Cybersecurity Risk Calculator v7

Layer 1 · Formula 1

CVE-Based Risk Calculator v7

R_CVE = [ w1(F×T×M) + w2(IRM_term) + w3(C_{norm_v7}) + w4(E) + w5(E_a) + w6(R_data) ] × S
C_{norm_v7} = [20×(C_raw/C_max)] × √(Unpatched/Total) · R_data = 20×(Unpatched/Total)×(MTTR_org/MTTR_bench) · IRM_term = (6−IRM)/5×20

Judgment-Derived Inputs

Framework Age (years) Years since last major framework revision

Audit Age (years) Years since last comprehensive security audit · F = 0.3×(Framework+Audit age)

Third-Party Security Services T = 1 − (presence × 0.2)

Management Capability 0=Expert · 1=Adequate · 2=Limited · 3=None

Years Since Last Training M = Capability + (0.5 × years)

IR Maturity (IRM) 1–5 1=No plan · 2=Informal · 3=Defined (annual tabletop, basic playbooks) · 4=Managed · 5=Optimized · IRM_term = (6−IRM)/5×20

Exploitation Factor (E) · DC-5 From threat intelligence and CISA KEV catalog

Sector Adjustment (S) 1.0=Low · 1.2=Medium · 1.4=Finance/Tech/Telecom · 1.5=Healthcare/Gov/Energy

Instrument-Derived Inputs · DC-1 DC-2 DC-5

C_raw — Cumulative CVE Relevance ∑(CVSS Exploit × Impact × CVE Weight) · Weight: 1.0=Moderate, 1.1=High, 1.2=Critical

C_max — Theoretical Maximum Highest possible C_raw for your inventory (e.g. 10×10×1.2 × critical CVE count)

Unpatched Hosts for this CVE DC-1: hosts currently unpatched for this specific CVE

Total Managed Hosts DC-1: total host count in scope · Host_Exposure_Factor = √(Unpatched/Total)

Org MTTR (days) DC-2: mean time to remediate, rolling 90-day window

Industry MTTR Benchmark (days) DC-2: sector average · Qualys TruRisk 2023: 30 days · R_data = 20×(Unpatched/Total)×(MTTR_org/MTTR_bench)

Observed TTE (days) DC-5: days from CVE disclosure to first observed exploitation

Average TTE (days) DC-5: industry baseline · E_a = min(20, Avg_TTE/Obs_TTE × 1.5)

Term Weights — w1 through w6 must sum to 1.0 Sum: 1.00

w1 — Management cluster (F×T×M) Default: 0.15

w2 — IR Maturity (IRM_term) Default: 0.10 (raised from v4's 0.05)

w3 — CVE severity (C_{norm_v7}) Default: 0.30 (reduced from v4's 0.35)

w4 — Active exploitation (E) Default: 0.20

w5 — Exploit acceleration (E_a) Default: 0.10

w6 — ECR exposure (R_data) Default: 0.15

⚠ Weights do not sum to 1.0 — score will reflect actual sum

Layer 2 & 3 — P(breach) and Expected Loss (optional)

Asset Value ($) Dollar value of affected assets

Exposure Window (years) Time horizon — typically 1.0 for annual EL

— —

Component Breakdown

Layer 1 · Formula 2

Non-CVE Infrastructure Risk Calculator v7

R_Non-CVE = [ ln(1 + A×C×D) + I + F_{c_weighted} ] × S
F_{c_weighted} = [∑(Fail_i×C_i) / ∑C_i] / Benchmark × 2.0 · ln() prevents saturation at extreme A×C×D values

System Characteristics · DC-4

Years Since Last Major Upgrade Architectural revision, OS replacement, or vendor-supported migration — not a routine patch · A = 1.2 × years

Criticality (C) 1–5 1=Non-essential · 3=Important, workarounds exist · 5=Mission-critical, halts operations

Dependency (D) 1–5 1=Isolated · 3=Several systems depend on it · 5=Foundational, cascading failure

Compensating Controls Present? Segmentation, access controls, redundancy, anomaly monitoring · I = 2.0 × (1 − presence)

Sector Adjustment (S) 1.0=Low · 1.2=Medium · 1.4=Finance/Tech/Telecom · 1.5=Healthcare/Gov/Energy

Control Failure Factor (F_{c_weighted}) · DC-3 — Asset Groups

v7 weights failures by the criticality of affected systems. Add up to 3 asset groups. Each group needs a failure rate (%) and criticality score. Industry benchmark is the sector-average failure rate.

