70% of organizations experienced at least two critical risk events in the past year. Over 40% experienced at least three, and nearly 20% suffered six or more incidents, according to a 2023 report by Forrester and Dataminr.

Managing cybersecurity risk isn’t just about deploying firewalls or strong password practices. It’s about adopting a comprehensive and proactive approach to safeguarding your information assets from your organization's specific threats. Just as meteorologists grapple with uncertain factors like wind patterns, temperature fluctuations, and atmospheric conditions, risk managers face their own set of challenges when trying to pin down the numerical value of risk.

A risk score quantifies the level of risk associated with a specific decision, activity, or threat, so that organizations can effectively prioritize and mitigate risks. In this article, we’ll dive deeper into the components of a risk score and walk through some popular methodologies for calculating cybersecurity risk.

Understanding risk scores

A risk score is a numerical value that represents the potential severity and likelihood of a negative event occurring. This score helps organizations prioritize risks, enabling them to allocate resources and implement effective controls to safeguard against critical risks.

Essentially, a risk score translates the complex dimensions of risk into a simple number that’s easy to interpret. To understand and calculate a risk score, you need to consider two fundamental components: risk likelihood and risk impact.

• Risk likelihood: This component assesses risk probability. Likelihood can be measured using numerical values such as 1-5, percentages, or qualitative descriptors (e.g., rare, likely, almost certain). To determine risk likelihood, consider historical data, consult internal experts, examine industry trends, and evaluate the strength of your existing controls.
• Risk impact: This component considers the consequences of the risk event should it materialize. To assess impact, consider potential financial loss, reputational damage, and legal and compliance implications. Like likelihood, impact can be quantified using numerical values or qualitative descriptors, ranging from minimal to catastrophic.

Risk score calculation: The basic formula

A simple formula for calculating a risk score is a combination of likelihood and impact of risk:

This basic calculation allows organizations a quick snapshot across different risks for easy comparison and prioritization. A higher risk score of course indicates a greater level of risk, with more urgent mitigation efforts.

For instance, consider a scenario where the likelihood of a data breach is rated as 4 on a scale of 1 to 5 and the potential impact is assessed as 5. Using the formula, the risk score for a data breach would be:

Risk Score = 4 (Likelihood) × 5 (Impact) = 20

Meanwhile, the likelihood of a server failure is rated as a 2 out of 5 and the impact a 4 out of 5. The risk score for this possibility would be:

Risk Scores = 2 (Likelihood) x 4 (Impact) = 8

These scores help organizations easily compare risks and determine how to allocate resources for optimal risk response strategies.

What is a quantitative risk analysis?

There are two foundational ways to assess risk. A qualitative approach such as a risk assessment matrix relies on expertise and experience to assign a risk rating like “highly likely” or “critical.” A quantitative approach uses mathematical calculations and measurable data to assign numerical risk scores like “37% probability” and “$20k annual loss”.

While the level of precision quantitative risk analysis offers gives organizations a clearer, more specific idea of their risk exposure, it is also more difficult and resource-intensive to complete.

Quantitative risk analysis vs qualitative risk analysis

Based on factors like strategic goals and available resources, organizations may lean towards one type of risk assessment over the other.

When to use qualitative risk assessments:

• Limited resources: Quantitative analysis can be resource-intensive, requiring access to reliable data, analytical tools, and internal expertise. Smaller organizations or those with limited resources may initially opt for qualitative assessments.
• Uncertain cybersecurity landscape: In highly complex environments or for specific types of risks, quantitative data may be scarce. Qualitative assessments can offer valuable insights when the information required to quantify risks is not available.

When to use quantitative risk assessments:

• Need for precision: Quantitative assessments are particularly useful when you need to make exact financial decisions, such as justifying cybersecurity investments or determining insurance coverage. They provide a clearer cost-benefit analysis for weighing different risk mitigation strategies.
• Regulatory and compliance requirements: Certain industries and regulatory frameworks may involve quantitative risk assessments to meet compliance standards and reporting requirements. For example, SOX compliance involves quantitative risk assessments for financial controls. While NIST 800-53 doesn’t specifically require it, the framework does encourage quantitative methods as a way to inform and improve risk management decisions.
• Greater GRC maturity: Organizations with more mature GRC and risk management practices often evolve towards quantitative methods as they accumulate historical data and develop a deeper understanding of their risk environment.

