
Fighting Cybercrime: How To Calculate the Risk of Cybersecurity Threats

Jun 22, 2022

Cybercriminals are more sophisticated than ever before, and their ability to infiltrate computer/internet systems is alarming, especially to SMBs.

Beth Weber - Guest Contributor


Experts predict global cybercrime damages will reach around 10.5 trillion USD each year by 2025. Attacks on corporations make the news, but 50% of SMBs have been the target of cybercrime, and over 60% of those attacked businesses have failed. Just one successful breach can kill a smaller business by draining its resources and ruining its reputation. The need for effective cybersecurity cannot be overstated.

To properly prepare for security issues, you must routinely calculate the impact they can have on your business and the risk they pose. Analyze multiple security issues and use a cybersecurity risk formula to better inform your data management decisions. You can also find risk assessment and management software programs on GetApp that will aid you in your security efforts.

The basics of cybersecurity risk assessment

Cybercrime is now ubiquitous—it's the stranger danger of the business world. The National Institute of Standards and Technology (NIST) states that evaluating your company’s vulnerability in a “threat environment” means you must consider three particular factors:

1. Threat source motivation and capability.

Is the threat source interested in your information and can they make money from it? Do they have tools that will allow them to attack your system?

2. The nature of the vulnerability.

Is your company’s data security weakness due to human nature or coding issues? Are cyberthieves currently exploiting this weakness elsewhere?

3. The presence and effectiveness of controls.

Do you have security systems in place that can thwart bad actors from detecting and/or exploiting this weakness? Have other companies been able to address and correct this vulnerability?

These are general questions to ask and answer when you begin a threat assessment. You can accurately calculate risk based on your answers to the above. They will give you a sense of your company’s weaknesses. But if you want a more quantitative analysis, you should use a cybersecurity risk formula. 

How to calculate your risk using the cybersecurity risk formula

These calculations may look complicated, but they are pretty straightforward. The cybersecurity risk formula is:

 Risk = (Threat x Vulnerability x Probability of occurrence x Impact)/Controls in place

Applying concrete values to this formula is the most difficult part, but NIST has provided suggestions on how to proceed and simplify the process.

Determine your risk likelihood

To determine your company's likelihood of being attacked, choose a high, medium, or low rating based on the motivation of the threat source and the current level of your security against these threats. In short, what do you have that cybercriminals want and how much protection do you already have?

Determine the impact potential

Some data breaches are more harmful than others. You can use the NIST chart to determine the magnitude of a breach impact.

  • High impact means that a breach may cost your company major assets and resources, damage your reputation or mission, and cause serious harm to humans.

  • Medium impact means you may experience a “costly loss” of assets or resources, have your company’s mission and reputation harmed, or experience human injury.

  • Low impact means your company may lose some assets or resources and have your reputation or mission “noticeably” damaged.

For most SMBs, anything above low impact can severely damage your bottom line. If you identify high or medium risk, you can use GetApp to find the best risk assessment and management software for your needs. 

Use the NIST matrix

The NIST matrix lists numerical “scores” for both likelihood and impact so that you can determine your risk. 

For instance, if you have a medium threat likelihood (0.5) and a high impact (100), you would multiply 100 x 0.5 for a score of 50. This score means that your company is classified as a medium risk under the scoring scale: High (>50 to 100); Medium (>10 to 50); Low (1 to 10). Any score of 10 means you need to up your security measures.

Why you need to know your cybersecurity risk

This information will guide you toward the necessary next steps needed to secure your company's computer systems and data. The NIST categories for action are:

  • High risk: You must take steps to correct your vulnerabilities, including an action plan that will be implemented ASAP.

  • Medium risk: You will also need to create an action plan but you can take a reasonable amount of time to develop and implement that plan.

  • Low risk: Management can determine if the risk presented is high enough to warrant corrective measures or if the current risk level is acceptable. 
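The matrix scoring and the action categories above, combined in an added example (not from the article or from NIST). Only the 0.5 x 100 pair appears in the article; the remaining weights are assumed from the NIST SP 800-30 (2002) risk-level matrix, and the register entries are constructed.

```python
# Added example: likelihood x impact scoring for a small risk register.
# Weights other than 0.5 and 100 are assumed from NIST SP 800-30 (2002).
LIKELIHOOD_TENTHS = {"high": 10, "medium": 5, "low": 1}  # 1.0, 0.5, 0.1 in tenths
IMPACT = {"high": 100, "medium": 50, "low": 10}
ACTIONS = {
    "High": "correct the vulnerabilities; action plan implemented ASAP",
    "Medium": "create an action plan within a reasonable amount of time",
    "Low": "management decides whether to correct or accept the risk",
}


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood weight x impact weight, in integers so 10 and 50 stay exact."""
    try:
        return LIKELIHOOD_TENTHS[likelihood.lower()] * IMPACT[impact.lower()] // 10
    except KeyError as exc:
        raise ValueError(f"unknown rating: {exc.args[0]!r}") from None


def risk_level(score: int) -> str:
    """Scale from the article: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if not 1 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score > 50:
        return "High"
    return "Medium" if score > 10 else "Low"


def rank_register(register):
    """Score each (name, likelihood, impact) entry; highest risk first."""
    rows = []
    for name, likelihood, impact in register:
        score = risk_score(likelihood, impact)
        level = risk_level(score)
        rows.append((score, level, name, ACTIONS[level]))
    return sorted(rows, key=lambda row: row[0], reverse=True)


# Constructed sample register (hypothetical scenarios, not from the article).
SAMPLE_REGISTER = [
    ("Phishing leads to mailbox takeover", "high", "medium"),
    ("Unpatched internet-facing file server", "medium", "high"),
    ("Lost laptop with encrypted disk", "medium", "low"),
    ("Ransomware on accounting workstation", "high", "high"),
]

if __name__ == "__main__":
    for score, level, name, action in rank_register(SAMPLE_REGISTER):
        print(f"{score:>3}  {level:<6}  {name}: {action}")
```

Note that a score of exactly 50 falls in the Medium band and a score of exactly 10 in the Low band, which is why the weights are kept as integers.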

How to address your company’s vulnerabilities

For SMBs, one of the most effective ways to lower your cybersecurity risk is to implement advanced software solutions. GetApp is the premier online site for SMBs looking to expand their investment in software as a service (SaaS).

Trust GetApp with the latest trends in business software and consult research backed by user reviews. When you use GetApp, you are getting the latest and best information and recommendations in the industry. 

Signing up is simple and can be done in a few minutes. With only two clicks, you can join the GetApp community today and promptly lower your cybercrime risk. 

About the author

Beth Weber - Guest Contributor

Beth Weber is an experienced writer with a rich background in teaching, ad creation, and healthcare publications. She has served as editor of the historic Monroe County Appeal newspaper and a contributing editor to Maine St. Magazine, and written articles for publications such as Doctor Wise and 50plus-lifestyle.com. She earned her MFA in creative writing from Spalding University and her MA and BA in English from Truman University.