What is the CIA triad in risk assessment?

The CIA triad represents three core security objectives: Confidentiality (preventing unauthorized disclosure), Integrity (preventing unauthorized modification), and Availability (ensuring authorized access). Risks that impact multiple CIA elements are typically more severe and warrant higher priority.

How do I determine likelihood?

Consider threat frequency from industry reports, your incident history, vulnerability exposure, and attacker motivation. For example, phishing attacks are 'Almost Certain' for most organizations, while sophisticated nation-state attacks may be 'Rare' for small businesses.

What's the difference between inherent and residual risk?

Inherent risk is the raw risk before any controls are applied. Residual risk is what remains after implementing security measures. Effective controls reduce likelihood, impact, or both. Your goal is to bring residual risk within acceptable tolerance levels.

How does this align with ISO 27001?

ISO 27001 requires organizations to identify risks, assess likelihood and impact, and implement appropriate controls. This calculator follows ISO 27001's risk assessment methodology while incorporating NIST CSF's structured approach to categorization.

When should I escalate a risk?

Critical risks (scores 20-25) typically require immediate executive attention and action. High risks (15-19) should be prioritized for near-term remediation. Medium risks (10-14) warrant documented treatment plans. Low and Minimal risks can be monitored or accepted with proper documentation.

Technology

Risk Severity Calculator

Assess and quantify cybersecurity risks using industry-standard methodologies. Calculate inherent risk scores based on likelihood and impact, apply CIA triad modifiers, and determine residual risk after controls.

Likelihood

Impact

CIA Triad Impact

Confidentiality Impact

Integrity Impact

Availability Impact

Asset Value

Existing Controls

Made with love

Support

Related Calculators

You might also find these calculators useful

CVSS Score Calculator

Calculate CVSS v3.1 vulnerability severity scores

Data Breach Cost Calculator

Estimate the financial impact of a data breach

Phishing Risk Calculator

Assess organizational phishing vulnerability and risk

Binary Calculator

Convert between binary, decimal, hex & octal

Quantify Your Cybersecurity Risks

Risk severity assessment is fundamental to cybersecurity management. This calculator implements ISO 27001 and NIST Cybersecurity Framework methodologies to help you quantify risks using a standard 5×5 matrix approach, applying CIA triad considerations and existing control effectiveness.

Why Calculate Risk Severity?

Prioritize Security Investments

Quantified risk scores help you allocate limited security budgets to the highest-impact threats.

Demonstrate Due Diligence

Documented risk assessments show auditors and regulators that you follow structured risk management practices.

Enable Risk-Based Decisions

Transform subjective security concerns into objective scores that executives can compare and act upon.

Track Risk Reduction

Measure how security controls reduce residual risk over time and justify continued investment.

How to Calculate Risk Severity

Frequently Asked Questions

A 5×5 risk matrix plots likelihood (1-5) against impact (1-5) to create 25 possible risk positions. The resulting score (1-25) is typically grouped into risk levels: Minimal (1-4), Low (5-9), Medium (10-14), High (15-19), and Critical (20-25). This standardized approach enables consistent risk communication across organizations.