7 Popular approaches to calculating cybersecurity risk

There are multiple approaches and methodologies to quantify and manage risks. Below, we’ll explain 7 common approaches and formulas used to calculate cybersecurity risk and share an example for each.

1. Annual Loss Expectancy (ALE)

ALE quantifies the potential financial loss an organization can expect in a year as a result of specific security incidents or threats. This formula is particularly valuable for organizations looking to prioritize their cybersecurity investments and strategies by identifying which threats pose the greatest financial risk.

• SLE (Single Loss Expectancy): The estimated monetary loss or impact from a single occurrence of a threat.
• ARO (Annual Rate of Occurrence): The expected frequency of a threat occurring within a year.

By calculating the ALE for various cybersecurity threats, organizations can make informed decisions about allocating resources to threats with the highest ALE, offering clearer justification for cybersecurity budgets and investments. By demonstrating the potential financial impact of unmitigated risks, security leaders can make a compelling case for the budget required to implement effective security measures.

By comparing the cost of implementing a security control against the reduction in ALE it provides, risk management leaders can also make informed decisions about which controls offer the best return on investment. For any risks that cannot be completely mitigated through controls, ALE can be a valuable metric for determining the appropriate level of cyber insurance coverage, ensuring that the organization is adequately protected against potential financial losses.

Example: How to use ALE to calculate risk

1. Identify risk: Start by identifying a specific risk that your organization faces. This could be anything from a social engineering attack to hardware failure.
2. Calculate SLE:
3. Assess asset value: This could be the value of data, hardware, or any other resource.
4. Determine Exposure Factor (EF): Estimate the percentage of loss the identified risk would cause if it occurs. For instance, if a risk event would result in losing 50% of the value of an asset, the EF is 0.5.
5. Calculate SLE: SLE = Asset Value × EF
6. Estimate ARO: Estimate how many times the identified risk is likely to occur in a year based on historical data, industry benchmarks, or expert judgment.
7. Calculate ALE: Multiply the SLE by the ARO to get the ALE.

For example, suppose an organization assesses the risk of a data breach and determines the SLE to be $400,000, taking into account incident response, potential fines, breach notification costs, and reputational damage. Based on the organization's threat landscape and historical data, the ARO is estimated to be 0.2 (indicating one occurrence every five years).

ALE = $400,000 × 0.2 = $80,000

This means the organization can expect to lose an average of $80,000 annually due to data breaches.

2. Factor Analysis of Information Risk (FAIR)

FAIR is a framework for quantifying information risk in financial terms, breaking down risk into factors like threat event frequency, vulnerability, and loss magnitude.

FAIR divides risk into two main categories, each with several sub-components:

• Loss Event Frequency (LEF): The frequency a specific loss event is expected to occur, taking into consideration:
• Threat Event Frequency (TEF): How often a threat event is likely to occur
• Vulnerability: The probability that a threat event will become a loss event
• Probable Loss Magnitude (PLM): The range of potential losses for each event, taking into consideration:
• Primary loss: Direct financial losses from an event.
• Secondary loss: Indirect losses, including reputation damage, response costs, etc.

Example: How to use FAIR to calculate risk

While FAIR does not offer specific formulas for each step, organizations often use Monte Carlo simulations or other statistical models to calculate LEF and PLM.

