Calculate risk score from likelihood and impact ratings (1-5 scale). Visualize results in a risk matrix heatmap with severity levels.
Risk assessment is the foundation of security decision-making. The classic likelihood × impact model provides a simple but effective framework for evaluating and prioritizing threats. Each risk is rated on two dimensions: how likely it is to occur (1–5) and how severe the consequences would be (1–5). The product gives a risk score from 1 to 25.
This calculator computes the risk score and maps it to severity categories using industry-standard thresholds. It produces a visual risk matrix that shows where each risk falls in the heat map, making it easy to identify and communicate critical risks. Use it for security risk assessments, project risk management, compliance reporting, or any scenario where risks need to be evaluated systematically.
Structured risk assessment turns subjective security concerns into quantifiable, comparable scores. This enables evidence-based prioritization of security investments and helps communicate risk to non-technical stakeholders using a universally understood matrix format. Consistent measurement creates a reliable baseline for tracking system health over time and identifying degradation before it impacts users or triggers costly production outages.
Risk Score = Likelihood (1–5) × Impact (1–5). Low: 1–4, Medium: 5–9, High: 10–15, Critical: 16–25.
Result: Risk Score: 16 — Critical
A likelihood of 4 (Likely) and impact of 4 (Major) produces a risk score of 16, which falls in the Critical range. This risk requires immediate attention, dedicated mitigation resources, and executive visibility. Typical examples include unpatched internet-facing systems with known exploits.
The 5×5 risk matrix is the most widely used qualitative risk assessment method. It's adopted by ISO 27005, NIST 800-30, and most enterprise risk management frameworks. Its simplicity makes it accessible to all stakeholders while providing sufficient granularity for prioritization.
The quality of a risk assessment depends entirely on consistent, well-calibrated ratings. Establish clear definitions for each level of both likelihood and impact, using concrete examples relevant to your organization. Review and update these definitions annually.
Risk scores should drive specific actions: Critical (16–25) — immediate remediation required. High (10–15) — near-term remediation planned. Medium (5–9) — monitor and address in regular cycle. Low (1–4) — accept or address opportunistically.
The multiplicative model can produce the same score for very different risks (e.g., 2×5=10 vs 5×2=10). Consider both the individual ratings and the product when making decisions. A low-likelihood/catastrophic-impact risk may need different treatment than a high-likelihood/moderate-impact risk.
Inherent risk is the risk level before any controls are applied. Residual risk is what remains after mitigations are in place. Both should be assessed: inherent risk shows the potential without controls, while residual risk shows the current actual exposure.
Use a standardized scale: 1=Rare (< 5% chance/year), 2=Unlikely (5–20%), 3=Possible (20–50%), 4=Likely (50–80%), 5=Almost Certain (> 80%). Calibrate against actual incident data when available.
Define impact in terms relevant to your organization: 1=Insignificant (< $10K loss), 2=Minor ($10K–$100K), 3=Moderate ($100K–$1M), 4=Major ($1M–$10M), 5=Catastrophic (> $10M or existential). Customize dollar values to your organization's scale.
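The calibrated likelihood and impact scales just given, the inherent-versus-residual comparison, and the tie-breaking concern raised for equal products (2×5 versus 5×2), as one added Python example (not code from the calculator). Where the page's bands share a boundary value (5%, 20%, 50%, $10K, $100K, $1M), this code assigns the boundary to the higher band, which is an assumption the page does not state; 80% and $10M stay in band 4 because band 5 is written as strictly greater. The sample register is constructed.

```python
"""Calibrating 1-5 ratings from annual probability and expected loss, then comparing
inherent and residual risk and prioritising with an impact-first tie-break (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT_LABELS = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}


def rate_likelihood(annual_probability: float) -> int:
    """Page scale: <5% -> 1, 5-20% -> 2, 20-50% -> 3, 50-80% -> 4, >80% -> 5.
    Shared boundaries (5%, 20%, 50%) go to the higher band: an assumption, not page text."""
    p = annual_probability
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"annual probability must be between 0 and 1, got {p}")
    if p < 0.05:
        return 1
    if p < 0.20:
        return 2
    if p < 0.50:
        return 3
    if p <= 0.80:
        return 4
    return 5


def rate_impact(expected_loss_usd: float, existential: bool = False) -> int:
    """Page scale: <$10K -> 1, $10K-$100K -> 2, $100K-$1M -> 3, $1M-$10M -> 4,
    >$10M or existential -> 5. Same boundary convention as rate_likelihood."""
    if existential:
        return 5
    loss = expected_loss_usd
    if loss < 0:
        raise ValueError("expected loss cannot be negative")
    if loss < 10_000:
        return 1
    if loss < 100_000:
        return 2
    if loss < 1_000_000:
        return 3
    if loss <= 10_000_000:
        return 4
    return 5


@dataclass
class Risk:
    """One register entry. Residual fields default to the inherent values when no
    control changes that dimension (None means 'unchanged by controls')."""
    name: str
    inherent_probability: float
    inherent_loss_usd: float
    residual_probability: Optional[float] = None
    residual_loss_usd: Optional[float] = None
    existential: bool = False

    def inherent(self) -> Tuple[int, int, int]:
        l = rate_likelihood(self.inherent_probability)
        i = rate_impact(self.inherent_loss_usd, self.existential)
        return l, i, l * i

    def residual(self) -> Tuple[int, int, int]:
        p = self.inherent_probability if self.residual_probability is None else self.residual_probability
        loss = self.inherent_loss_usd if self.residual_loss_usd is None else self.residual_loss_usd
        l = rate_likelihood(p)
        i = rate_impact(loss, self.existential)
        return l, i, l * i


def reduction(risk: Risk) -> int:
    """How many points of score the controls in place remove."""
    return risk.inherent()[2] - risk.residual()[2]


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Order by residual score; equal products are broken by impact, then likelihood,
    so a 2x5 risk ranks above a 5x2 risk (the page's low-likelihood/catastrophic case)."""
    def key(r: Risk) -> Tuple[int, int, int]:
        l, i, score = r.residual()
        return (score, i, l)
    return sorted(risks, key=key, reverse=True)


# Constructed sample register (values are illustrative, not from the page).
REGISTER: List[Risk] = [
    Risk("Unpatched internet-facing server", 0.70, 3_000_000, residual_probability=0.15),
    Risk("Ransomware on file shares", 0.30, 12_000_000, residual_loss_usd=500_000),
    Risk("Lost unencrypted laptop", 0.90, 50_000),
    Risk("Insider exfiltration of customer data", 0.10, 20_000_000),
    Risk("Regional cloud outage", 0.10, 2_000_000, residual_probability=0.04),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        il, ii, isc = r.inherent()
        rl, ri, rsc = r.residual()
        print(f"{r.name:<40} inherent {il}x{ii}={isc:>2}  residual {rl}x{ri}={rsc:>2}"
              f"  ({LIKELIHOOD_LABELS[rl]}/{IMPACT_LABELS[ri]}, -{reduction(r)})")
```

In the sample, the laptop risk (5×2) and the insider risk (2×5) both score 10; `prioritize` lists the insider risk first because its impact rating is higher, which is the distinction the multiplicative score alone hides.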
A 5×5 matrix provides more granularity, which is useful when you have many risks to differentiate. A 3×3 matrix (rating each dimension Low/Medium/High) is simpler and sufficient when fewer risks are being assessed or when rapid triage is needed.
Start with qualitative (likelihood × impact matrix) for initial triage and prioritization. Use quantitative methods (annualized loss expectancy, Monte Carlo simulation) for the highest-priority risks where precise dollar estimates justify the additional effort.
Focus on the top 20–50 risks for a meaningful assessment. Trying to assess hundreds of risks leads to assessment fatigue and inconsistent ratings. Consolidate related risks and focus on those most relevant to your organization's threat landscape.