
What's Your Cyber Risk Score? How to Calculate Cyber Risk + 4 Risk Scoring Models
Emily Bonnie
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
From informing strategic decision-making to ensuring regulatory compliance, a clear understanding of cyber risk is essential for modern organizations. But with a constantly shifting threat landscape, how can organizations accurately measure and track their level of exposure?
Cyber risk scores offer a tangible way to measure your organization’s risk profile and cybersecurity posture. This article explains how to calculate risk scores, unpacks several risk scoring methodologies, and answers some common questions around measuring and mitigating organizational risk.
What is a cyber risk score?
A cyber risk score measures an organization’s risk exposure compared to the strength of its cybersecurity posture. It’s like a report card for the organization’s overall asset and risk management.
Organizations use risk scores to assess their own internal security posture as well as evaluate potential vendors and partners. The better your risk score, the more likely you are to close deals, secure partnerships, save on insurance rates, and attract merger and acquisition opportunities.
Cyber risk scores are typically represented either as a whole number, kind of like a credit score, or as a percentage that indicates what portion of identified risk has been mitigated by security controls. The remainder is either accepted or residual risk.
Types of risk scores:
- Internal risk scores: Risks posed by insider threats, such as human error, data or asset loss, bugs or malfunctions, and malicious actors.
- External risk scores: Risks posed by external threats, such as cyberattacks, natural disasters, and political and socioeconomic changes.
How to calculate your cyber risk score
Calculating a cyber risk score involves assessing an organization's vulnerabilities, threats, and potential impacts to determine the overall level of risk associated with its cybersecurity posture. While there's no one-size-fits-all formula, here's a general approach to calculating a cyber risk score:
1. Asset Identification: Identify and categorize all assets (hardware, software, data, etc.) in your environment. This includes knowing where your data resides, who has access to it, and what protective measures are in place.
2. Vulnerability Assessment: Identify and rate any vulnerabilities in your systems through tools like vulnerability scanners, penetration tests, internal audits, and other assessments. Be sure to account for third-party risk when identifying potential vulnerabilities to evaluate your entire risk posture.
3. Threat Assessment: Identify and rate potential threats to your organization. This can include cyber threats like data breaches, supply chain issues, insider threats, natural disasters, etc.
4. Impact Assessment: For each identified vulnerability and threat, assess the potential impact on the organization if they were exploited or occurred. This can be represented by financial loss, reputational damage, operational disruption, etc.
5. Likelihood Estimation: Estimate the likelihood of each threat occurring using historical data, industry trends, and expert judgment.
6. Calculate Risk: For each vulnerability-threat pair, calculate the risk using a formula like:
Risk = Impact x Likelihood
7. Aggregate Risk: Combine the risk scores for all vulnerability-threat pairs to get an overall risk score for the organization.
8. Normalization: Depending on your scoring model, you might need to normalize the score to fit within a predefined range (e.g., 0-100 or 0-10).
9. Prioritization: Prioritize risks based on their risk score and create a remediation plan. Once controls are in place, you can eliminate or reduce the associated vulnerability-threat pair scores to adjust your overall risk score.
10. Continuous Monitoring and Updating: Cyber risk landscapes change rapidly. It's important to update the risk score regularly to reflect the evolving threat and vulnerability landscape.
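The steps above, carried through on a small constructed risk register (an added example, not code from the original article or from Secureframe): each vulnerability-threat pair gets a 1-5 impact and likelihood rating, scores are multiplied, summed, normalized to 0-100 and ranked, and one control is then applied to show the score moving. The asset names, the ratings and the size of the control's effect are assumptions.

```python
# Worked version of steps 6-9 above: score each vulnerability-threat pair, aggregate,
# normalize to 0-100, prioritize, then re-score after a control is applied. Added
# illustration, not Secureframe's code; scales, register entries and control effects are constructed.
from dataclasses import dataclass

SCALE_MAX = 5  # impact and likelihood are each rated 1 (lowest) to 5 (highest)

@dataclass
class RiskItem:
    asset: str
    vulnerability: str
    threat: str
    impact: int      # 1 minimal .. 5 catastrophic
    likelihood: int  # 1 rare .. 5 almost certain
    def risk(self) -> int:
        """Step 6: Risk = Impact x Likelihood."""
        return self.impact * self.likelihood

def aggregate(items):
    """Step 7: sum of all pair scores."""
    return sum(i.risk() for i in items)

def normalize(items, top=100):
    """Step 8: scale the aggregate onto 0-top, where top means every pair at max impact and likelihood."""
    worst = len(items) * SCALE_MAX * SCALE_MAX
    return round(top * aggregate(items) / worst, 1) if items else 0.0

def prioritize(items):
    """Step 9: highest score first; ties broken by impact so high-impact pairs surface."""
    return sorted(items, key=lambda i: (i.risk(), i.impact), reverse=True)

def apply_controls(items, reductions):
    """Step 9 continued: reductions maps (vulnerability, threat) -> (likelihood_cut, impact_cut), floored at 1."""
    treated = []
    for i in items:
        lcut, icut = reductions.get((i.vulnerability, i.threat), (0, 0))
        treated.append(RiskItem(i.asset, i.vulnerability, i.threat,
                                max(1, i.impact - icut), max(1, i.likelihood - lcut)))
    return treated

REGISTER = [  # constructed register; steps 1-5 are what produce these ratings
    RiskItem("customer-db", "unpatched DBMS", "external attacker", 5, 4),
    RiskItem("customer-db", "over-privileged accounts", "insider misuse", 4, 3),
    RiskItem("build-server", "unsigned third-party package", "supply chain compromise", 4, 2),
    RiskItem("office-wifi", "weak pre-shared key", "opportunistic attacker", 2, 3),
]

if __name__ == "__main__":
    patched = apply_controls(REGISTER, {("unpatched DBMS", "external attacker"): (3, 0)})
    print(normalize(REGISTER), "->", normalize(patched), [i.risk() for i in prioritize(REGISTER)])
```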
Remember that a cyber risk score is just one tool in your cybersecurity toolbox. It provides a high-level view of cyber risk, but risk management decisions should also incorporate long-term business objectives, risk tolerance, stakeholder input, and any legal or regulatory compliance requirements.
4 Cyber risk scoring methodologies to quantify risk
There are several risk scoring methodologies organizations can follow to evaluate and quantify risks. Here are a few types of risk scoring models and how they’re applied:
NIST cyber risk score
The National Institute of Standards and Technology (NIST) created a cyber risk scoring solution that helps organizations quantify risks across systems and components.
Here’s how it works:
Step 1: Risk profiling
This process determines how important a system is to the organization’s mission and operations. Stakeholders determine the appropriate risk appetite and create a risk profile methodology. That methodology is then mapped to business processes and systems to identify and quantify risk likelihood and impact. This risk profile is used to define total potential risk and identify applicable controls.
Step 2: Risk scoring
Using a quantitative risk-based analysis, organizations can understand risk from one system compared to another. Every control is assigned an initial weighting (1-10) based on its importance to the organization’s security and privacy posture. This is the control baseline risk score.
A data type questionnaire is then used to modify the baseline risk score by assigning CIA (confidentiality, integrity, and availability) ratings (1-10) based on the importance of the data type. System components are then assessed based on their implemented controls. The sum of all component potential risk scores is the system potential risk score.
ISS ESG cyber risk score
ISS ESG, a part of Institutional Shareholder Services (ISS), offers an evaluation of companies' cybersecurity risk based on a proprietary methodology. The ISS ESG Cyber Risk Rating aims to provide an understanding of a company's exposure to cybersecurity threats and their ability to manage those threats.
The exact proprietary algorithms used by ISS ESG are not publicly disclosed, but the general approach involves several key steps:
- Data Collection: ISS ESG aggregates vast amounts of data from publicly available sources, commercial data providers, and other undisclosed methods.
- Assessment Categories: The assessment generally touches on areas such as:
  - The complexity of the IT environment
  - The likelihood of a company suffering a cyberattack
  - The potential impact of such an attack
  - The company's preparedness and resiliency against cyber threats
  - Compliance with relevant regulations and standards
- Risk Indicators: Within each assessment category, several risk indicators are evaluated. These can range from technical measures, such as patch management practices and network security configurations, to internal processes such as employee training and incident response plans.
- Scoring: Based on this data, a risk score is assigned. Typically, these scores are represented in a tiered or graded fashion (e.g., low risk to high risk).
- Benchmarking: Scores can be compared against industry peers, providing a relative understanding of where the company stands in terms of cybersecurity risk compared to its competitors.
- Continuous Monitoring and Updates: ISS ESG's methodology involves periodic updates to ensure the risk ratings remain current.
- Detailed Reports: Along with the overall risk score, detailed reports provide insights into specific areas of concern, potential vulnerabilities, or best practices that a company may be following.
FAIR cyber risk score
Factor Analysis of Information Risk (FAIR) is a model for assessing and quantifying risk in financial terms, making it different from more traditional, qualitative risk assessments.
Here’s how FAIR cyber risk scoring generally works:
- Risk definition: FAIR defines "risk" as the probable frequency and magnitude of a future loss. The FAIR model breaks down risk into two primary components:
- Loss Event Frequency (LEF): How often you expect a loss event to occur in a given timeframe. LEF is influenced by two factors: Threat Event Frequency (how often a threat actor might target the asset) and Vulnerability (the likelihood that a threat will manifest as a loss).
- Loss Magnitude: How much you expect to lose when the event occurs. This includes both primary loss (i.e., initial response costs) and secondary loss (i.e., residual losses, usually affecting other entities such as customers).
- Quantitative Analysis: The next step is to assign quantitative values to risk factors and components. For example, if there's a 10% chance that a data breach will occur in the next 12 months, and the expected cost of a breach would be $1 million, the annualized loss expectancy (ALE) would be $100,000.
- Monte Carlo Simulations: FAIR often uses Monte Carlo simulations to predict future events. This method uses a large number of simulations to estimate the probability distributions for loss event frequency and loss magnitude, providing a more comprehensive view of potential risk outcomes.
- Risk Treatment: Quantifying risk in financial terms can help organizations make more informed decisions about how to prioritize and treat risk—whether it's accepting it, transferring it (e.g., through insurance), mitigating it (e.g., by implementing new controls), or avoiding it altogether.
- Continuous Assessment: Like all risk models, FAIR is most effective when used as part of a continuous risk assessment process.
FAIR provides a different perspective from many traditional cybersecurity frameworks. This quantitative approach can offer clarity for business leaders and executives and help them align cybersecurity concerns with larger business objectives and financial considerations.
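A Monte Carlo run of the FAIR decomposition above, added here as an illustration rather than FAIR Institute tooling or the article's own material: Threat Event Frequency and Vulnerability are sampled from three-point (min, most likely, max) estimates to give Loss Event Frequency, each simulated loss event draws a primary and a secondary loss, and the annual totals give the ALE plus a tail figure that the single-point calculation in the bullet above cannot show. All ranges in SCENARIO are constructed, and the PERT and Poisson sampling are assumed distribution choices, not something the article specifies.

```python
# FAIR-style Monte Carlo for the decomposition described above: loss events per year
# follow LEF = TEF x Vulnerability and each event costs primary + secondary loss. Added
# illustration, not FAIR Institute tooling; every range in SCENARIO is a constructed estimate.
import math
import random
import statistics

def pert(low, mode, high, rng):
    """Modified-PERT (lambda = 4) sample from a (min, most likely, max) estimate; needs min < max."""
    alpha = 1 + 4 * (mode - low) / (high - low)
    beta = 1 + 4 * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)

def poisson(lam, rng):
    """Loss-event count for one simulated year (Knuth's method, fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p >= limit:
        k, p = k + 1, p * rng.random()
    return k

SCENARIO = {  # constructed estimates for a hypothetical data-breach scenario
    "tef": (0.5, 1.0, 3.0),                    # threat events per year
    "vuln": (0.05, 0.10, 0.25),                # P(threat event becomes a loss event)
    "primary": (100_000, 500_000, 1_500_000),  # response and recovery cost per event, USD
    "secondary": (0, 200_000, 1_200_000)}      # fines, churn, customer harm per event, USD

def simulate(scenario, trials=20_000, seed=7):
    """Return one simulated annual loss (USD) per trial."""
    rng, losses = random.Random(seed), []
    for _ in range(trials):
        lef = pert(*scenario["tef"], rng) * pert(*scenario["vuln"], rng)
        year = sum(pert(*scenario["primary"], rng) + pert(*scenario["secondary"], rng)
                   for _ in range(poisson(lef, rng)))
        losses.append(year)
    return losses

def analytic_ale(scenario):
    """Point-estimate ALE from PERT means, (min + 4*mode + max) / 6, as a sanity check."""
    mean = lambda t: (t[0] + 4 * t[1] + t[2]) / 6
    return mean(scenario["tef"]) * mean(scenario["vuln"]) * (
        mean(scenario["primary"]) + mean(scenario["secondary"]))

def summarize(losses):
    """ALE plus the 1-in-10 bad year, which the point estimate alone cannot show."""
    ranked = sorted(losses)
    return {"ale": statistics.mean(losses), "p90": ranked[int(0.9 * len(ranked))]}

if __name__ == "__main__":
    print(summarize(simulate(SCENARIO)), "analytic ALE:", round(analytic_ale(SCENARIO)))
```

Most simulated years show zero loss, so the ALE understates what a bad year looks like; the 90th percentile is the figure to put next to it when discussing insurance or control spend.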
Key risk indicators (KRIs)
Key risk indicators are used to identify and track potential risks that could jeopardize business operations or growth. KRIs help organizations detect emerging threats or vulnerabilities early so they can take preemptive action. KRIs are often quantitative, such as a percentage, count, or ratio, with thresholds that trigger alerts for management to act.
KRIs should be:
- Measurable: KRIs are quantifiable by percentages, numbers, etc.
- Predictive: KRIs can be used as an early warning system.
- Informative: KRIs are used to shape decision-making.
- Comparable: KRIs can be benchmarked internally and to industry standards.
Key Risk Indicator Examples: the original table lists example KRIs for the following domains: Cybersecurity, Financial Services, Healthcare, Manufacturing, Human Resources, and Supply Chain.
Improve your cyber risk score with Secureframe
Secureframe offers end-to-end risk management capabilities to help you identify, assess, and mitigate organizational risk.
- Assess risk and document treatment plans to satisfy regulatory and compliance requirements
- Automatically assess and treat risks with Comply AI. The fully automated risk assessment workflow includes risk information and details, risk treatment, residual risk, risk score, and justification.
- Easily add and track risks with the risk library. Our risk library includes NIST risk scenarios for categories including IT, Fraud, Legal, and Finance.
- Link risks to controls and view history to coordinate risk management strategies with compliance requirements. Close any gaps in your risk management program and demonstrate the steps you’ve taken to strengthen your security posture over time.
To learn more about Secureframe’s powerful risk management capabilities, schedule a demo with a product expert.
FAQs
What is a risk scoring model?
A risk scoring model is a way to measure and assign a score to potential risks. By turning risks into numbers or categories, organizations can compare, prioritize, and manage them more effectively.
What are the benefits of cyber risk scoring?
Cyber risk scoring gives organizations a clear, measurable view of their security posture. Benefits include:
- Better decision-making about where to invest in security.
- Consistent, comparable evaluation of risks.
- Easier communication with executives, boards, and investors.
- Benchmarking against peers and industry standards.
- Clear prioritization of the most critical threats.
- Tracking improvements or emerging risks over time.
- Stronger justification for budgets and resources.
- Support for compliance requirements.
- Better vendor and third-party risk management.
- Increased business trust and value.
How does risk scoring work?
Risk scoring assigns values to risks based on their impact and likelihood. A typical process includes:
- Identifying potential risks.
- Scoring their impact (e.g., minimal to catastrophic) and likelihood (rare to almost certain).
- Calculating an overall score, often by multiplying impact × likelihood.
- Ranking risks by score to prioritize actions.
- Setting thresholds for acceptable vs. unacceptable risks.
- Applying controls to reduce impact or likelihood.
- Reviewing and updating scores regularly.
What is the 5-point risk scale?
The 5-point scale is a common way to rate risks:
- Very Low: Unlikely, minimal impact.
- Low: Possible, minor impact.
- Medium: Moderate chance, needs attention.
- High: Likely, significant impact, requires action.
- Very High: Almost certain, severe or catastrophic impact.