1. Scope the risk scenario: Clearly define the risk scenario you want to analyze, including the assets involved, potential threats, and the context.
2. Identify relevant factors: Break down the scenario into its FAIR components. Identify the relevant threats, the vulnerabilities of the assets involved, and the potential impacts (both primary and secondary).
3. Collect data: Gather historical incident data, industry benchmarks, expert opinions, and any other relevant information for the risk scenario.
4. Analyze data: For LEF, combine your data on Threat Event Frequency and Vulnerability to estimate the number of times a loss event is likely to occurFor PLM, estimate the range of potential losses, considering both primary and secondary impacts.
5. Quantify risk: Use the collected data and analyses to estimate the risk in financial terms. FAIR typically expresses risk as a range to account for the inherent uncertainty of risk analysis. This involves calculating the probable range of Loss Event Frequencies and the Probable Loss Magnitudes to derive an overall risk figure.

Suppose an organization is concerned about the risk of phishing attacks. The specific risk scenario they define is a data breach caused by an employee inadvertently sharing sensitive information due to a phishing attack.

1. Estimate TEF: The organization analyzes past incidents and industry benchmarks to determine that employees receive an average of 5 sophisticated phishing attempts each year.
2. Assess vulnerability: Based on security awareness training and email filtering, the organization estimates that there's a 10% chance an employee will fall for a phishing attempt.
3. Calculate LEF: LEF = 5 (TEF) × 0.1 (Vuln) = 0.5 events per year. So on average, a successful phishing attack leading to a data breach could occur once every two years.
4. Estimate Probably Loss Magnitude (PLM): Based on past incidents and industry benchmarks, direct costs could range from $50,000 - $200,000 per breach and indirect costs are estimated between $100,000 - $500,000. Combining direct and indirect costs, the total loss magnitude could range from $150,000 to $700,000 per breach.
5. Aggregate risk estimates: Given the LEF of 0.5 and the PLM range, the organization can expect an average annual loss (ALE) of $75,000-$350,000 due to phishing-induced data breaches.

3. The Common Vulnerability Scoring System (CVSS)

The CVSS provides a framework for classifying the severity of software vulnerabilities, assessing issues like exploitability and impact to assign a score from 0 to 10.

CVSS scores are calculated using several metrics, which are grouped into three main categories:

1. Base metrics: These represent the intrinsic qualities of a vulnerability that are consistent over time and across user environments. This includes:

• Attack Vector: How the vulnerability is exploited (e.g., local access, adjacent network, network).
• Attack Complexity: The complexity of the attack required to exploit the vulnerability.
• Privileges Required: The level of access privileges an attacker must possess before successfully exploiting the vulnerability.
• User Interaction: Whether the vulnerability exploitation requires any action by a user.
• Scope: Whether the vulnerability affects components beyond its security scope.
• Impact Metrics: The impact of the vulnerability exploitation on data confidentiality, integrity, and availability.

2. Temporal metrics: These represent aspects of a vulnerability that may change over time but not across user environments. This includes:

• Exploit Code Maturity: The availability of exploit code or techniques.
• Remediation Level: The level of an available fix.
• Report Confidence: The degree of confidence in the vulnerability report.

3. Environmental metrics: These metrics account for the specific impact of the vulnerability on an organization, considering factors like:

• Security Requirements: The importance of confidentiality, integrity, and availability to the affected system.
• Modified Base Metrics: Adjustments to the Base Metrics to account for mitigations that reduce exploitability or impact within the user's environment.

Example: How to use CVSS to calculate risk

1. Base score calculation: Start with the Base Metrics to calculate a Base Score between 0 and 10.
2. Temporal score calculation: Adjust the Base Score based on Temporal Metrics, if relevant data is available. This may increase or decrease the score based on factors like exploit code maturity and remediation level.
3. Environmental score calculation: Make additional score adjustments based on Environmental Metrics to tailor the score to the specific context of an organization. This takes into account how critical the affected system is and any security controls in place that may mitigate the impact.

NIST provides a CVSS calculator that automates this process. You input the values for each metric and the calculator produces the Base, Temporal, and Environmental scores.

As an example, suppose a security team discovers a vulnerability in one of their web applications. This vulnerability allows an attacker to execute arbitrary code on the server where the application is hosted, potentially leading to data theft, data corruption, or unauthorized access to sensitive systems.

