Overview
SecurAtlas produces risk scores from real control data — not surveys alone.
Every number on the Risk Assessment page traces directly to how mature your
security controls are relative to the inherent threat level of each risk category.
There are four layers:
- Base Threat Level — how dangerous is this category by default
- Maturity Coverage — how well your controls mitigate that threat
- Residual Risk Score — unmitigated exposure after controls
- Severity Label — plain-English rating derived from the residual score
Layer 1 — Base Threat Level
Each risk category has a base_band (1–5) set platform-wide based on industry
threat intelligence. Scaled to 100 it gives base_max_score, the highest residual
score a category can carry when zero controls are in place.
base_max_score = (base_band / 5) × 100
| Risk Category | Base Band | Base Max Score | Rationale |
|---|---|---|---|
| Ransomware | 4 / 5 | 80 | High-frequency, high-impact threat for all orgs |
| Identity Compromise | 4 / 5 | 80 | Credential attacks are the #1 initial vector |
| Data Breach | 3 / 5 | 60 | Significant but requires prior access |
| Service Outage | 3 / 5 | 60 | Business continuity impact |
| Third-Party Risk | 3 / 5 | 60 | Supplier chain exposure, varies by org size |
| Compliance Failure | 2 / 5 | 40 | Regulatory risk, lower direct operational impact |
Base bands are identical for all tenants. They reflect the inherent threat landscape,
not your specific environment. Your controls are what changes your score.
Layer 2 — Maturity Coverage
For each risk category, SecurAtlas calculates how well your implemented controls
reduce the threat. Every control mapped to a category carries a reduction_weight
(0–1.0) representing its relative importance.
maturity_coverage_pct =
Σ ( effective_maturity / 5 × reduction_weight ) [non-N/A controls only]
─────────────────────────────────────────────────
Σ ( reduction_weight ) [non-N/A controls only]
× 100
Maturity priority chain (highest wins):
| Source | When Used |
|---|---|
| effective_maturity | Set automatically by integration evidence |
| maturity (if > 0) | Manually assigned maturity score |
| Status synthetic | implemented → 3.0 · in_progress → 1.0 · else 0 |
| not_applicable | Excluded from weight pool entirely |
Controls backed by live integration evidence (Azure AD, GWS, etc.) carry more
reliable maturity than manually-set scores.
Worked Example — Service Outage
| Control | Weight | Maturity | Weighted Contribution (maturity / 5 × weight) |
|---|---|---|---|
| Business Continuity Planning | 0.85 | 0 | 0 |
| DR Testing | 0.80 | 0 | 0 |
| Backup Restore Testing | 0.80 | 0 | 0 |
| Backups | 0.90 | 0 | 0 |
| Change Management | 0.65 | 2 | 0.26 |
| Network Segmentation | 0.70 | 1 | 0.14 |
| Incident Response Plan | 0.60 | 0 | 0 |
| Incident Tabletop Exercises | 0.55 | 0 | 0 |
maturity_coverage_pct = (0.26 + 0.14) / (0.85 + 0.80 + 0.80 + 0.90 + 0.65 + 0.70 + 0.60 + 0.55) × 100
= 0.40 / 5.85 × 100
≈ 6.84%
Only 6.84% of Service Outage control coverage is mature: most of the mapped controls
exist in the system but have not been implemented or validated with evidence.
Layer 3 — Residual Risk Score
Residual score is the unmitigated exposure remaining once control maturity is applied.
residual_score = base_max_score × (1 − maturity_coverage_pct / 100)
Service Outage continued:
residual_score = 60 × (1 − 6.84 / 100)
= 60 × 0.9316
= 55.90
Overall Risk Score
The overall tenant score inverts the average residual. Higher = better posture.
overall_risk_score = 100 − AVG(residual_score across all categories)
A score of 49 means the average residual across all six categories is 51:
roughly half of all threat exposure is unmitigated. For the tenant below, the six
residuals average 50.6, which gives an overall score of 49.
Full Tenant Example
| Category | Base Max | Coverage | Residual | Severity |
|---|---|---|---|---|
| Ransomware | 80 | 10.67% | 71.46 | Critical |
| Service Outage | 60 | 6.84% | 55.90 | High |
| Third-Party Risk | 60 | 7.59% | 55.45 | High |
| Data Breach | 60 | 24.17% | 45.50 | Medium |
| Identity Compromise | 80 | 50.23% | 39.82 | Medium |
| Compliance Failure | 40 | 11.55% | 35.38 | Medium |
Layer 4 — Severity Labels
Severity labels are derived from where the residual score falls on a fixed scale.
Bands are checked top-down and the first threshold the score meets applies:
| Residual Score | Label | Color |
|---|---|---|
| ≥ 70 | Critical | Red |
| ≥ 50 | High | Orange |
| ≥ 30 | Medium | Yellow |
| ≥ 15 | Moderate | Light green |
| < 15 | Low | Green |
Coverage Bar
The coverage bar under each category shows what fraction of mapped controls
the tenant has configured at all — regardless of maturity level.
coverage_display_pct = (controls_set / mapped_controls) × 100
This is not the same as maturity_coverage_pct. A tenant can have 100% of its mapped
controls configured and still carry a high residual score in that category if every
one of them sits at maturity 0 or 1.
Risk Improvement Path
Controls are ranked by potential score reduction: how many points the residual
score drops if that control reaches full maturity (5/5).
potential_score_reduction =
(control_reduction_weight / total_category_weight)
× residual_risk_score
× (1 − current_maturity / 5)
Note that this scales by residual_risk_score rather than base_max_score, so the
figure it reports is smaller than the exact drop implied by the Layer 3 formula,
base_max_score × (control_reduction_weight / total_category_weight) × (1 − current_maturity / 5).
Both are constants within a category, so the ranking is the same either way.
The panel shows the highest-leverage actions available right now, ranked
highest-to-lowest within each category.
An empty improvement path does not mean all controls are implemented.
It can also mean no controls have been mapped to risk categories yet.
If you see “No controls configured”, complete the baseline assessment first.
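The scoring pipeline described above (Layer 2 maturity coverage, Layer 3 residual, Layer 4 severity, the overall score and the Risk Improvement Path ranking) as an added Python example. This is not SecurAtlas code: the Control class, the function names, and the reading of "status synthetic" as a fallback keyed on a status string are this example's own assumptions. It takes the Service Outage control table from the worked example as constructed input and returns that category's coverage, residual, severity and ranked improvement path, reporting both the page's potential_score_reduction and the exact drop implied by the Layer 3 formula.

```python
# Added example (not SecurAtlas code): a stand-alone reimplementation of the
# page's Layer 2-4 formulas, the overall score and the Risk Improvement Path
# ranking, run over the Service Outage control table from the worked example.
# Class and function names here are this example's own, not the product API.
from dataclasses import dataclass
from typing import Optional

BASE_BAND = {                # Layer 1 bands, identical for all tenants
    "Ransomware": 4, "Identity Compromise": 4, "Data Breach": 3,
    "Service Outage": 3, "Third-Party Risk": 3, "Compliance Failure": 2,
}
SEVERITY = [(70, "Critical"), (50, "High"), (30, "Medium"), (15, "Moderate")]

@dataclass
class Control:
    name: str
    reduction_weight: float                     # 0-1.0, relative importance
    effective_maturity: Optional[float] = None  # set by integration evidence
    maturity: float = 0.0                       # manually assigned 0-5
    status: str = "not_started"                 # implemented / in_progress / other
    not_applicable: bool = False

def resolve_maturity(c: Control) -> float:
    """Layer 2 priority chain: evidence > manual (if > 0) > status synthetic."""
    if c.effective_maturity is not None:
        return c.effective_maturity
    if c.maturity > 0:
        return c.maturity
    return {"implemented": 3.0, "in_progress": 1.0}.get(c.status, 0.0)

def base_max_score(category: str) -> float:
    return BASE_BAND[category] / 5 * 100

def maturity_coverage_pct(controls: list[Control]) -> float:
    """Weighted share of full maturity; N/A controls leave the weight pool."""
    pool = [c for c in controls if not c.not_applicable]
    total_w = sum(c.reduction_weight for c in pool)
    if total_w == 0:          # nothing mapped yet: "No controls configured"
        return 0.0
    covered = sum(resolve_maturity(c) / 5 * c.reduction_weight for c in pool)
    return covered / total_w * 100

def residual_score(category: str, controls: list[Control]) -> float:
    return base_max_score(category) * (1 - maturity_coverage_pct(controls) / 100)

def severity_label(residual: float) -> str:
    for threshold, label in SEVERITY:   # bands checked top-down
        if residual >= threshold:
            return label
    return "Low"

def overall_risk_score(residuals: list[float]) -> float:
    return 100 - sum(residuals) / len(residuals)

def improvement_path(category: str, controls: list[Control]) -> list[tuple]:
    """Rank controls by the page's potential_score_reduction (scaled by the
    current residual) and also report the exact drop implied by Layer 3
    (scaled by base_max_score). The order is identical for both."""
    pool = [c for c in controls if not c.not_applicable]
    total_w = sum(c.reduction_weight for c in pool)
    resid, base = residual_score(category, controls), base_max_score(category)
    rows = []
    for c in pool:
        share = c.reduction_weight / total_w * (1 - resolve_maturity(c) / 5)
        rows.append((c.name, round(share * resid, 2), round(share * base, 2)))
    return sorted(rows, key=lambda r: r[1], reverse=True)  # stable: ties keep order

# Constructed input: the Service Outage table from the worked example above.
SERVICE_OUTAGE = [
    Control("Business Continuity Planning", 0.85),
    Control("DR Testing", 0.80),
    Control("Backup Restore Testing", 0.80),
    Control("Backups", 0.90),
    Control("Change Management", 0.65, maturity=2),
    Control("Network Segmentation", 0.70, maturity=1),
    Control("Incident Response Plan", 0.60),
    Control("Incident Tabletop Exercises", 0.55),
]

def service_outage_report() -> dict:
    resid = residual_score("Service Outage", SERVICE_OUTAGE)
    return {
        "coverage_pct": round(maturity_coverage_pct(SERVICE_OUTAGE), 2),
        "residual": round(resid, 2),
        "severity": severity_label(resid),
        "top_action": improvement_path("Service Outage", SERVICE_OUTAGE)[0][0],
    }

if __name__ == "__main__":
    print(service_outage_report())
    for name, page_drop, exact_drop in improvement_path("Service Outage", SERVICE_OUTAGE):
        print(f"{name:30} -{page_drop:5.2f} pts (exact {exact_drop:5.2f})")
```

Run it directly to print the Service Outage report and the ranked path. Two edge cases are handled deliberately: a category with nothing mapped returns 0% coverage instead of dividing by zero, and a not_applicable control is dropped from both the numerator and the weight pool, so marking a control N/A never lowers coverage.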
Financial Exposure
Financial exposure translates the risk score into annualized dollar impact
using your organization’s revenue range and industry breach cost benchmarks.
probability = 0.80 − (risk_score / 100 × 0.75) [range: 5% – 80%]
impact = MIN(avg_breach_cost, annual_revenue × 30%)
EAL_expected = probability × impact
EAL_low = EAL_expected × 0.40
EAL_high = EAL_expected × 2.50
avg_breach_cost defaults to $4.45M (the global average in IBM's Cost of a Data
Breach Report 2023) unless an industry-specific benchmark is configured.
Example at risk score 49:
probability = 0.80 − (49/100 × 0.75) = 43.25%
At this probability, an org with a $500K impact cap expects roughly **$216K/year**
(0.4325 × $500K = $216,250) in annualized breach exposure, with a low/high band
of about $87K to $541K.
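The Financial Exposure formulas above as an added Python example (not SecurAtlas code); the function names are this example's own. It shows the two pieces the formula lines leave implicit: the probability clamp to the 5%–80% range for scores outside 0–100, and the impact cap at 30% of revenue for small organizations versus the benchmark for large ones.

```python
# Added example (not SecurAtlas code): the Financial Exposure formulas from
# this page as functions, including the 5%-80% clamp on probability and the
# revenue cap on impact. Function names are this example's own.
IBM_AVG_BREACH_COST = 4_450_000   # the page's default avg_breach_cost

def breach_probability(risk_score: float) -> float:
    """0.80 - risk_score/100 * 0.75, clamped to the page's 5%-80% range."""
    p = 0.80 - (risk_score / 100 * 0.75)
    return min(0.80, max(0.05, p))

def breach_impact(annual_revenue: float,
                  avg_breach_cost: float = IBM_AVG_BREACH_COST) -> float:
    """Impact is the benchmark cost, capped at 30% of annual revenue."""
    return min(avg_breach_cost, annual_revenue * 0.30)

def expected_annual_loss(risk_score: float, annual_revenue: float,
                         avg_breach_cost: float = IBM_AVG_BREACH_COST) -> dict:
    expected = breach_probability(risk_score) * breach_impact(annual_revenue, avg_breach_cost)
    return {"low": expected * 0.40, "expected": expected, "high": expected * 2.50}

if __name__ == "__main__":
    # Constructed input: the page's example, a score of 49 with a $500K impact
    # cap (annual revenue of about $1.67M, 30% of which is $500K).
    print(expected_annual_loss(49, 1_666_667))
```

The clamp matters when a score outside 0–100 is fed in (for example from a stale or partially computed snapshot); without it the probability would go negative for scores above 107.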
Score Refresh Schedule
| Trigger | Source Tag | Frequency |
|---|---|---|
| Nightly cron job | cron_nightly | Every 24 hours at midnight UTC |
| Manual control update | controls | On-demand, triggered by user action |
| Baseline assessment submit | controls | On assessment completion |
One snapshot is stored per tenant per day per source. The Risk page always reads
the most recent snapshot regardless of source.
To immediately reflect a control change without waiting for the nightly cron,
trigger a manual recompute from the Controls page.
Frequently Asked Questions
Why is my score different from last week?
Scores change when control maturity is updated, new controls are added via framework
selection, or integration evidence refreshes effective maturity values automatically.
Why is Third-Party Risk High even though I have a vendor policy?
A policy document maps to low maturity. The score reflects whether you have implemented
controls across all five domains: vendor assessment, contractual requirements, cloud
provider security, vendor access reviews, and data handling — and whether those controls
are evidenced.
What does 0% coverage mean?
Zero controls in that category have any maturity score set. They exist in your control
list but none have been implemented, marked in-progress, or validated with evidence.
How do I reduce my Ransomware score fastest?
Check the Risk Improvement Path panel. Backups, Backup Restore Testing, and Endpoint
Protection carry the highest reduction weight for Ransomware. Moving any of these from
maturity 0 to 3 produces an immediate score drop.
Is a higher overall score better or worse?
Higher is better. 100 means all residual risk is fully mitigated. 0 means no controls
are in place. Most organizations in early GRC programs score between 35–65.