Phishing Risk Score Calculator
Estimate your organization's phishing risk score (0–100) based on employee exposure, existing security controls, and environmental threat factors. A higher score indicates greater risk.
Formula
Exposure Score (0–40)
= [log₁₀(Employees) / log₁₀(1,000,000)] × 20 + (Click Rate / 100) × 20
Control Gap Score (0–40)
= 40 − (MFA% / 100 × 15) − ((1 − Email Filter Factor) × 15) − ((1 − Awareness Factor) × 10)
Privilege Amplifier (0–10)
= (Privileged Users% / 100) × 10
Final Phishing Risk Score (0–100)
= min(100, (Exposure + Control Gap + Privilege) × Industry Multiplier)
Estimated Victims per Campaign
= Employees × (Click Rate / 100) × (1 − MFA / 100) × Email Filter Factor × Awareness Factor
Risk Bands: <25 = Low | 25–49 = Moderate | 50–74 = High | 75–100 = Critical
Assumptions & References
- Employee count is log-scaled (base 10, max reference 1,000,000) to reflect diminishing marginal exposure growth in large organizations.
- Click rate reflects the percentage of employees who click a phishing link; industry benchmark is ~15% without training (Proofpoint State of the Phish, 2023).
- MFA reduces successful credential compromise after a click; CISA reports MFA blocks ~99.9% of automated attacks, but it is modeled conservatively here at up to 15 points of the Control Gap Score.
- Email filtering factors: None=1.0, Basic=0.7, Advanced SEG=0.45, Enterprise AI=0.2 — reflecting typical catch rates of 0%, 30%, 55%, and 80% respectively (Gartner, Forrester).
- Awareness training factors: None=1.0, Basic=0.75, Moderate=0.5, Advanced=0.25 — aligned with SANS Security Awareness Report benchmarks.
- Industry multipliers reflect relative targeting frequency per Verizon DBIR 2023 (Finance 1.5×, Healthcare 1.4×, Government 1.6×, etc.).
- Privileged users (admins, executives) represent higher-value targets; compromise of one privileged account can have outsized organizational impact.
- This model is a risk-scoring heuristic, not a probabilistic attack simulation. Results should inform prioritization, not replace a formal threat assessment.
- References: Proofpoint State of the Phish (2023), Verizon DBIR (2023), CISA Phishing Guidance, NIST SP 800-177, SANS Security Awareness Report (2023).
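The scoring model above, implemented end to end as an added Python example. This is not the calculator's own code (the page does not show its implementation); it uses the formulas from the "Formula" section and the factor tables and the three industry multipliers listed in the assumptions. Three details are assumptions made here because the page does not state them: an "Other" industry baseline of 1.0×, capping the employee-size term at 20 for organizations above the 1,000,000 reference so the Exposure Score stays within 0–40, and treating fractional scores at band boundaries as belonging to the lower band (e.g. 49.5 is Moderate).

```python
import math

# Factor tables from the "Assumptions & References" section of the page.
EMAIL_FILTER_FACTOR = {"None": 1.0, "Basic": 0.7, "Advanced SEG": 0.45, "Enterprise AI": 0.2}
AWARENESS_FACTOR = {"None": 1.0, "Basic": 0.75, "Moderate": 0.5, "Advanced": 0.25}
# Only the multipliers the page lists; "Other" = 1.0 is an assumed baseline, not from the page.
INDUSTRY_MULTIPLIER = {"Finance": 1.5, "Healthcare": 1.4, "Government": 1.6, "Other": 1.0}

MAX_EMPLOYEES_REF = 1_000_000  # log-scale reference point from the page


def _check_pct(name, value):
    """Percentages are entered as 0-100; reject anything outside that range."""
    if not 0 <= value <= 100:
        raise ValueError(f"{name} must be between 0 and 100, got {value}")


def exposure_score(employees, click_rate_pct):
    """Exposure Score (0-40): log-scaled headcount term + click-rate term."""
    _check_pct("click_rate_pct", click_rate_pct)
    # Assumption: treat 0 employees as 1 so log10 is defined; cap the size term at 20
    # so organizations above the 1,000,000 reference do not exceed the stated 0-40 range.
    size_term = math.log10(max(employees, 1)) / math.log10(MAX_EMPLOYEES_REF) * 20
    size_term = min(size_term, 20)
    return size_term + (click_rate_pct / 100) * 20


def control_gap_score(mfa_pct, email_filter, awareness):
    """Control Gap Score (0-40): 40 minus credit for MFA, filtering and awareness training."""
    _check_pct("mfa_pct", mfa_pct)
    ef = EMAIL_FILTER_FACTOR[email_filter]
    aw = AWARENESS_FACTOR[awareness]
    return 40 - (mfa_pct / 100 * 15) - ((1 - ef) * 15) - ((1 - aw) * 10)


def privilege_amplifier(privileged_pct):
    """Privilege Amplifier (0-10): share of privileged users scaled to 10 points."""
    _check_pct("privileged_pct", privileged_pct)
    return (privileged_pct / 100) * 10


def risk_band(score):
    """Map a 0-100 score to the page's risk bands (fractional boundary scores fall in the lower band)."""
    if score < 25:
        return "Low"
    if score < 50:
        return "Moderate"
    if score < 75:
        return "High"
    return "Critical"


def estimated_victims(employees, click_rate_pct, mfa_pct, email_filter, awareness):
    """Estimated Victims per Campaign: clickers not protected by MFA, after filtering and training."""
    ef = EMAIL_FILTER_FACTOR[email_filter]
    aw = AWARENESS_FACTOR[awareness]
    return employees * (click_rate_pct / 100) * (1 - mfa_pct / 100) * ef * aw


def phishing_risk(employees, click_rate_pct, mfa_pct, email_filter, awareness,
                  privileged_pct, industry):
    """Combine the three component scores, apply the industry multiplier, cap at 100."""
    exposure = exposure_score(employees, click_rate_pct)
    gap = control_gap_score(mfa_pct, email_filter, awareness)
    priv = privilege_amplifier(privileged_pct)
    multiplier = INDUSTRY_MULTIPLIER[industry]
    score = min(100.0, (exposure + gap + priv) * multiplier)
    return {
        "exposure": exposure,
        "control_gap": gap,
        "privilege": priv,
        "multiplier": multiplier,
        "score": score,
        "band": risk_band(score),
        "victims": estimated_victims(employees, click_rate_pct, mfa_pct, email_filter, awareness),
    }


if __name__ == "__main__":
    # Constructed sample organization: 10,000 staff, benchmark 15% click rate, 60% MFA coverage,
    # basic filtering and basic training, 5% privileged users, financial sector.
    result = phishing_risk(10_000, 15, 60, "Basic", "Basic", 5, "Finance")
    for key, value in result.items():
        print(f"{key:12}: {value:.2f}" if isinstance(value, float) else f"{key:12}: {value}")
```

Walking the sample through the formulas by hand: the exposure term is (4/6)×20 + 3 = 16.33, the control gap is 40 − 9 − 4.5 − 2.5 = 24.0, the privilege amplifier is 0.5, and (16.33 + 24.0 + 0.5) × 1.5 = 61.25, which lands in the High band; the victim estimate is 10,000 × 0.15 × 0.4 × 0.7 × 0.75 = 315. Comparing the same organization with "Enterprise AI" filtering and "Advanced" training shows where the model gives the most credit, which is the kind of prioritization question the page says the score is meant to inform.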