Cybersecurity Risk Calculator

1) How often could this happen? i

Single event this year Advanced: Bernoulli

It either happens this year or it doesn’t. Enter a per-year chance.

Multiple hits this year Advanced: Poisson

May occur several times. Enter an expected count (λ) per year.

Chance this year

Accepts % or decimal. For multiple hits, enter expected count (e.g., 2.0).

Risk name

2) How big could it be? i

Default (90% bounds) Advanced: Lognormal

Provide Lower (5th) and Upper (95th). No mode needed.

Expert range (min • most-likely • max) Advanced: Beta-PERT

When an SME can give a most-likely estimate and bounds.

Quick rough (min • mode • max) Advanced: Triangular

Good for early ballparks you’ll refine later.

Lower (5th)

Mode / Most-likely

Upper (95th) / Max

3) Controls i

Reduce how often (%)

Reduce how bad (%)

Control cost ($/yr)

Helper: ways to think about bounds i

Downtime × revenue/hr + overtime + SLA penalties.
Records × cost/record (notifications, credits, legal).
Containment + recovery hours × loaded rates.
Ransom/negotiation ± business interruption.
Third-party outage: your portion of lost revenue + workarounds.

Tip: In “Default”, the two numbers are treated as the 5th and 95th percentiles (~90% of outcomes).

© 2025 Ask AppSec.