: annual spend committed to this vendor.
- Estimated breach cost: total potential loss from a major vendor incident.
- Coverage offset: amount expected to be recovered or covered.
- Inherent likelihood: base incident likelihood before controls.
- Control maturity: assesses preventive and detective control strength.
- Recovery readiness: measures backup, response, and service restoration readiness.
- Incident history: past confirmed security events or public incidents.
- Time to detect: slower detection increases residual exposure.
- Time to respond: longer response time raises disruption and loss.

Example Data Table

These sample vendor profiles show how the model separates lower-risk providers from higher-risk, higher-impact dependencies.

Vendor          | Contract Value | Breach Cost | Likelihood | Control Maturity | Recovery Readiness | Inherent Risk | Residual Risk | Net Expected Loss | Tier
Payroll SaaS    | $75,000.00     | $420,000.00 | 38%        | 72               | 68                 | 63.56         | 34.31         | $56,462.36        | Moderate
DevOps MSP      | $180,000.00    | $950,000.00 | 61%        | 54               | 49                 | 79.38         | 52.29         | $248,070.92       | High
Office Supplies | $24,000.00     | $70,000.00  | 14%        | 81               | 85                 | 23.88         | 11.12         | $0.00             | Low

Formula Used

The calculator converts each risk factor into a normalized 0-100 score, then combines them using weighted scoring.

Inherent Risk = Σ(Weighted Factor Scores)

Heavier weights are assigned to inherent likelihood, data sensitivity, access, business criticality, and probable financial impact.

Mitigation strength blends control maturity and recovery readiness.

Mitigation Index = (0.70 × Control Maturity) + (0.30 × Recovery Readiness)

Preventive control maturity receives more weight because it reduces both incident frequency and severity.

Residual risk applies mitigation against inherent exposure.

Residual Risk = Inherent Risk × (1 − 0.65 × Mitigation Index / 100)

The 0.65 factor caps risk reduction so strong controls reduce risk meaningfully without implying perfect safety.

Annual incident probability is estimated from residual risk.

Annual Incident Probability = max(min((Residual Risk / 100) × 0.60, 0.95), 0.01)

This keeps probability inside practical planning bounds while preserving relative differences across vendor profiles.

Financial loss is then estimated and adjusted for coverage.

Expected Gross Loss = Annual Incident Probability × Estimated Breach Cost

Net Expected Loss = max(Expected Gross Loss − Coverage Offset, 0)

Risk-Adjusted Vendor Cost = Contract Value + Net Expected Loss
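The chain of formulas above, carried through in Python as an added worked example (this is not the calculator's own code). It reproduces the Mitigation Index, Residual Risk, Annual Incident Probability, Expected Gross Loss, Net Expected Loss and Risk-Adjusted Vendor Cost for the three vendors in the example table. Two assumptions are made explicit: the page does not publish the weights used for the inherent risk sum, so `inherent_risk_from_factors` takes caller-supplied weights and the sample vendors use the table's inherent risk scores directly; and the table does not list each vendor's coverage offset, so the offsets in `SAMPLE_VENDORS` are constructed values chosen to be consistent with the table's net expected loss. The risk tier thresholds and the Risk-to-Value Ratio are not defined on the page and are therefore not computed.

```python
"""Vendor cyber risk scoring chain (added example, not the calculator's code)."""
from dataclasses import dataclass

# Constants taken from the page's formulas.
CONTROL_WEIGHT = 0.70        # Mitigation Index weight on control maturity
RECOVERY_WEIGHT = 0.30       # Mitigation Index weight on recovery readiness
MAX_REDUCTION = 0.65         # caps how far mitigation can reduce inherent risk
PROBABILITY_SCALE = 0.60     # residual risk (as 0-1) -> annual incident probability
PROBABILITY_FLOOR = 0.01
PROBABILITY_CEILING = 0.95


@dataclass(frozen=True)
class VendorInputs:
    name: str
    contract_value: float      # annual spend committed to the vendor
    breach_cost: float         # total potential loss from a major incident
    coverage_offset: float     # insurance or contractual recovery expected
    inherent_risk: float       # 0-100 weighted inherent risk score
    control_maturity: float    # 0-100
    recovery_readiness: float  # 0-100


@dataclass(frozen=True)
class VendorResult:
    mitigation_index: float
    residual_risk: float
    annual_probability: float
    expected_gross_loss: float
    net_expected_loss: float
    risk_adjusted_cost: float


def inherent_risk_from_factors(factor_scores: dict, weights: dict) -> float:
    """Inherent Risk = sum of weighted 0-100 factor scores.

    The page does not publish its factor weights (assumption: the caller supplies
    them); they must sum to 1.0 so the result stays on the 0-100 scale.
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("factor weights must sum to 1.0")
    missing = set(weights) - set(factor_scores)
    if missing:
        raise ValueError(f"missing factor scores: {sorted(missing)}")
    for name, score in factor_scores.items():
        if not 0 <= score <= 100:
            raise ValueError(f"{name} must be on a 0-100 scale")
    return sum(weights[name] * factor_scores[name] for name in weights)


def mitigation_index(control_maturity: float, recovery_readiness: float) -> float:
    """Mitigation Index = 0.70 x Control Maturity + 0.30 x Recovery Readiness."""
    return CONTROL_WEIGHT * control_maturity + RECOVERY_WEIGHT * recovery_readiness


def residual_risk(inherent: float, mitigation: float) -> float:
    """Residual Risk = Inherent Risk x (1 - 0.65 x Mitigation Index / 100)."""
    return inherent * (1 - MAX_REDUCTION * mitigation / 100)


def annual_incident_probability(residual: float) -> float:
    """Clamp (Residual Risk / 100) x 0.60 into the [0.01, 0.95] planning band."""
    raw = (residual / 100) * PROBABILITY_SCALE
    return max(min(raw, PROBABILITY_CEILING), PROBABILITY_FLOOR)


def assess(v: VendorInputs) -> VendorResult:
    """Run the full chain from inputs to risk-adjusted vendor cost."""
    mi = mitigation_index(v.control_maturity, v.recovery_readiness)
    rr = residual_risk(v.inherent_risk, mi)
    p = annual_incident_probability(rr)
    gross = p * v.breach_cost
    net = max(gross - v.coverage_offset, 0.0)   # coverage cannot make loss negative
    return VendorResult(mi, rr, p, gross, net, v.contract_value + net)


# Constructed sample vendors mirroring the page's example table. The coverage
# offsets are assumed values: the table does not list them.
SAMPLE_VENDORS = [
    VendorInputs("Payroll SaaS", 75_000, 420_000, 30_000, 63.56, 72, 68),
    VendorInputs("DevOps MSP", 180_000, 950_000, 50_000, 79.38, 54, 49),
    VendorInputs("Office Supplies", 24_000, 70_000, 10_000, 23.88, 81, 85),
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        r = assess(v)
        print(f"{v.name:16} MI={r.mitigation_index:5.1f} "
              f"residual={r.residual_risk:6.2f} p={r.annual_probability:.2%} "
              f"net=${r.net_expected_loss:,.2f} "
              f"risk-adjusted cost=${r.risk_adjusted_cost:,.2f}")
```

Running the script reproduces the table's residual risk scores (34.31, 52.29 and 11.12) from the listed inherent risk, control maturity and recovery readiness values. Note that the probability clamp makes the floor of 1% reachable only when residual risk is below about 1.67, and the 95% ceiling can never be reached because residual risk tops out at 100, which maps to 60%; the ceiling is a guard rather than an operative bound.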

How to Use This Calculator

  1. Enter the vendor name for tracking and exports.
  2. Add annual contract value and estimated breach cost.
  3. Enter expected insurance recovery or contractual coverage.
  4. Score likelihood, controls, recovery, access, criticality, and compliance exposure.
  5. Record incident history, fourth-party dependency, region risk, and timing values.
  6. Press Calculate Risk to show the result above the form.
  7. Review top drivers, the risk tier, expected loss, and decision guidance.
  8. Use the CSV or PDF buttons to save the assessment for procurement, security, or audit records.

FAQs

1) What does inherent risk mean here?

Inherent risk measures exposure before vendor safeguards are considered. It reflects likelihood, sensitive data, privileged access, critical operations, compliance pressure, prior incidents, and potential financial impact.

2) What is residual risk?

Residual risk is the remaining exposure after control maturity and recovery readiness reduce the initial risk. It is usually the best value for approval decisions and monitoring frequency.

3) Why include contract value and breach cost together?

Contract value shows what you pay for the vendor. Breach cost shows what you could lose if things go wrong. Comparing both reveals whether the vendor’s cyber exposure is economically acceptable.

4) Can this calculator replace a full vendor assessment?

No. It supports triage and decision consistency. You should still review evidence such as certifications, questionnaires, penetration results, contractual obligations, and incident response commitments.

5) How should I choose the 1-5 scores?

Use a consistent scoring rubric across all vendors. Define each level in policy, train reviewers, and document why each score was selected to improve repeatability and governance.

6) Why does insurance reduce net expected loss?

Coverage offsets part of the projected loss if the incident qualifies and the policy responds. It lowers expected financial exposure, but it does not reduce operational or regulatory disruption.

7) How often should vendor cyber risk be recalculated?

Refresh scores at onboarding, renewal, material scope changes, new incidents, large architecture changes, or when the vendor starts handling more sensitive data or broader access.

8) What is a good approval threshold?

Many teams approve low and moderate vendors through standard review, require remediation for high vendors, and escalate critical vendors for executive signoff or rejection.

Related Calculators

- third party impact
- third party risk score
- vendor security risk
- vendor compliance risk

Important Note: All the calculators listed on this site are for educational purposes only, and we do not guarantee the accuracy of results. Please consult other sources as well.