Cybersecurity Risk Calculator
Calculate your Cyber Risk and Breach Cost.
The Cyber Reality
Cybersecurity Is Not Static
Cybersecurity is no longer a question of whether your organization has risk. It is a question of how much risk, where that risk sits, and what you should fix first.
This calculator gives you a directional cyber-risk score based on your industry, size, attack surface, remote workforce, third-party exposure, security controls, backup readiness, network posture, and internal processes.
Your result is not a penetration test, audit, or guarantee. It is a practical starting point for understanding your residual cyber risk and identifying the next few improvements that could meaningfully reduce your exposure.
Ransomware hits smaller organizations hard
In 2025, ransomware was involved in 88% of SMB breaches, compared with 39% of breaches in larger organizations.
Third-party risk is growing
Third-party involvement in breaches doubled to 30%, while exploitation of vulnerabilities increased by 34%.
What Your Cyber Risk Score Means
Your score is a directional risk index, not a percentage.
A score of 45 does not mean you have a 45% chance of being breached. It means your answers place your organization at 45 points on Fidalia’s cyber-risk index after considering both your inherent exposure and your current risk-reducing controls.
The calculator starts with your baseline risk, then adjusts for:
- Your industry
- Your employee count
- Your number of internet-facing systems
- Your remote workforce
- Your third-party integrations
It then subtracts credit for safeguards such as MFA, managed endpoint protection, email security, firewall maturity, DDoS protection, SOC/SIEM monitoring, backup immutability, DR testing, secure remote access, security awareness training, patch cadence, and incident-response planning.
In plain English:
A lower score suggests stronger cyber resilience.
A higher score suggests more residual risk and a stronger case for immediate remediation.
Recommended Risk Ranges
| Score Range | Risk Level | What It Means |
|---|---|---|
| 0–24 | Strong / Lower Risk | Your organization appears to have many foundational controls in place. You are not breach-proof, but your residual risk is lower and your recovery posture is likely stronger. |
| 25–49 | Moderate Risk | You have some meaningful safeguards in place, but important gaps may still increase the cost, duration, or disruption of an incident. |
| 50–74 | Elevated Risk | You may have significant exposure, incomplete controls, limited monitoring, or untested recovery processes. A prioritized remediation plan is recommended. |
| 75+ | Critical Risk | Your organization has a high level of residual risk based on the information provided. Immediate attention is recommended. |
What a High Score Means
A high score usually means one of three things.
First, your organization may have a larger attack surface than it realizes. This can include exposed remote-access systems, internet-facing applications, third-party integrations, remote users, cloud platforms, or systems that are difficult to monitor consistently.
Second, the organization may have important security tools in place, but not enough operational maturity around them. Alerts without response, backups without restore testing, policies without ownership, and incident plans that have never been rehearsed all create risk.
Third, the organization may be more difficult to recover than expected. In a real incident, the technical question is not only “were we attacked?” It is also “how quickly can we isolate the issue, restore clean systems, maintain access, and keep the business operating?”
This is where cybersecurity and disaster recovery overlap. A high score does not mean failure is inevitable, but it does mean the organization should prioritize controls that reduce blast radius, improve detection, and make recovery more predictable.
What a Low Score Means
A low score is a positive signal, but it is not a finish line.
It suggests that your organization has stronger controls, better recovery readiness, and fewer obvious gaps based on the answers provided. You may have good coverage across MFA, endpoint protection, email security, backups, monitoring, patching, and incident-response planning.
But cybersecurity is not static. New users, new applications, new vendors, new cloud services, and new attacker techniques can change your risk profile quickly.
For organizations with lower scores, the focus should shift from “closing obvious gaps” to validation and cadence:
- Test restores quarterly.
- Review access regularly.
- Run tabletop exercises.
- Validate alerts and escalation paths.
- Reassess third-party and remote-access exposure.
- Keep security documentation current.
In cybersecurity, boring is good. If your restore tests, incident-response exercises, and monitoring reviews feel routine, you are moving in the right direction.
Why "Partial Coverage" Still Matters
One of the most common cybersecurity mistakes is assuming that mentioning a control means the control is actually mature.
For example, an organization may say it has an incident-response plan, but if the plan does not define ownership, escalation steps, communication roles, testing frequency, or post-incident review, the plan is only partially useful.
Cybersecurity policy research makes this distinction clearly. In control-level assessments, policies are often categorized as fully covered, partially covered, or not covered. A control is only fully covered when the evidence clearly addresses the objective and includes details such as responsibility, scope, process, review, or enforcement. If a policy mentions the topic but leaves out ownership, review frequency, procedure, enforcement, or exception handling, it is considered partially covered.
That concept applies directly to operational cybersecurity:
| Cybersecurity Area | Weak / Partial Coverage | Stronger Coverage |
|---|---|---|
| MFA | MFA used by some users | MFA required for all users, admins, and remote access |
| Backups | Backups exist | Backups are immutable, offsite, and regularly restore-tested |
| Incident Response | Plan exists | Plan is documented, assigned, tested, and reviewed |
| Monitoring | Alerts are generated | Alerts are monitored, triaged, escalated, and acted on |
| Patching | Patches happen ad hoc | Patches follow a defined cadence with ownership |
| Email Security | Basic spam filtering | Phishing, impersonation, malware, and BEC protections |
Why Cybersecurity Planning Needs Prioritization
Not every business can fix everything at once. That is normal.
Cybersecurity is a prioritization problem. The right question is not, “Are we perfectly secure?” The better question is, “Which few improvements would reduce the most risk for the least operational disruption?”
Recent cybersecurity governance research frames this as a resource-constrained planning problem. Defenders must allocate limited people, time, and budget against adversaries who change tactics quickly. The paper notes that defenders “cannot protect everything at all times,” making cybersecurity a problem of prioritization and optimization.
That is why this calculator focuses on practical controls that apply to small and large organizations alike:
- MFA
- Managed EDR/XDR
- Email security
- DDoS protection
- SOC/SIEM monitoring
- Immutable backups
- Disaster recovery testing
- Secure remote access
- Security awareness training
- Patch management
- Incident-response planning
A 20-person organization and a 2,000-person organization may implement these differently, but the underlying priorities are similar: reduce entry points, limit attacker movement, detect sooner, and recover faster.
Comparison: Tool-Based Security vs. Resilience-Based Security
| Old Question | Resilience-Based Question |
|---|---|
| Do we have antivirus? | Do we have managed endpoint detection and response? |
| Do we have backups? | Have we tested clean recovery from immutable backups? |
| Do we have a firewall? | Can we detect, block, and respond at the edge? |
| Do we have a policy? | Is ownership, enforcement, review, and procedure clearly defined? |
| Do we monitor alerts? | Who responds, how fast, and what happens next? |
| Do we have a DR plan? | Can users access recovered systems without confusion or major network changes? |
Why Fidalia Looks at Cybersecurity Differently
Fidalia views cybersecurity as a resilience problem, not just a tools problem.
Prevention matters. But over a long enough timeline, organizations should assume that something will eventually get through: a compromised credential, a phishing email, an exposed service, a vendor issue, a misconfiguration, or a ransomware attempt.
The goal is to make incidents less likely, less damaging, and easier to recover from.
That requires layered controls, but it also requires a network and recovery strategy that works under pressure. As an ISP and managed technology provider, Fidalia brings together cybersecurity, connectivity, monitoring, backup readiness, DDoS protection, and disaster recovery planning.
That combination matters because many incidents become business disasters when teams cannot isolate systems, preserve access, restore clean data, or maintain service continuity.
Maturity Stages: From Reactive to Resilient
| Stage | What It Looks Like | Main Risk | Next Best Step |
|---|---|---|---|
| Reactive | Basic tools, informal processes, little testing | Slow response and unclear ownership | Start with MFA, backups, and patch cadence |
| Developing | Some controls in place, inconsistent monitoring/testing | Gaps between tools and response | Add managed EDR/XDR, email security, and restore testing |
| Managed | Controls are documented, monitored, and reviewed | Third-party, remote access, and recovery complexity | Add tabletop exercises and improve incident runbooks |
| Resilient | Controls, monitoring, recovery, and communications are tested | Continuous improvement and changing threats | Validate quarterly and refine based on new exposure |
Start with a Baseline.
Know Your Score. Then Close the Right Gaps.
This calculator takes about five minutes. You will answer questions about your company profile, current security controls, backup and recovery readiness, network posture, and internal processes.
At the end, you will receive a cyber-risk index, a risk range, and an optional breach-cost estimate.
Lower is better. The score is not a guarantee or a formal audit. It is a practical baseline to help you decide what to do next.
What are you going to get out of this calculator?
- Quantify Your Cyber Risk
- Actionable Roadmap to Remediation
- Budget-Ready Costing
About this Calculator
This Cybersecurity Risk Calculator estimates your cyber risk and potential breach impact using your industry, headcount, attack surface, and control maturity. The calculator scores your inputs on an index to show you your risk level against other businesses of similar size and from the same industry.
Can you put a price on Cybersecurity Risk?
This calculator is not a penetration test; it is a decision aid that translates cybersecurity posture into dollars and clear next steps. Results include a prioritized roadmap and the option to schedule a Mississauga/GTA readiness assessment with Fidalia’s engineers.
How is my cyber risk score calculated?
The calculator derives an inherent risk using industry, size, and attack-surface multipliers, then subtracts deductions for controls such as MFA, EDR/XDR, email security, NGFW/IDS, DDoS, SOC/SIEM, backups with immutability, DR testing, training, patching, and an IR plan. The final score is indexed and mapped to Low/Moderate/Elevated/Critical tiers.
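To make the scoring method concrete, here is an added illustration (not Fidalia's calculator, whose actual weights are not published on this page) of an index built the same way: a baseline scaled by exposure multipliers, less credit for each control weighted by its coverage so that partial coverage earns only partial credit (the distinction drawn in the coverage table above), clamped and mapped to the page's four score ranges. Every multiplier, credit value and the baseline of 50 are assumptions chosen for the example.

```python
"""Directional cyber-risk index: an added illustration, not Fidalia's code.
All weights below are assumed for demonstration purposes."""
from dataclasses import dataclass, field

# Assumed exposure multipliers and control credits (illustrative only).
INDUSTRY_MULT = {"healthcare": 1.3, "finance": 1.3, "manufacturing": 1.1, "other": 1.0}
CONTROL_CREDIT = {
    "mfa_all_users": 10, "managed_edr": 8, "email_security": 6, "ngfw_ids": 5,
    "ddos_protection": 3, "soc_siem": 8, "immutable_backups": 10, "dr_tested": 8,
    "secure_remote_access": 6, "awareness_training": 4, "patch_cadence": 7,
    "ir_plan_tested": 6,
}
# Upper bound of each range from the page; anything above the last is Critical.
TIERS = [(24, "Strong / Lower Risk"), (49, "Moderate Risk"), (74, "Elevated Risk")]


@dataclass
class Profile:
    industry: str
    employees: int
    internet_facing_systems: int
    remote_workforce_pct: float          # 0..100
    third_party_integrations: int
    # control name -> coverage fraction (0.0 none, 0.5 partial, 1.0 full)
    controls: dict = field(default_factory=dict)


def inherent_risk(p: Profile) -> float:
    """Assumed baseline of 50, scaled by each exposure factor (capped)."""
    base = 50.0 * INDUSTRY_MULT.get(p.industry, 1.0)
    base *= 1.0 + min(p.employees, 2000) / 2000 * 0.4               # size: up to +40%
    base *= 1.0 + min(p.internet_facing_systems, 50) / 50 * 0.5     # surface: up to +50%
    base *= 1.0 + p.remote_workforce_pct / 100 * 0.3                # remote: up to +30%
    base *= 1.0 + min(p.third_party_integrations, 20) / 20 * 0.3    # vendors: up to +30%
    return base


def control_credit(p: Profile) -> float:
    """Credit per control scaled by coverage; unknown control names earn nothing."""
    return sum(CONTROL_CREDIT[c] * max(0.0, min(1.0, cov))
               for c, cov in p.controls.items() if c in CONTROL_CREDIT)


def risk_score(p: Profile) -> int:
    """Residual index: inherent risk minus control credit, clamped to 0..100."""
    return int(round(max(0.0, min(100.0, inherent_risk(p) - control_credit(p)))))


def risk_tier(score: int) -> str:
    for upper, name in TIERS:
        if score <= upper:
            return name
    return "Critical Risk"
```

The same profile scored twice, once with a few partially covered controls and once with every control fully covered, shows how credit rather than exposure moves an organization between ranges.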
What does Expected Annual Loss (EAL) mean?
EAL is a probabilistic estimate of yearly loss based on your organization size, industry uplift, compliance uplift, and risk-tier probability. It complements the single-incident impact range to support budgeting and planning.
Do you store my answers?
Your responses are used to calculate results and, if you consent, to follow up with recommendations. Data handling follows Fidalia’s privacy policy.
Can I book an on-site assessment?
Yes. You can schedule an on-site or virtual assessment with Fidalia’s local team to validate the findings and build a prioritized remediation plan.
What are our thoughts on cybersecurity?
Breaches are inevitable over long horizons; resilience is a choice. Fidalia treats cybersecurity as continuous risk management: layered controls, rapid detection, immutable recovery, and network-first continuity to protect public-facing services.