FortaRisks

Cyber risk score calculator

Estimate your organization's cyber risk across nine domains in about five minutes, and get a score, a grade and prioritized actions.

≈ 5 minutes · no sign-up

Answer two quick questions per domain. Higher scores mean lower risk. Your result mirrors how the FortaRisks platform scores enterprise cyber risk, so you can see where you stand today. Nothing you enter leaves your browser.

Answer each statement based on your real situation. Your score and priorities appear instantly in your browser. Nothing is sent anywhere.


1. Financial Risk (IT Perspective)

Your cybersecurity budget is planned against identified risks, and its adequacy is reviewed regularly.

You have estimated the financial impact of a major cyber incident (downtime, response, notification, liability).

2. Project Risk (IT Projects)

Security and risk requirements are built into your IT projects from the design stage (secure by design).

IT projects are generally delivered without major security, scope or continuity failures.

3. Regulatory Risk

You have identified which regulations and standards apply to you (Law 25, GDPR, NIS2, DORA, sector-specific).

You maintain a documented view of your compliance posture and gaps against those obligations.

4. Information Security Risk

Baseline security controls are in place and enforced (MFA, patch management, endpoint protection, access control).

You manage information security against a recognized framework (ISO 27001, NIST CSF), with regular risk assessment.

5. Operational Resilience

You have isolated, regularly tested backups and a documented incident response plan.

A business continuity plan defines RTO/RPO targets for your critical services and is exercised.

6. Third-Party Risk

You maintain an inventory of suppliers, tiered by criticality and data access.

Critical vendors undergo security due diligence and are monitored beyond a one-time questionnaire.

7. Data & AI Risk

Your data is classified and you know where your sensitive information resides.

You govern how AI and LLM tools are used, to prevent data leakage and shadow AI.

8. Talent & Culture Risk

Employees receive regular security awareness training and phishing simulations.

Your security operations do not depend on a single person, and key skills are covered.

9. Physical Security Risk

Physical access to your premises and sensitive areas is controlled and logged.

On-premises and operational technology (OT) assets are protected against theft and tampering.


FAQ

What is a cyber risk score?

A cyber risk score summarizes your organization's exposure into a single number and grade, broken down by domain. It turns a diffuse notion of risk into a comparable, prioritizable view that leadership can act on.

How is this score calculated?

You answer two questions in each of nine risk domains. Each answer is weighted, and the domain results are combined into an overall score from 0 to 100 with a letter grade. Higher means lower risk. Everything runs in your browser and nothing is sent anywhere.
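As an added illustration, not FortaRisks' own code or formula, here is a browser-side scorer with the shape the answer above describes: eighteen statements, two per domain, weighted and combined into a 0-100 score and a letter grade, with the weakest domains listed first as priorities. The 0/1/2 answer scale, the per-domain weights and the grade bands are assumptions chosen for the example.

```javascript
// Added example, not FortaRisks' code: a self-contained scorer with the shape the
// FAQ describes. The answer scale (0 = no, 1 = partly, 2 = yes), the per-domain
// weights and the grade bands below are assumptions, not the platform's formula.
const DOMAINS = [
  "Financial Risk (IT Perspective)", "Project Risk (IT Projects)", "Regulatory Risk",
  "Information Security Risk", "Operational Resilience", "Third-Party Risk",
  "Data & AI Risk", "Talent & Culture Risk", "Physical Security Risk",
];
// Assumed domain weights in percent; they sum to 100 so integer math stays exact.
const WEIGHTS = [8, 8, 10, 18, 16, 12, 12, 8, 8];
// Assumed grade bands: the first band whose minimum the score reaches applies.
const GRADE_BANDS = [[90, "A"], [75, "B"], [60, "C"], [40, "D"], [0, "F"]];

// One score per domain from its two statements: 0..4 points mapped onto 0..100.
function domainScores(answers) {
  if (!Array.isArray(answers) || answers.length !== 2 * DOMAINS.length) {
    throw new Error(`expected ${2 * DOMAINS.length} answers, two per domain`);
  }
  return DOMAINS.map((name, i) => {
    const pair = answers.slice(2 * i, 2 * i + 2);
    if (!pair.every((v) => Number.isInteger(v) && v >= 0 && v <= 2)) {
      throw new Error(`answers for "${name}" must be integers 0..2`);
    }
    return { name, weight: WEIGHTS[i], score: (pair[0] + pair[1]) * 25 };
  });
}

// Weighted average of the domain scores, rounded to a whole number 0..100.
function overallScore(answers) {
  const total = domainScores(answers).reduce((s, d) => s + d.score * d.weight, 0);
  return Math.round(total / 100);
}
function letterGrade(score) {
  return GRADE_BANDS.find(([min]) => score >= min)[1];
}

// Weakest domains first; among equal scores, the heavier-weighted domain comes first.
function prioritizedActions(answers, top = 3) {
  return domainScores(answers)
    .filter((d) => d.score < 100)
    .sort((a, b) => a.score - b.score || b.weight - a.weight)
    .slice(0, top)
    .map((d) => d.name);
}

// Full result: score, grade and the domains to act on first.
function assess(answers) {
  const score = overallScore(answers);
  return { score, grade: letterGrade(score), priorities: prioritizedActions(answers) };
}
```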

Why nine domains?

Cyber risk is not only IT security. It spans financial, project, regulatory, information security, resilience, third-party, data & AI, talent and physical risk. These nine domains mirror how the FortaRisks platform scores enterprise cyber risk.

Is this the same as the FortaRisks platform score?

No. This is a one-time self-assessment with Low confidence. The FortaRisks AI Risk Engine computes a continuous, evidence-based score, with confidence levels and a trend once it has enough data, and lets you decompose it down to individual findings.

Is this a substitute for a full risk assessment?

No. It is an indicative snapshot to help you see where you stand and prioritize. It does not constitute legal, audit or professional risk advice.