Group Name (optional)

Failure Rate (%)

Criticality (1–5)

Industry Benchmark Failure Rate (%) Sector-average control failure rate for comparison (Control Weight: 2.0)

Layer 2 & 3 — P(breach) and Expected Loss (optional)

Asset Value ($) Dollar value of the infrastructure system

Exposure Window (years) Time horizon — typically 1.0 for annual EL

— —

Component Breakdown

Reference

CVE-Based Risk Score Tiers

Score	Risk Level	Description	Recommended Action
0 – 10	Minimal	Negligible exposure; current practices effective	Continue monitoring; no immediate action
11 – 25	Low	Low-level vulnerabilities; limited impact potential	Regular monitoring; optimize existing controls
26 – 40	Moderate	Moderate vulnerabilities; early action prevents escalation	Schedule remediation; proactive mitigation
41 – 60	Elevated	Significant vulnerabilities requiring prompt attention	Address within sprint cycle; focused action
61 – 75	High	High-priority with active exploitation potential	Immediate remediation; patch within 72 hours
76 – 100	Severe	Critical with confirmed exploitation vectors	Comprehensive response; executive notification
100+	Grave	Extreme exposure with active exploitation	Emergency response; escalate immediately

Reference

Non-CVE Infrastructure Risk Score Tiers

v7 uses ln(1 + A×C×D) compression — scores are significantly lower than prior versions.

Score	Risk Level	Description	Recommended Action
0 – 2	Minimal	Low infrastructure risk; no significant issues	Continue monitoring
2 – 5	Moderate	Minor issues or isolated outdated systems	Plan minor upgrades; monitor trends
5 – 8	Elevated	Outdated systems or control weaknesses present	Proactive upgrades; prioritize key systems
8 – 12	High	Significant infrastructure vulnerabilities	Immediate improvement plan; resource allocation
12 – 18	Severe	Severe issues; high operational and security risk	Comprehensive overhaul; executive visibility
18+	Grave	Critical dependencies or failing controls; continuity at risk	Emergency action; complete remediation program

Exploitation Factor (E) Scale

DC-5: threat intelligence and CISA KEV catalog

0	None — no evidence of exploitation
5	Targeted — isolated cases
10	Moderate — limited regional or industry
15	Widespread — global, multi-industry
20	Critical — pervasive, automated, ransomware

Layer 2 · P(breach) Lookup

Interim values — calibrate with org incident data (20+ events)

0–10	P(breach) ≈ 0.02–0.04 (Minimal)
11–25	P(breach) ≈ 0.04–0.09 (Low)
26–40	P(breach) ≈ 0.09–0.15 (Moderate)
41–60	P(breach) ≈ 0.15–0.27 (Elevated)
61–75	P(breach) ≈ 0.27–0.45 (High)
76–100	P(breach) ≈ 0.45–0.65 (Severe)
100+	P(breach) ≈ 0.65–0.85 (Grave)

Sector-Specific Adjustment (S) Weights

Applied to both CVE and Non-CVE formulas

Weight	Risk Level	Sectors
1.0	Low	Agriculture, Education, Non-digital Retail
1.2	Medium	Legal, Real Estate, Construction, Utilities, Nonprofit
1.4	High	Finance, Technology, Telecommunications
1.5	Critical	Healthcare, Government, Energy

About this framework — Version 7.0

This calculator implements Version 7 of the quantitative risk framework developed by Aubrey Perin in A Quantitative Framework for Holistic Cybersecurity Risk Evaluation Using Actuarial Principles. Version 7 introduces a vendor-neutral Data Integration Layer (Layer 0), replaces analyst-rated R with the Exposure Coverage Ratio (ECR), upgrades the Non-CVE Control Failure Factor to a criticality-weighted formulation, scales C_norm by deployment breadth (unpatched host ratio), and adds Layers 2–3 P(breach) and Expected Loss outputs.

The canonical proof in Section 9 of the white paper re-evaluates CVE-2023-21716 end-to-end: the v3 score of 182.79 (Grave) becomes 8.46 (Minimal) under v7 — correctly reflecting that only 15% of the fleet was exposed and remediation lag was moderate. Full derivations, calibration guidance, limitations, and Python Monte Carlo reference implementation are in the white paper PDF. This framework underpins the ALE Standard in Ethical Business: Restoring Philosophical Integrity.