NIST Risk Calculator
Likelihood
Overall Likelihood represents the combined assessment of (1) the likelihood that a threat event occurs and (2) the likelihood that the event results in an adverse effect.
Likelihood is expressed as a score rather than a statistical probability. Scores are assigned based on available evidence, experience, and expert judgment. Factors such as intent, capability, and targeting inform the likelihood of occurrence, while capability and vulnerability severity inform the likelihood of adverse effect. These assessments are combined to produce an overall likelihood score.
Likelihood of Occurrence Scale
| Qualitative | Semi-Quantitative | | Description (non-adversarial) | Description (adversarial) |
|---|---|---|---|---|
| Very High | 10 | 96-100 | Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times a year. | Adversary is almost certain to initiate the threat event. |
| High | 8 | 80-95 | Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times a year. | Adversary is highly likely to initiate the threat event. |
| Moderate | 5 | 21-79 | Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times a year. | Adversary is somewhat likely to initiate the threat event. |
| Low | 2 | 5-20 | Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years. | Adversary is unlikely to initiate the threat event. |
| Very Low | 0 | 0-4 | Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years. | Adversary is highly unlikely to initiate the threat event. |
Likelihood of Adverse Effect Scale
| Qualitative | Semi-Quantitative | | Description |
|---|---|---|---|
| Very High | 10 | 96-100 | If the threat event is initiated or occurs, it is almost certain to have adverse impacts. |
| High | 8 | 80-95 | If the threat event is initiated or occurs, it is highly likely to have adverse impacts. |
| Moderate | 5 | 21-79 | If the threat event is initiated or occurs, it is somewhat likely to have adverse impacts. |
| Low | 2 | 5-20 | If the threat event is initiated or occurs, it is unlikely to have adverse impacts. |
| Very Low | 0 | 0-4 | If the threat event is initiated or occurs, it is highly unlikely to have adverse impacts. |
Overall Likelihood Matrix
Impact
Impact represents the magnitude of harm resulting from unauthorized disclosure, modification, or destruction of information, or from loss of information or information system availability.
Impact may affect one or more domains, including:
- Operations: Disruption of missions or business functions; delayed or incorrect execution; regulatory or contractual noncompliance; financial loss; loss of trust or reputation.
- Assets: Damage to or loss of facilities, systems, equipment, supplies, data, or intellectual property.
- Individuals: Injury or loss of life; physical or psychological harm; identity theft; exposure of personally identifiable information; reputational damage.
- Other Organizations: Contractual or regulatory impacts; financial loss; sanctions or liability; damage to trust or reputation.
- The Nation: Disruption of critical infrastructure; loss of continuity of operations; harm to national security; reduced ability to achieve national objectives; damage to international trust.
| Qualitative | Semi-Quantitative | | Description |
|---|---|---|---|
| Very High | 10 | 96-100 | The threat event could be expected to have catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation. |
| High | 8 | 80-95 | The threat event could be expected to have a severe adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A severe adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe harm to individuals involving loss of life or serious life-threatening injuries. |
| Moderate | 5 | 21-79 | The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries. |
| Low | 2 | 5-20 | The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals. |
| Very Low | 0 | 0-4 | The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. |
Risk
Risk measures the extent to which an entity is threatened by a potential event, based on both the likelihood of the event occurring and the severity of the adverse impact if it does.
| Qualitative | Semi-Quantitative | | Description |
|---|---|---|---|
| Very High | 10 | 96-100 | Very high risk means that a threat event could be expected to have catastrophic adverse effects on organizational operations, organizational assets, individuals, or other organizations. |
| High | 8 | 80-95 | High risk means that a threat event could be expected to have a severe adverse effect on organizational operations, organizational assets, individuals, or other organizations. |
| Moderate | 5 | 21-79 | Moderate risk means that a threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, or other organizations. |
| Low | 2 | 5-20 | Low risk means that a threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, or other organizations. |
| Very Low | 0 | 0-4 | Very low risk means that a threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, or other organizations. |
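
The two-step combination described on this page (occurrence and adverse effect into overall likelihood, then likelihood and impact into risk), as an added example that is not the calculator's own code. The bin edges come from the scales above; the two lookup matrices are an assumption taken from NIST SP 800-30 Rev. 1 (Tables G-5 and I-2), and all function names are hypothetical.

```python
LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Lower bound of each 0-100 bin, from the semi-quantitative column on this page.
BIN_FLOORS = ((96, "Very High"), (80, "High"), (21, "Moderate"), (5, "Low"), (0, "Very Low"))

# ASSUMPTION: matrices follow NIST SP 800-30 Rev. 1 Tables G-5 and I-2.
# Row key = first input; tuple index = second input, in LEVELS order.
OVERALL_LIKELIHOOD = {  # row: occurrence, column: adverse effect
    "Very High": ("Low", "Moderate", "High", "Very High", "Very High"),
    "High":      ("Low", "Moderate", "Moderate", "High", "Very High"),
    "Moderate":  ("Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Moderate", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Low", "Low", "Low"),
}
RISK = {  # row: overall likelihood, column: impact
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}

def to_level(value):
    """Normalise a qualitative label or a 0-100 integer score to a label."""
    if isinstance(value, str):
        label = value.strip().title()
        if label not in LEVELS:
            raise ValueError(f"unknown level: {value!r}")
        return label
    # bool is a subclass of int, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 100:
        raise ValueError(f"score must be an integer 0-100: {value!r}")
    return next(label for floor, label in BIN_FLOORS if value >= floor)

def _lookup(matrix, row, col):
    return matrix[to_level(row)][LEVELS.index(to_level(col))]

def overall_likelihood(occurrence, adverse_effect):
    return _lookup(OVERALL_LIKELIHOOD, occurrence, adverse_effect)

def risk_level(likelihood, impact):
    return _lookup(RISK, likelihood, impact)

def assess(occurrence, adverse_effect, impact):
    likelihood = overall_likelihood(occurrence, adverse_effect)
    return {"likelihood": likelihood, "impact": to_level(impact),
            "risk": risk_level(likelihood, impact)}

if __name__ == "__main__":
    # Constructed scenario: occurrence scored 85, adverse effect Moderate, impact 97.
    print(assess(85, "Moderate", 97))
```

Neither matrix is symmetric: a Very High likelihood of occurrence paired with a Very Low likelihood of adverse effect still yields Low overall likelihood, while a Very High likelihood against Very Low impact yields Very Low risk.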