Critical Infrastructure Vulnerability Assessment Calculator
Quantifies the composite vulnerability risk score for critical infrastructure assets by combining threat likelihood, asset criticality, control effectiveness, and exposure factors using the NIST SP 800-30 and DHS CARVER-inspired methodology.
Probability that a threat actor will attempt to exploit a vulnerability (1 = very unlikely, 10 = near certain).
Importance of the asset to operations and public safety (e.g., power grid node = 9–10, auxiliary system = 1–3).
Inherent severity of the identified vulnerability (align with CVSS base score ÷ 10 × 10 for consistency).
Percentage effectiveness of existing security controls (physical, cyber, procedural) in reducing exploitation risk.
Degree to which the asset is exposed to potential threat actors (0 = isolated, 1 = fully accessible).
Estimated consequence magnitude if the vulnerability is successfully exploited (consider safety, economic, and societal impact).
Fill in all fields and click Calculate to see the Composite Vulnerability Risk Score.
Formula
Step 1 — Residual Threat Score:
Residual Threat = Threat Likelihood × Exposure Factor × (1 − Control Effectiveness / 100)
Captures how much of the raw threat remains after existing controls and exposure are factored in. Range: 0–10.
Step 2 — Normalised Inherent Risk:
Inherent Risk = (Vulnerability Severity × Asset Criticality × Impact Magnitude) / 100
Combines the three consequence-side dimensions. Dividing by 100 normalises the maximum (10 × 10 × 10 = 1000 → 10). Range: 0–10.
Step 3 — Composite Vulnerability Risk Score (CVRS):
CVRS = (Residual Threat × Inherent Risk) / 10
Multiplying the two normalised sub-scores (max product = 10 × 10 = 100) and dividing by 10 yields a final score on a 0–10 scale.
Risk Bands:
| CVRS Range | Rating |
|---|---|
| 8.00 – 10.00 | Critical |
| 6.00 – 7.99 | High |
| 4.00 – 5.99 | Medium |
| 2.00 – 3.99 | Low |
| 0.00 – 1.99 | Minimal |
Assumptions & References
- The formula is inspired by NIST SP 800-30 Rev. 1 (Guide for Conducting Risk Assessments) and the DHS CARVER+Shock methodology for critical infrastructure prioritisation.
- Threat Likelihood should be estimated using historical incident data, threat intelligence feeds (e.g., CISA advisories, ICS-CERT), or expert elicitation on a 1–10 ordinal scale.
- Asset Criticality reflects the asset's role in mission continuity; align with your organisation's Business Impact Analysis (BIA) or the NERC CIP asset classification for energy sector assets.
- Vulnerability Severity can be mapped directly from a CVSS v3.1 base score (0–10) for cyber vulnerabilities, or from a physical/procedural expert assessment for non-cyber vulnerabilities.
- Control Effectiveness should be derived from security control assessments (e.g., NIST SP 800-53A, IEC 62443 security level verification) and penetration test outcomes.
- Exposure Factor accounts for network connectivity, physical accessibility, and supply-chain exposure. An air-gapped OT system with no remote access scores near 0; an internet-facing SCADA HMI scores near 1.
- Impact Magnitude should consider cascading effects across interdependent systems (e.g., power outage affecting water treatment), economic loss, public safety consequences, and national security implications.
- All inputs are treated as point estimates. For formal risk assessments, consider Monte Carlo simulation over probability distributions for each parameter.
- This calculator does not replace a full risk assessment conducted by qualified security professionals and should be used as a screening and prioritisation tool only.
- References: NIST SP 800-30 Rev. 1 (2012); DHS CARVER+Shock Methodology; IEC 62443-3-2 (Security Risk Assessment for System Design); NERC CIP-014-3 (Physical Security).