NIST Risk Calculator
A simple NIST-style risk calculator for reducing ambiguity and level noise in risk discussions by making likelihood and impact explicit and easy to share.
Nicholas Molina
January 2, 2026
When we describe a risk as high or low, it sounds precise, even settled. But those words often do more to signal agreement than to create it. What looks like alignment on the surface can mask very different assumptions about risk underneath.
In Noise by Daniel Kahneman, this problem is described as level noise: different people apply different internal rating scales. It’s why one person’s five-star rating means exceptional while another’s means acceptable. In risk and security work, level noise is pervasive. Two practitioners—let alone stakeholders—can evaluate the same scenario and reach different conclusions without realizing they are using different scales.
To address this, and to make the NIST SP 800-30 R1 risk framework easier to use day to day, I built a small NIST-style risk calculator. Its purpose is to reduce noise and make risk conversations more concrete, repeatable, and easy to share.
Why this exists
NIST SP 800-30 provides an excellent framework for thinking about risk. At its core, it’s simple: risk = likelihood x impact.
The problem is accessibility and ease of use. The parts you actually need in practice are buried 80-plus pages deep in the appendices. If you want to sanity check a risk or ground your reasoning, you have to dig up the document and flip between various pages, tables, and definitions to regain your footing.
This tool pulls that framing forward into something you can look at quickly and share as a simple link. It forces explicit choices around likelihood and impact, grounded in NIST’s own descriptions, which helps narrow the range of interpretation. The goal isn’t to eliminate judgment or create fake precision. It’s to reduce avoidable noise, so disagreements are about assumptions, not vocabulary.
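As an added illustration (not the author's calculator code), the following lookup implements the qualitative risk matrix that NIST SP 800-30 Rev. 1 gives in Appendix I, Table I-2, accepting either a named level or a 0-100 semi-quantitative score for likelihood and impact; the scenario names in the usage block are constructed.

```python
"""Risk-level lookup in the style of NIST SP 800-30 Rev. 1, Appendix I (Table I-2)."""

LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Table I-2: level of risk from likelihood (rows) and impact (columns, ordered as LEVELS).
RISK_TABLE = {
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low",      "Low"),
    "Low":       ("Very Low", "Low",      "Low",      "Low",      "Moderate"),
    "Moderate":  ("Very Low", "Low",      "Moderate", "Moderate", "High"),
    "High":      ("Very Low", "Low",      "Moderate", "High",     "Very High"),
    "Very High": ("Very Low", "Low",      "Moderate", "High",     "Very High"),
}

# Semi-quantitative bands used by the same appendix tables: lower bound of each band.
SCORE_BANDS = ((96, "Very High"), (80, "High"), (21, "Moderate"), (5, "Low"), (0, "Very Low"))


def to_level(value):
    """Normalise a level name ("high") or a 0-100 score (85) to a Table I-2 level name."""
    if isinstance(value, str):
        name = value.strip().title()
        if name not in LEVELS:
            raise ValueError(f"unknown level: {value!r}")
        return name
    if not 0 <= value <= 100:
        raise ValueError("score must be between 0 and 100")
    for floor, name in SCORE_BANDS:
        if value >= floor:
            return name
    raise AssertionError("unreachable: SCORE_BANDS covers 0-100")


def risk_level(likelihood, impact):
    """Return the Table I-2 risk level for explicit likelihood and impact inputs."""
    lik, imp = to_level(likelihood), to_level(impact)
    return RISK_TABLE[lik][LEVELS.index(imp)]


def assess(name, likelihood, impact):
    """Keep the explicit inputs next to the result so the reasoning can be shared, not just the label."""
    return {"name": name, "likelihood": to_level(likelihood), "impact": to_level(impact),
            "risk": risk_level(likelihood, impact)}


if __name__ == "__main__":
    # Constructed scenarios: both are often called "high" in conversation; the table says otherwise.
    print(assess("Lost unencrypted laptop", "High", "Moderate"))      # risk: Moderate
    print(assess("Stale contractor account", 85, 40))                  # risk: Moderate
```

Because the table is not a plain product, a Very Low likelihood paired with a Very High impact lands on Low, which is exactly the kind of tradeoff worth making visible in a discussion.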
How I use it
I use the tool as a quick pre-analysis aid:
- Sanity check assumptions and establish a shared baseline before deeper analysis
- Align stakeholders on a common language
- Pressure-test whether a risk labeled “high” is genuinely high—or simply uncomfortable
It is intentionally lightweight. The value is the shared framing and the visible tradeoffs, not a false sense of accuracy.
What it does not do
The calculator does not replace a full risk assessment or a mature risk register. It has no concept of organizational context. It does not model asset value, threat capability, control effectiveness, or control maturity. It produces no governance-grade output and makes no claim to authority.
It is a starting point.
If you need a quick, consistent way to ground a risk discussion, this should help. If you need defensible artifacts for audit, compliance, or reporting, treat this as a first pass and build from there.