Cybersecurity Risk Calculator: How Does It Work?
The Cybersecurity Risk Calculator maps the security posture of your organization and calculates a risk score from 0 to 100. In five steps, you analyze your technical and organizational controls, compliance status, and incident history. On this page, we explain how the calculator works, the methodology used, and what you can expect from the results.
What is the Cybersecurity Risk Calculator?
The Cybersecurity Risk Calculator is an interactive tool that calculates the risk profile of your organization based on five categories. Whether you are an SMB owner who wants to know where the biggest vulnerabilities lie, or an IT manager looking to guide security investments: the calculator provides you with an objective, data-driven assessment.
The tool asks targeted questions about your sector, the size of your organization, the type of data you process, your technical and organizational security controls, your compliance status, and your incident history. Based on your answers, a weighted risk score is calculated from 0 (lowest risk) to 100 (highest risk), with a clear color coding:
- 0-30 (green): Low risk — strong security posture with few areas of concern.
- 31-60 (orange): Medium risk — there are areas for improvement that deserve attention.
- 61-100 (red): High risk — there are significant vulnerabilities that require immediate action.
All calculations run entirely in your browser. No data is sent to a server, so you can use the calculator safely without concerns about confidentiality.
Methodology
The Risk Calculator uses a weighted scoring model derived from two internationally recognized frameworks: the NIST Cybersecurity Framework (CSF) and the ISO 27001 standard for information security. These frameworks represent the gold standard for risk assessment in cybersecurity.
The model evaluates five domains that together provide a complete picture of your security posture:
- Organization profile — your sector, size, and data types determine the inherent risk your organization faces. A healthcare institution that processes medical records, for example, has a fundamentally different risk profile than a retail company.
- Technical controls — the defense-in-depth layers you have implemented, from firewalls and endpoint detection to encryption and backups.
- Organizational controls — the human and process side of security, including security awareness, incident response planning, and vendor management policies.
- Compliance — certifications and formal registrations that demonstrate a structured security policy.
- Incident history — previous security incidents and recovery times, which reveal patterns in vulnerability.
Each domain receives its own weight in the total score. Technical and organizational controls carry the most weight, as they have the most direct impact on your actual security posture. The organization profile determines the context within which the other scores are interpreted — a high score on technical controls carries more weight if your organization operates in a sector with high inherent risk.
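As an added illustration of how a weighted five-domain model of this kind can be put together (this is example code, not the calculator's own implementation, whose exact weights are not published), the JavaScript below scores four control domains, derives an inherent-risk factor from the organization profile and uses it as the context multiplier described above. The domain weights, sector baselines, the 0.8 to 1.2 multiplier range, the answer-to-risk mapping and the conservative value for "unknown" answers (matching the FAQ's note that unknowns make the score more cautious) are all assumptions; only the five domains and the 0-30 / 31-60 / 61-100 colour bands come from this page.

```javascript
// Added example, not the calculator's own code. All numeric weights below are
// assumed for illustration; the page publishes the domains and bands only.

// Answers are framed so that "yes" is the favourable state (control present,
// or no incident occurred). Risk fraction: 0 = no risk contribution, 1 = maximum.
// "unknown" is scored conservatively on purpose (assumption).
const ANSWER_RISK = { yes: 0, partial: 0.5, no: 1, unknown: 0.75 };

// Assumed relative weights of the four control domains (they sum to 1).
// Technical and organizational controls carry the most weight, as the page states.
const DOMAIN_WEIGHTS = { technical: 0.35, organizational: 0.30, compliance: 0.15, incidents: 0.20 };

// Assumed inherent-risk baseline per sector; each sensitive data type adds 0.1.
const SECTOR_BASE = { healthcare: 0.8, finance: 0.8, government: 0.6, technology: 0.5, retail: 0.4, other: 0.4 };
const SENSITIVE_DATA = new Set(["personal", "financial", "medical", "ip"]);

// Average risk fraction of the answers in one domain, in [0, 1].
function domainRisk(answers) {
  const keys = Object.keys(answers);
  if (keys.length === 0) return 1; // nothing recorded at all: assume worst case
  let total = 0;
  for (const k of keys) {
    const a = answers[k];
    if (!(a in ANSWER_RISK)) throw new Error(`unsupported answer "${a}" for ${k}`);
    total += ANSWER_RISK[a];
  }
  return total / keys.length;
}

// Inherent risk of the organization profile, in [0, 1].
function inherentRisk(profile) {
  const base = SECTOR_BASE[profile.sector];
  if (base === undefined) throw new Error(`unknown sector "${profile.sector}"`);
  const bump = profile.dataTypes.filter((d) => SENSITIVE_DATA.has(d)).length * 0.1;
  return Math.min(1, base + bump);
}

// Colour bands exactly as the page defines them.
function riskBand(score) {
  if (score <= 30) return "green";
  if (score <= 60) return "orange";
  return "red";
}

// Weighted control risk, scaled by the profile context and clamped to 0-100.
function calculateRisk(assessment) {
  const categoryScores = {};
  let weighted = 0;
  for (const [domain, weight] of Object.entries(DOMAIN_WEIGHTS)) {
    const r = domainRisk(assessment[domain] || {});
    categoryScores[domain] = Math.round(r * 100); // per-domain value for the radar chart
    weighted += weight * r;
  }
  const inherent = inherentRisk(assessment.profile);
  categoryScores.profile = Math.round(inherent * 100);
  // Context multiplier in [0.8, 1.2]: the same control gaps score higher in a
  // sector with high inherent risk (assumed form of the "context" the page describes).
  const multiplier = 0.8 + 0.4 * inherent;
  const score = Math.max(0, Math.min(100, Math.round(100 * weighted * multiplier)));
  return { score, band: riskBand(score), categoryScores };
}

// Constructed sample assessment for a technology company with some gaps.
const SAMPLE_ASSESSMENT = {
  profile: { sector: "technology", dataTypes: ["ip"] },
  technical: { firewall: "yes", edr: "yes", mfa: "no", encryption: "partial", backup321: "yes", patching: "unknown" },
  organizational: { awarenessTraining: "partial", incidentResponsePlan: "no", securityOfficer: "yes", vendorPolicy: "unknown" },
  compliance: { iso27001: "no", gdprRegister: "yes", dpia: "partial" },
  incidents: { noRansomware: "yes", noDataBreach: "no" },
};

console.log(JSON.stringify(calculateRisk(SAMPLE_ASSESSMENT)));
```

Running the block prints the sample result: a score of 49 (orange), with the technical domain at 38, organizational at 56, compliance and incidents at 50 and the profile's inherent risk at 60, which is the kind of per-category breakdown the radar chart is meant to expose.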
Step-by-step guide
Organization Profile
In the first step, we determine the inherent risk profile of your organization. You select your sector (healthcare, finance, government, retail, technology, or other), your organization size (1-10, 10-50, 50-250, or 250+ employees), and the type of data you process (personal data, financial data, medical records, intellectual property).
Why is this important? Risk profiles differ significantly by sector and data type. A healthcare organization that manages medical records faces strict regulations and is an attractive target for ransomware. A technology company with significant intellectual property is exposed to different threats, such as corporate espionage. By understanding your context, the calculator can place your score in the right perspective.
Technical Controls
The second step inventories your technical defense layers. We ask about the presence and configuration of: firewall (network and/or application level), EDR/antivirus (endpoint detection and response), multi-factor authentication (MFA), encryption (data-at-rest and in-transit), backup strategy (3-2-1 method: 3 copies, 2 media, 1 offsite), and patch management policy (how quickly updates are deployed).
These controls together form your defense-in-depth: multiple security layers that ensure the failure of a single control does not lead to a complete compromise. The absence of MFA, for example, is one of the most common causes of successful attacks, while a good backup strategy can make the difference between hours and weeks of recovery after a ransomware attack.
Organizational Controls
Technology alone is not enough. The third step assesses the human and process side of your security: security awareness training (are employees regularly trained?), incident response plan (is there a documented and tested plan?), CISO or security officer (is someone ultimately responsible?), and vendor management policy (are third parties assessed on security?).
Research consistently shows that the human factor plays the largest role in security incidents. More than 80% of data breaches begin with social engineering or human error. An organization with excellent technology but without security awareness training is more vulnerable than one with basic technology and well-trained employees. Moreover, a good incident response plan determines the difference between a controlled reaction and chaos when things go wrong.
Compliance
The fourth step inventories your formal certifications and compliance registrations: ISO 27001, NEN 7510 (specific to healthcare), SOC 2, GDPR processing register, and DPIAs (Data Protection Impact Assessments).
Certifications are not a guarantee of security, but they demonstrate that an organization is structurally and demonstrably engaged in information security. An ISO 27001 certification, for example, requires a complete Information Security Management System (ISMS) with continuous improvement. The absence of basic compliance registrations such as a GDPR processing register may indicate a broader gap in security maturity.
Incident History
The final step looks at your past: have you previously dealt with ransomware, phishing incidents, or a data breach? And how long was the recovery time?
Incident history is a strong predictor of future vulnerability. Organizations that have been successfully attacked before have an elevated risk of being targeted again — especially if the underlying causes have not been structurally addressed. Long recovery times indicate insufficient preparation and inadequate incident response capacity. Honest reporting pays off here, though: an organization that has been affected and learned from it can actually emerge stronger from the situation.
Interpreting Results
After completing all five steps, you receive a comprehensive results overview. This consists of multiple components that together provide a complete picture of your security posture:
- Total risk score (0-100) — your overall score with color coding (green, orange, or red). The lower the score, the better your security posture.
- Radar chart — a visual representation with five axes, one for each domain. This allows you to see at a glance where you score well and where the biggest gaps are.
- Category scores with progress bars — an individual score per domain, so you know exactly which areas need the most attention.
- Benchmark vs. sector — your score is compared with the average of organizations in the same sector and of comparable size. This tells you whether you score above or below the level of your peers.
- Top 3-5 recommendations — concrete, prioritized actions that have the greatest impact on your risk score. Each recommendation includes a brief explanation of why this control is important.
It is important not to view the score as an absolute number, but as a directional instrument. The real value lies in the relative scores per category and the specific recommendations. A score of 45 is not a disaster, but a clear signal that there are areas for improvement that deserve attention.
Free report by email
After completing the calculator, you can receive your results as a PDF report by email. This report includes:
- Your total risk score with visual explanation
- Scores per category with radar chart
- Sector benchmark
- Top recommendations with priority
The report is sent directly to your inbox and is ideal for sharing with your team, IT department, or management. Together you can determine which improvements should take priority. The report is clearly formatted and ready to use as a basis for internal discussions.
Premium Assessment
The Premium Assessment elevates the analysis to a professional level. Instead of 5 steps, you complete 7 comprehensive steps with granular questions that provide a much more detailed picture of your security posture.
Where the free calculator simply asks whether you use MFA, the premium assessment asks which type of MFA (SMS, authenticator app, hardware token), on which systems, and with what coverage percentage. For patching, it asks about the average patch frequency, the distinction between critical and non-critical updates, and whether there is a test environment. For network security, segmentation is assessed: are production, development, and office environments separated?
The premium assessment delivers a professional report of 15 to 30 pages specifically designed for decision-making at board level. This report includes:
- Sector-specific benchmarks — comparison with organizations in the same industry and of comparable size, based on current market data.
- Prioritized action plan — concrete measures ranked by impact and implementation effort, so you know where to start.
- Cost-benefit analysis per measure — for each recommended measure, an estimate of the investment versus the risk reduction it delivers.
- Boardroom-ready PDF — professionally designed with an executive summary, charts, and a clear structure that is ready to present to directors or the board.
Free vs. Premium
| Feature | Free | Premium |
|---|---|---|
| Number of steps | 5 | 7 |
| Risk score 0-100 | ✓ | ✓ |
| Radar chart | ✓ | ✓ |
| Category scores | ✓ | ✓ |
| Top recommendations | 3-5 basic | Fully prioritized action plan |
| Granular questions (MFA type, patch frequency, segmentation) | ✗ | ✓ |
| Sector-specific benchmarks | Basic | Detailed with market data |
| Cost-benefit analysis per measure | ✗ | ✓ |
| Report size | 2-3 pages | 15-30 pages |
| Boardroom-ready PDF | ✗ | ✓ |
Frequently Asked Questions
Is my data safe when using the Risk Calculator?
Yes. All calculations are performed entirely in your browser. No data is sent to our servers unless you choose to receive the report by email. In that case, only the results are temporarily processed to generate the report.
How is the risk score calculated?
The score is based on a weighted model across five domains: organization profile, technical controls, organizational controls, compliance, and incident history. The methodology is derived from the NIST Cybersecurity Framework and ISO 27001. Technical and organizational controls carry the most weight, while the organization profile determines the context for interpreting your score.
What if I don't know all the answers?
No problem. For most questions, you can choose 'Unknown' or a conservative option. The score will then be more cautious, which tends to overestimate the risk. This is a safe assumption: if you don't know whether a control is in place, it's wise to assume it is an area for improvement. Tip: involve your IT team or administrator when filling it in for the most accurate result.
What is the difference between the free calculator and the premium assessment?
The free calculator provides a high-level assessment in 5 steps with basic recommendations. The premium assessment (one-time €79) goes deeper with 7 steps, granular questions about specific configurations, sector-specific benchmarks, and a professional report of 15-30 pages. The premium report also includes a prioritized action plan with cost-benefit analysis per measure and is ready to present to directors.
How often should I run the risk check?
We recommend at least a quarterly assessment, or immediately after significant changes: a migration to the cloud, the introduction of a new system, an acquisition or merger, or after a security incident. The threat landscape is constantly evolving, and your security controls need to keep pace. By testing regularly, you maintain control over your risk profile.
What types of organizations is this suitable for?
The Risk Calculator is designed for organizations of any size and sector. The questions and weighting adapt based on your profile. SMBs use the tool to quickly gain insight into their security posture, while larger organizations use the results as a starting point for in-depth assessments or as a quick benchmark alongside their existing security program.
Can I share the report with my team or management?
Absolutely. The free report is sent as a PDF to your email and can be shared immediately. The premium report is specifically designed for presentation to directors and the board, with an executive summary, visual charts, and a clear action plan. Many customers use the premium report as justification for budget requests or as a starting point for a broader security improvement program.
Calculate your risk score in 5 steps and receive a free report by email with recommendations.
Start the free calculator
7 steps, granular analysis, sector-specific benchmarks, and a boardroom-ready report of 15-30 pages.
Start the premium assessment