Portfolio Avg Score
Enter KPIs to score
Target Avg
Revenue tier baseline
Critical Domains
0
Score ≥ 16
Elevated Domains
0
Score 10–15
Domain LIScoreTargetZone Evidence / KPI Signal

Scoring Model

CALIBR uses an urgency-based model. Findings ≥ 70 are "Urgent"; findings < 70 need attention but are not immediately urgent.

Risk Score = Likelihood × Impact Likelihood = base_L × urgency_multiplier Urgency multiplier: Any findings ≥ 70 present → 1.5× Only <70 findings present → 1.0× No findings → 0×

Risk Zone Heat Map

ScoreZoneResponse
≥ 16CriticalImmediate escalation; executive sponsor; 30-day plan
10–15ElevatedActive remediation; monthly tracking
5–9ModerateManaged mitigation; quarterly review
1–4LowMonitor; annual review sufficient
0NoneNo open findings — maintain controls

Revenue Tier — Target Baselines

RevenueTarget AvgRationale
Under $100M6Emerging program
$100M – $500M7Mid-market; formalized program expected
$500M – $1B8Enterprise; board-level oversight required
$1B – $5B9Large enterprise; regulatory scrutiny high
$5B+10Global enterprise; continuous monitoring standard

KPI Threshold Reference

KPIGreenAmberRed
MFA Enrollment %≥ 98%95–97%< 90%
Privileged Accts Managed %≥ 100%95–99%< 85%
Domain Admin Managed %≥ 100%95–99%< 85%
Service Accts Vaulted %≥ 95%85–94%< 70%
Servers Onboarded %≥ 95%85–94%< 70%
SSO Coverage %≥ 95%85–94%< 75%
IGA/RBAC Coverage %≥ 90%75–89%< 60%
Vuln MTTR — Internal≤ 60 days61–90 days> 90 days
Vuln MTTR — External≤ 30 days31–60 days> 60 days
Int Avg Days Open≤ 60 days61–120 days> 120 days
Ext Avg Days Open≤ 30 days31–90 days> 90 days
Phish Prone %< 5.2%5.3–10.6%> 10.6%
Phish Reporting %≥ 15%5–14%< 5%
Security Stack Coverage %≥ 95%85–94%< 85%
Asset Visibility %≥ 95%85–94%< 85%
Incident SLA Compliance %≥ 95%90–95%< 80%
Contractor Access %≥ 95%85–94%< 70%
3rd Party External Score≥ 9070–89< 60
CALIBR — KPI-Driven Cyber Risk Framework  |  calibrframework.com  |  Revenue-scaled · Urgency-driven · Audit-defensible