The team assesses the vulnerability using these CVSS metrics and determines:

• Attack vector: The vulnerability is exploitable remotely over the network.
• Attack complexity: The attack is of low complexity; no specialized access or conditions are required.
• Privileges required: The attacker doesn't need special access privileges.
• User interaction: No user interaction is needed for exploitation.
• Scope: The vulnerability does not impact other resources beyond the vulnerable component.
• Impact: The vulnerability has a high impact on the confidentiality, integrity, and availability of the system.

Based on these assessments, the CVSS calculator assigns the following scores:

• Base Score: 9.8 (Critical)
• Temporal Score: 8.8
• Environmental Score: 7.5

With a Critical base score, this high-risk vulnerability is prioritized for immediate remediation, and the company allocates resources for an urgent patch or workaround. The CVSS score is also documented for compliance purposes and used in risk reporting to management and other stakeholders.

4. Attack tree analysis

This method involves creating a graphical model of potential attack paths that might be used to compromise a system. It helps risk team members visualize the different ways a system could be attacked through a tree-like diagram, with the primary goal or attack as the trunk and the different methods to achieve that goal as branches.

• Root node: Represents the main objective of the attack or the primary threat being assessed.
• Intermediate nodes: Represent the sub-goals or intermediate steps that an attacker might take to achieve the main objective. These can branch out further into more detailed steps.
• Leaf nodes: These are the end points of the tree, representing specific attack techniques or actions that can be taken to achieve the sub-goals above them.

Example: How to use attack tree analysis to calculate risk

1. Define the main goal: Start with the primary security threat or goal of the potential attacker as the root of the tree.
2. Identify sub-goals: Break down the main goal into intermediate objectives or steps that an attacker would need to achieve to reach the main goal. These become the branches stemming from the root.
3. Detail attack methods: For each intermediate step, identify the specific attack methods or actions an attacker might use. These become the leaf nodes of the tree.
4. Assign values: Assign values to each leaf node to represent the cost, difficulty, or likelihood of that attack method.
5. Calculate risk: Aggregate the values from the leaf nodes up through the tree to determine the overall risk associated with the main goal.
6. Analyze and prioritize: Use the completed attack tree to identify which attack vectors are most likely or would have the highest impact, and prioritize security measures to mitigate those risks.

While attack trees provide a structured way to visualize and analyze potential attack vectors, quantifying risk through attack trees can be as straightforward as identifying the path of least resistance (lowest cost or highest likelihood for the attacker) or as complex as applying probabilistic models to each node to estimate overall risk.

As an example, consider an organization assessing the risk of unauthorized access to its systems. The root goal is "Gain unauthorized access to the internal network."

Branch nodes might include "Exploit software vulnerability," "Social engineering attack to gain credentials," and "Gain physical access to the network."

Leaf nodes under "Exploit software vulnerability" might include specific vulnerabilities in software the company uses, each with a numerical value representing the difficulty of exploitation.

By assessing each path's likelihood and potential impact, the organization can prioritize which vulnerabilities to patch first, adjust employee cybersecurity training, or decide which physical security measures to enhance.

5. Bayesian Networks

Bayesian networks are a probabilistic graphical model that can be used to predict the likelihood of specific cybersecurity events based on various risk factors. Bayesian networks are based on:

• Nodes: These represent variables such as system vulnerabilities, threat occurrences, or security controls.
• Edges: Directed edges (arrows) connect nodes to represent the relationships between variables. The direction of the arrow indicates the direction of influence.
• Probability tables: Each node is associated with a probability table that quantifies the likelihood of the node's outcomes.

Example: How to use Bayesian Networks to calculate risk

1. Define the problem and variables: Start by clearly defining the risk scenario you are analyzing. Identify all relevant variables that could influence the outcome, including threats, vulnerabilities, controls, impacts, and any other relevant factors.
2. Structure the Bayesian network: Arrange the variables as nodes and use arrows to represent the relationships between them
3. Assign probabilities: For each node, create a conditional probability table that quantifies the likelihood of each possible outcome.
4. Perform inference: Once the network is built and probabilities are assigned, use a Bayesian inference calculator to determine the probabilities across the network based on known states of certain nodes (e.g., if a specific vulnerability is present or a security control is in place).
5. Analyze: These updated probabilities can help you assess the likelihood of different risk scenarios and evaluate the effectiveness of various mitigation strategies. By observing the effects of changing certain variables (e.g., adding security controls), you can make informed decisions about how to effectively manage and mitigate risks.

As an example, imagine a company assessing the risk of a data breach. The Bayesian network might include nodes for factors like "Firewall Integrity," "Employee Security Training," "Phishing Attack Likelihood," "Data Encryption," and "Breach Impact." Edges would represent the influence of these factors on one another, and probability tables would quantify these relationships.

Bayesian networks can also be updated with new information to keep the model relevant. If the company observes evidence of a phishing attack, they can update the network to recalculate probabilities. This updated probability can help the company decide whether their current security measures are adequate or if additional actions, like improving employee training or enhancing encryption protocols, are necessary to mitigate risk.

6. ISACA risk formula

The Information Systems Audit and Control Association (ISACA) defines a risk formula as a part of its Risk IT framework.

• Threat frequency: How often a specific threat is expected to occur within a given time frame. This could be an estimate based on past incidents, industry benchmarks, or threat intelligence reports.
• Vulnerability: The likelihood that a vulnerability will be exploited, based on existing security controls.
• Asset value: The importance or value of the assets that could be affected by the threat. This can include tangible assets like hardware and intangible assets like data and reputation. The value can be assessed in terms of replacement costs, impact on operations, or even legal and regulatory implications.

Example: How to use the ISACA risk formula to calculate risk

1. Identify assets: List all assets that are vital to your organization's operations.
2. Assess asset value: Define the value of each asset. This can involve financial assessments, impact of loss on operations or reputation, and legal or regulatory consequences.
3. Identify threats: For each asset, identify potential threats that could cause harm or loss. This could range from cyber attacks to natural disasters, depending on the nature of the asset.
4. Evaluate threat frequency: Estimate how often each identified threat could occur. This might be based on historical data, industry reports, or expert judgments.
5. Assess vulnerabilities: Evaluate how vulnerable each asset is to the identified threats. Consider existing security measures and their effectiveness in mitigating these threats.
6. Calculate risk: For each threat to each asset, multiply the threat frequency by the vulnerability and the asset value to get the risk value.

For example, say an organization has identified phishing attacks as a significant threat to its information security. The risk analysis team needs to assess the potential impact of phishing attacks and quantify the risk so they can prioritize mitigation efforts.

• Threat frequency: Based on industry reports and historical data, the team estimates that employees will face an average of 50 phishing attempts per year.
• Vulnerability: Given current email filters and employee security awareness training, the team estimates there's a 5% chance that any given phishing attempt will succeed.
• Asset value: The data accessible through employees' email accounts is highly valuable, containing proprietary information and personal data of clients. The team estimates the value of these assets at $2,000,000.

Using the ISACA formula, they calculate:

50 (Threat Frequency) × 0.05 (Vulnerability) × $2,000,000 (Asset Value) = $5,000,000 (Risk)

Based on this risk calculation, the organization decides to conduct employee security awareness training biannually instead of annually to reduce the vulnerability and potential impact.

7. Secureframe Comply AI for Risk

Instead of manually calculating risk using these various formulas, risk teams can also leverage tools to eliminate the heavy lifting and potential for human error. Secureframe’s security and compliance platform automates the risk assessment process and produces an inherent risk score, suggested treatment, and a residual risk score. 

Comply AI for risk leverages artificial intelligence to assess risk within your specific environment. Fill in a risk description and owner, or import a risk description from the Secureframe Risk Library, then use Comply AI to calculate inherent risk scores, suggested treatment, and residual risk scores. 

Once you’ve calculated risk scores, you can use dashboards to view and track your organization’s risk. Visualize your risk data as heat maps, summary tables, trend charts, and more, to monitor the overall health of your risk management program and easily report to executives, auditors, and other stakeholders.