
Technical Details
Purpose
Our FREE Cybersecurity Assessment and ROI Calculator enable small and medium-sized businesses (SMBs) to measure cybersecurity risk and prioritize CIS Implementation Group 1 (IG1) controls. Designed for SMBs that are not yet IG1-ready, and that often lack IT staff or robust defenses, these tools turn complex risk analysis into actionable insights. This technical page describes our inputs, processes, outputs and industry sources, and how the methodology holds up against quantitative risk approaches such as FAIR and the calibration and metrics work of Hubbard and Seiersen.
The Tools
- Cybersecurity Assessment Quiz: A 20-question self-assessment aligned with CIS IG1 controls and key regulations (e.g., IRS, HIPAA, PCI DSS), delivering a readiness score from 0-58.
- ROI Calculator: Combines quiz results with business impact data to estimate risk reduction, loss ranges, and return on investment (ROI) for selected controls.
- Checklist: A free checklist for documenting and tracking progress.
Inputs
Assessment Quiz
What: 20 questions (e.g., "Do you have multi-factor authentication on all critical accounts? Yes/Some/No") linked to CIS IG1 controls (e.g., MFA, backups, incident response) and essential compliance requirements.
Sources: Built on the CIS IG1 framework, enhanced with SMB-relevant regulations such as IRS Publication 4557 (Safeguarding Taxpayer Data), HIPAA Security Rule (45 CFR Parts 160 and 164), and PCI DSS (Payment Card Industry Data Security Standard).
Logic:
- Each question corresponds to a specific CIS IG1 control or compliance requirement and assesses whether a foundational measure is present and how completely it is implemented. Answers are yes/no or tiered (e.g., "Yes, all accounts" / "Some accounts" / "No" for MFA) to capture partial implementation. Points are weighted by each control's relative effectiveness at reducing risk: MFA earns the most (up to 9 points) because of its impact on preventing unauthorized access (per CIS IG1 v8 Metrics and NIST SP 800-63B), while security awareness training earns fewer (e.g., 2) as a foundational but less direct mitigator (CIS Control 14). A "No" or partial answer (e.g., "Sometimes" for patching) earns zero or reduced points, reflecting incomplete protection. The maximum of 58 represents full IG1 readiness and aggregates the points across the 19 control areas the quiz covers (e.g., 9 for MFA, 5 for encryption, 4 for endpoint protection, most at 2), with weights derived from CIS efficacy studies and NIST guidelines.
- The weighting prioritizes the controls with the greatest risk-reduction potential, informed by data on common SMB weaknesses: Microsoft's Security Intelligence Report finds MFA blocks over 99% of automated account-compromise attacks, justifying its higher weight, while training reduces phishing success by 20-30% (KnowBe4 2023), supporting a lower but still meaningful score. The result is an assessment that reflects real-world cybersecurity priorities for SMBs.
- Reasoning: This approach quickly captures an SMB's current posture and spotlights critical weaknesses without requiring technical expertise. Industry findings support the need: 86% of SMBs lack basic defenses (GetAstra, 2025), 27% fail to protect sensitive data (StrongDM, 2025), and over 50% have no IT support (NinjaOne, 2025), so a simple, control-focused quiz is an effective starting point for resource-constrained businesses to find gaps and align with CIS IG1.
ROI Calculator
What:
- Quiz Score: Current readiness level (0-58).
- Attack Odds Before: Annual risk percentage (user-provided or 70% default).
- Impact Costs: Financial stakes, including assets, downtime (hours × cost/hour), labor (hours × cost/hour), legal fees, recovery expenses, and lost business revenue.
- Controls: CIS IG1 options (e.g., encrypt data, monitor threats) selected for testing.
- Fix Costs: Investment amount for chosen controls (e.g., $500 to $50K range).
Sources: Loss estimates drawn from Verizon DBIR 2023 ($25K median SMB loss), IBM Cost of a Data Breach 2024 ($4.88M average breach cost, across organizations of all sizes), Hiscox Cyber Readiness Report 2023 ($25K-$1M+ SMB losses); controls from the CIS IG1 framework; user inputs supply business-specific context.
Logic:
- Quiz Score: The assessment score is the baseline measure of current CIS IG1 readiness and sets the starting risk level: a low score (0-10) indicates minimal controls and higher exposure, while a high score (e.g., 50) indicates stronger defenses and a smaller baseline adjustment in the simulation.
- Attack Odds Before: Users can enter their own perceived annual risk (e.g., based on prior incidents), or the calculator defaults to 70%, a midpoint derived from the industry data detailed below and representing SMBs with no controls. This value is the initial probability of a breach within a year, which the simulation then reduces according to the selected controls.
- Impact Costs: Financial inputs represent the direct and indirect losses from a breach. Assets (e.g., equipment, data value) and downtime (hours lost × hourly operating cost) are user-estimated; labor (response hours × hourly rate), legal fees (e.g., fines, lawsuits), recovery (e.g., system restoration) and lost business (e.g., customer churn) capture the remaining tangible impacts. Industry figures such as the $25K median loss (Verizon DBIR 2023) and the $212K average ransomware cost (Sophos 2024) provide reference points, and users should adjust for their own operations (e.g., a retail SMB might estimate higher downtime costs).
- Controls: Users select from 19 control options mapped to CIS IG1 (e.g., "Add Login Protection" for MFA, "Develop Response Plan" for incident response). Each carries a specific risk-reduction weight (e.g., 11.25% for MFA, 2.5% for training) drawn from CIS IG1 v8 Metrics and NIST SP 800-53 efficacy data and reflecting its real-world impact on breach prevention or mitigation.
- Fix Costs: Users enter the estimated cost of implementing the selected controls, from low-cost options (e.g., $500 for email security software) to larger investments (e.g., $50K for endpoint protection across all devices), guided by ManaSec's industry-aligned cost estimates and typical SMB budgets (e.g., NIST Cybersecurity Framework implementation costs).
- Reasoning: This structure quantifies financial exposure in realistic breach scenarios. For example, an SMB with 20 employees and $800K revenue might face a $300K ransomware loss (37.5% of revenue, with over 60% closure risk per VikingCloud). Tying controls to CIS IG1 efficacy keeps the risk reduction actionable, costs reflect SMB realities (Verizon, IBM), and user inputs are contextualized by industry benchmarks, making the calculator both practical and data-driven for prioritizing investments.
Processes
Risk Distribution and Baseline
What: A 70% attack odds baseline for SMBs with no controls. Applying the IG1 reduction gives 24.5% from the 70% default, or 22.75% from the 65% average risk of the no-controls group used in the distribution below; the IG2 and IG3 figures of 13.65% and 9.56% continue the chain from 22.75%.
Source:
- Attack Frequency: Verizon DBIR 2023 (43% reported), BKA Cybercrime Report, Upfort 2025, Sophos 2024 (50% ransomware), Accenture Cybercrime Study (43% attacked), Cybersecurity Ventures 2025 (60-75% attacked), Ponemon Institute 2023 (54% attacked).
- Preparedness: GetAstra 2025 (86% unprepared), Positive Technologies 2025 (93% penetrable), NinjaOne 2025 (>50% no IT), StrongDM 2025 (27% unprotected data).
- Risk Reduction: NIST SP 800-53, CIS IG1 v8 Metrics, IBM 2024 (control efficacy), Ponemon Institute 2023 (control impact).
Logic:
- Attack Odds Baseline: Industry data consistently shows 60-75% of SMBs face at least one cyber attack a year. Verizon DBIR 2023 reports 43% confirmed breaches among SMBs under 1,000 employees, and BKA and Upfort estimate a further 20-30% go unreported because of detection gaps or non-reporting, for a 60-75% attack rate. Sophos 2024 finds 50% of SMBs hit by ransomware alone, Accenture's Cybercrime Study aligns with 43% attacked, Cybersecurity Ventures projects 60-75%, and Ponemon Institute 2023 reports 54% attacked, all reinforcing the range. We select 70% as the midpoint for SMBs with no controls, reflecting their heightened exposure: 86% lack basic defenses (GetAstra, 2025), 93% have penetrable networks (Positive Technologies, 2025), over 50% lack dedicated IT support (NinjaOne, 2025), and 27% fail to protect sensitive data (StrongDM, 2025). The figure is a synthesis of attack-frequency and vulnerability data for the 2025 SMB threat landscape, not an arbitrary choice.
- Risk Distribution: We categorize SMB cybersecurity maturity as follows. 75% of SMBs have no controls and average 65% risk, split evenly between half at 90% risk (completely exposed, e.g., no MFA or backups) and half at 40% risk (some informal measures such as basic antivirus), informed by the GetAstra, Positive Technologies, NinjaOne and StrongDM findings above. A further 20% have implemented IG1 (22.75% risk), 3% IG2 (13.65%), and 2% IG3 (9.56%), based on observed CIS adoption trends and Ponemon Institute's data on control uptake among SMBs. The weighted average of this distribution is 75% × 65% + 20% × 22.75% + 3% × 13.65% + 2% × 9.56% ≈ 54%, which sits between Verizon's 43% reported rate and the 60-75% estimate that includes unreported attacks; the bimodal split between fully exposed and minimally protected firms is consistent with penetration testing trends.
- Risk Reductions: IG1 reduces risk by 65%, the midpoint of the 60-70% collective reduction that NIST SP 800-53 and CIS IG1 v8 Metrics attribute to foundational controls (e.g., MFA, backups, encryption), supported by IBM 2024 data on control-specific impacts and Ponemon Institute 2023 findings on basic control efficacy. IG2 adds a further 40% reduction through measures such as threat hunting, and IG3 a further 30% with AI-driven analytics, per CIS benchmarks and IBM's control effectiveness studies. The reductions are applied sequentially as relative factors. From the 70% default baseline: 70% × (1 - 0.65) = 24.5%, then 24.5% × (1 - 0.40) = 14.7%, then 14.7% × (1 - 0.30) ≈ 10.3%. From the 65% average of the no-controls group: 65% × 0.35 = 22.75%, then 22.75% × 0.60 = 13.65%, then 13.65% × 0.70 ≈ 9.56%. The 22.75/13.65/9.56 chain is the one used in the distribution above; the 24.5% figure is the IG1 floor applied in the simulation.
- Reasoning: The 70% baseline captures the reality for SMBs with no controls (99.9% of U.S. firms are SMBs, 86% are defenseless, and 60-75% are attacked yearly), while the distribution reflects varying preparedness levels and is checked against Verizon's 43% reported rate and the 60-75% estimated range. Reductions are grounded in CIS and NIST efficacy data, giving a realistic progression without speculative precision.
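As an added check (example code written for this page, not ManaSec's calculator), the sequential reduction chain and the blended attack rate above can be reproduced in a few lines of Python. The maturity shares, residual odds and IG reductions are the page's figures; the rounding to five decimals is an assumption of the example.

```python
# Added example, not ManaSec's calculator code: reproduce the baseline
# arithmetic so the IG chain and the blended attack rate can be checked.

def ig_chain(baseline, reductions):
    """Apply sequential relative reductions to a baseline attack probability.

    baseline   -- annual attack probability for a firm with no controls
    reductions -- relative reductions for IG1, IG2, IG3 in order
    Returns the residual probability after each group (rounded to 5 places).
    """
    residual, out = baseline, []
    for r in reductions:
        residual *= (1.0 - r)
        out.append(round(residual, 5))
    return out


def blended_attack_rate(distribution):
    """Population-weighted attack rate from (share, residual_odds) pairs.
    Raises if the shares do not describe a whole population."""
    total_share = sum(share for share, _ in distribution)
    if abs(total_share - 1.0) > 1e-9:
        raise ValueError(f"maturity shares sum to {total_share}, not 1.0")
    return round(sum(share * odds for share, odds in distribution), 5)


IG_REDUCTIONS = (0.65, 0.40, 0.30)   # IG1, IG2, IG3 as stated on the page

# Chain from the 70% default: 24.5% / 14.7% / 10.29%
FROM_DEFAULT = ig_chain(0.70, IG_REDUCTIONS)
# Chain from the 65% average of the no-controls group: 22.75% / 13.65% / 9.555%
FROM_AVERAGE = ig_chain(0.65, IG_REDUCTIONS)

# Maturity mix from the page: share of SMBs and their residual annual odds
MATURITY_MIX = [
    (0.375, 0.90),            # half of the 75% with no controls: fully exposed
    (0.375, 0.40),            # the other half: informal measures only
    (0.20, FROM_AVERAGE[0]),  # IG1
    (0.03, FROM_AVERAGE[1]),  # IG2
    (0.02, FROM_AVERAGE[2]),  # IG3
]
BLENDED = blended_attack_rate(MATURITY_MIX)   # about 0.539, not 0.43

if __name__ == "__main__":
    print("chain from 70%:", FROM_DEFAULT)
    print("chain from 65%:", FROM_AVERAGE)
    print("blended attack rate:", BLENDED)
```

Running it shows the two chains side by side and a blended rate of about 54%, which is the number the distribution actually produces and the one to compare against the reported and estimated attack rates.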
Monte Carlo Simulation
What: Runs 1,000 breach scenarios to estimate attack odds, Single Loss Expectancy (SLE), and Annualized Loss Expectancy (ALE), capturing variability in risk and impact.
Source:
- Loss Data: IBM Cost of a Data Breach 2024 ($4.88M average breach cost), Hiscox Cyber Readiness Report 2023 ($25K-$1M+ SMB losses), FBI IC3 2023 ($12.5B U.S. losses, SMBs dominant), Verizon DBIR 2023 ($25K median SMB loss).
- Variability: Ponemon Institute 2023 (cost variability), Sophos 2024 (ransomware impact), Cybersecurity Ventures 2025 (loss ranges).
Logic:
- Odds: Each selected control reduces the baseline attack odds by its weight. MFA contributes the largest reduction (11.25%) because of its proven effect against credential theft (over 99% of automated account attacks blocked, per Microsoft's Security Intelligence Report), while training contributes less (2.5%) as a foundational awareness step (20-30% phishing reduction per KnowBe4 2023); the weights come from CIS IG1 v8 Metrics and NIST SP 800-63B efficacy data. In each scenario three adjustments are applied in order: every weight is multiplied by a random factor between 80% and 120% to reflect differences in implementation quality (e.g., MFA setup or training engagement); the resulting odds are floored at 24.5%, the IG1 residual from the 70% baseline, so that no combination of controls claims more than full IG1 adoption; and the odds are then varied by a further ±10% for external uncertainties such as evolving threat tactics or user error. The result is a realistic range of outcomes rather than a single point.
- SLE: The user-provided impact costs (assets, downtime as hours lost × hourly operating cost, labor as response hours × hourly rate, legal fees, recovery expenses and lost business revenue) each vary by ±10% per scenario to mimic natural variation in breach impact, such as shorter or longer downtime or different legal penalties. A fixed indirect-loss amount is added, from $300K for assets of $100K or less up to $1M for assets above $1M, representing reputation damage, lost productivity and regulatory fines, informed by IBM 2024's indirect cost estimates and Hiscox 2023's SMB loss ranges. A severity multiplier drawn uniformly from 1x to 5x then scales the total, from a contained incident (1x) to a full ransomware lockdown (5x), so the model reaches extremes such as a $1.5M loss from a $300K base impact at maximum severity, consistent with Sophos 2024's $1M+ ransomware data.
- ALE: For each of the 1,000 iterations the annual expected loss is the attack odds multiplied by the SLE, computed both before controls (baseline odds) and after (reduced odds). For example, 70% odds on a $500K SLE give a $350K ALE before controls, which falls once the selected controls reduce the odds. The simulation averages the results for a stable estimate and reports ranges drawn from the variability in odds and severity, giving a before-and-after risk profile.
Scaling Concepts:
- Control weights reflect each control's real-world risk reduction (e.g., MFA's higher weight reflects its critical role in access security), sourced from CIS and NIST data.
- Random scaling (±20%) introduces variability in control effectiveness, acknowledging differences in execution across SMBs (e.g., robust vs. basic MFA).
- Asset-based scaling (1-3x) adjusts the fixed indirect cost to business size, so larger SMBs face proportionally higher indirect losses.
- Severity scaling (1-5x) captures the full spectrum of breach impacts, from minor disruptions to million-dollar ransomware events, consistent with industry loss distributions.
- Reasoning: This process mirrors SMB breach patterns ($25K typical losses escalating to $1M+ in severe cases, per Verizon DBIR 2023 and Hiscox 2023) and attack frequencies of 60-75% (Sophos 2024, FBI IC3 2023), with scaling providing both statistical rigor and usability for SMBs without deep expertise. The simulation's variability is consistent with Ponemon Institute 2023 findings on cost fluctuation and Cybersecurity Ventures 2025's loss-range projections, giving a realistic yet simplified risk profile grounded in industry data.
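The following is an added worked example, not ManaSec's calculator code, showing one way to implement the odds, SLE and ALE logic above as a seeded Monte Carlo run and to carry the result through to savings and ROI (savings divided by fix cost). The control names other than MFA and training, their weights, the linear ramp of the asset multiplier between $100K and $1M, and the sample cost inputs are assumptions made for illustration.

```python
# Added example, not ManaSec's calculator code: a seeded Monte Carlo run of
# the odds / SLE / ALE logic described on the page.
import random
import statistics

BASELINE_ODDS = 0.70         # default annual attack probability with no controls
IG1_FLOOR = 0.245            # 70% x (1 - 0.65): residual odds at full IG1 adoption
IMPL_RANGE = (0.80, 1.20)    # implementation-quality factor applied to each weight
SEVERITY_RANGE = (1.0, 5.0)  # uniform severity multiplier on the loss
NOISE = 0.10                 # +/-10% applied to the odds and to each cost input

# Relative reduction of the baseline odds per selected control. The MFA and
# training figures are the page's; "backups" and "patching" are assumed here.
CONTROL_WEIGHTS = {"mfa": 0.1125, "training": 0.025, "backups": 0.05, "patching": 0.04}


def indirect_cost(assets):
    """$300K indirect-loss add-on scaled 1x (assets <= $100K) to 3x (> $1M).
    The linear ramp between those tiers is an assumption of this example."""
    if assets <= 100_000:
        scale = 1.0
    elif assets > 1_000_000:
        scale = 3.0
    else:
        scale = 1.0 + 2.0 * (assets - 100_000) / 900_000
    return 300_000 * scale


def jitter(value, rng, spread=NOISE):
    """Scale value by a uniform factor in [1 - spread, 1 + spread]."""
    return value * rng.uniform(1.0 - spread, 1.0 + spread)


def scenario_odds(selected, rng, weights=CONTROL_WEIGHTS):
    """Post-control odds for one scenario, in the order the page describes:
    weights x 80-120%, floor at the IG1 residual, then +/-10% external noise."""
    reduction = sum(weights[c] * rng.uniform(*IMPL_RANGE) for c in selected)
    odds = max(BASELINE_ODDS * (1.0 - reduction), IG1_FLOOR)
    return min(jitter(odds, rng), 1.0)


def scenario_sle(costs, assets, rng):
    """SLE for one scenario: jittered user costs plus the asset-scaled
    indirect add-on, multiplied by a uniform 1-5x severity draw."""
    direct = sum(jitter(v, rng) for v in costs.values())
    return (direct + indirect_cost(assets)) * rng.uniform(*SEVERITY_RANGE)


def simulate(costs, assets, selected, fix_cost, runs=1000, seed=1,
             weights=CONTROL_WEIGHTS):
    """Run the scenarios and return mean odds, SLE and ALE before/after
    controls, the observed odds range, savings, and ROI as savings / fix_cost."""
    rng = random.Random(seed)
    odds, sles, before, after = [], [], [], []
    for _ in range(runs):
        sle = scenario_sle(costs, assets, rng)
        post = scenario_odds(selected, rng, weights)
        sles.append(sle)
        odds.append(post)
        before.append(BASELINE_ODDS * sle)
        after.append(post * sle)
    ale_before, ale_after = statistics.mean(before), statistics.mean(after)
    savings = ale_before - ale_after
    return {
        "odds_after": statistics.mean(odds),
        "odds_range": (min(odds), max(odds)),
        "sle": statistics.mean(sles),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "savings": savings,
        "roi_pct": 100.0 * savings / fix_cost,
    }


# Constructed sample inputs for a small firm (assumed, not from the page).
SAMPLE_COSTS = {
    "assets": 80_000,
    "downtime": 40 * 500,    # hours lost x cost per hour
    "labor": 60 * 150,       # response hours x hourly rate
    "legal": 20_000,
    "recovery": 15_000,
    "lost_business": 50_000,
}

if __name__ == "__main__":
    result = simulate(SAMPLE_COSTS, assets=80_000,
                      selected=["mfa", "training"], fix_cost=5_000)
    for key, value in result.items():
        print(f"{key:>11}: {value}")
```

Because the floor is applied before the ±10% external adjustment, a weight table whose selected weights sum to 65% or more still yields odds between roughly 22% and 37% rather than collapsing toward zero; that is the behaviour the cap exists to enforce, and it is worth re-checking whenever the weight table is edited.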
Loss Percentiles and Closure
What: The average SLE from the Monte Carlo simulation is scaled 1-3x by asset size and a 30% coefficient of variation (CV) is applied to derive percentiles (5th, 25th, 50th, 75th, and the 90th, the high-end loss that has a 10% chance of being reached or exceeded), alongside closure rates tied to loss thresholds.
Source:
- Loss Ranges: VikingCloud (55% collapse at $50K, 60% at $300K+), NAVEX 2025 (91% uninsured), Sophos 2024 ($1M+ ransomware), IBM 2024 ($4.88M average breach), Hiscox 2023 ($25K-$1M+), Ponemon Institute 2023 (SMB loss variability), Cybersecurity Ventures 2025 (loss escalation).
- Closure: Verizon DBIR 2023 (financial impact), Cybersecurity Ventures 2025 (SMB survival), IBM 2024 (cost escalation).
Logic:
- Loss Percentiles: With a 30% CV the standard deviation is set to 30% of the average SLE, giving a moderate spread of losses. The percentiles are computed analytically from that mean and standard deviation under a normal assumption rather than read off the 1,000 simulated scenarios: the 5th percentile is the average minus 1.645 standard deviations, the 25th and 75th are the average minus and plus 0.674 standard deviations, and the high-end loss with a 10% chance of being reached or exceeded (the 90th percentile) is the average plus 1.282 standard deviations. The 50th percentile equals the average SLE, since a normal distribution's mean and median coincide. For example, a $500K average SLE with a 30% CV has a $150K standard deviation and ranges from roughly $250K (5th) to $700K (90th). Real loss distributions skew higher because of rare severe events, so this simplification understates the upper tail. The 1-3x asset scaling adjusts the base SLE to business size, with a 1x multiplier for SMBs with $100K or less in assets rising to 3x above $1M, so that loss estimates track the firm's financial exposure, as supported by IBM 2024's cost scaling and Hiscox 2023's SMB loss data.
- Closure Rates: Closure probability rises with loss size: 55% of SMBs fail at losses up to $50K, 60% between $50K and $300K, and 70% or more above $300K. The first two tiers follow VikingCloud's survival data; the 70%+ tier extends that data using NAVEX's 2025 finding that 91% of SMBs are uninsured and IBM 2024's escalation of breach costs beyond direct losses ($4.88M average including indirect impacts). Combining a 60% closure rate with the 60-75% annual attack rate gives 36-45% of all SMBs not surviving six months after an attack. That figure assumes every attack produces a loss in those ranges, so it is best read as an upper bound for attacked firms; at the same time, Sophos 2024's $1M+ ransomware impacts, Hiscox 2023's severe-loss trends and Cybersecurity Ventures 2025's failure projections indicate higher closure risk for uninsured firms facing large breaches (e.g., a $300K loss on $800K revenue exceeds typical survival capacity).
- Reasoning: The 30% CV keeps variability understandable for SMBs and is intentionally lower than the 0.5-1.0 CVs seen in industry loss data (Verizon DBIR 2023); it is paired with the simulation's 1-5x severity scaling to capture $1M+ outliers (Ponemon Institute 2023, Sophos 2024), balancing usability with realism. Closure rates reflect financial resilience data, with the 70%+ upper bound grounded in IBM and Hiscox escalation trends and reinforced by Cybersecurity Ventures' survival projections and Verizon's financial impact findings, giving a defensible estimate that conveys urgency without overstatement.
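As an added example (not ManaSec's code) of the percentile band and closure tiers described above, the Python below derives the percentiles from the mean SLE with the standard library's NormalDist rather than hard-coded z-values, applies the 1-3x asset multiplier (the linear ramp between $100K and $1M is assumed), and clamps the low end at zero. The clamp matters once the CV is raised toward the 0.5-1.0 industry range, where a normal model would otherwise report a negative 5th-percentile loss.

```python
# Added example, not ManaSec's calculator code: normal-approximation loss
# percentiles and closure tiers from a mean SLE.
from statistics import NormalDist

PERCENTILES = (0.05, 0.25, 0.50, 0.75, 0.90)  # 0.90 is the page's "high end"


def asset_multiplier(assets):
    """1x at <= $100K assets, 3x above $1M; the linear ramp between is assumed."""
    if assets <= 100_000:
        return 1.0
    if assets > 1_000_000:
        return 3.0
    return 1.0 + 2.0 * (assets - 100_000) / 900_000


def loss_band(mean_sle, assets, cv=0.30):
    """Return {percentile: loss} for a normal with SD = cv x (scaled mean).
    Losses are clamped at zero: with a large CV the normal model would
    otherwise produce a negative low-end loss, which has no meaning."""
    mean = mean_sle * asset_multiplier(assets)
    sd = cv * mean
    z = NormalDist()  # inv_cdf(0.05) = -1.645, inv_cdf(0.90) = 1.282
    return {p: max(0.0, mean + z.inv_cdf(p) * sd) for p in PERCENTILES}


def closure_probability(loss):
    """Closure tiers from the page: 55% up to $50K, 60% from $50K to $300K,
    and 70% (the page's extrapolated upper bound) above $300K."""
    if loss <= 50_000:
        return 0.55
    if loss <= 300_000:
        return 0.60
    return 0.70


def report(mean_sle, assets, cv=0.30):
    """Pair each percentile's loss (rounded to whole dollars) with the closure
    probability that tier implies."""
    band = loss_band(mean_sle, assets, cv)
    return {p: (round(v), closure_probability(v)) for p, v in band.items()}


if __name__ == "__main__":
    for p, (loss, closure) in report(500_000, 50_000).items():
        print(f"p{int(p * 100):02d}: ${loss:>9,}  closure {closure:.0%}")
    print("5th percentile at CV 0.7:", loss_band(500_000, 50_000, cv=0.70)[0.05])
```

With the page's $500K example the band runs from about $253K at the 5th percentile to about $692K at the 90th; raising the CV to 0.7 drives the unclamped 5th percentile below zero, which is the point at which a lognormal or the empirical simulation percentiles become the better choice.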
ROI Calculation
What: Savings are ALE before minus ALE after, and ROI is savings divided by fix costs, expressed as a percentage, giving a financial metric for control prioritization. Note that this is a benefit-to-cost ratio: the conventional net ROI, (savings - cost) / cost, is 100 percentage points lower, so a 200% figure here corresponds to a 100% net return.
Source:
- Costs: ManaSec estimates ($500-$50K control costs), Verizon DBIR 2023 ($25K median loss), IBM 2024 (breach cost savings), NIST Cybersecurity Framework (implementation costs).
- Efficacy: CIS IG1 v8 Metrics, NIST SP 800-53, Ponemon Institute 2023 (control ROI), KnowBe4 2023 (training impact).
Logic:
- Savings: The difference between ALE before (baseline odds × SLE) and ALE after (reduced odds × SLE) is the annual financial benefit of the selected controls, taken from the Monte Carlo simulation's 1,000 scenarios. For example, reducing odds from 70% to 50% on a $500K SLE saves $100K a year ($350K - $250K). The difference is averaged across iterations for a stable estimate, with a range reflecting the variability in odds (the ±20% implementation factor and ±10% external factor) and severity (1-5x), so the savings cover both typical and extreme outcomes; a range might span $50K to $150K depending on breach severity and control effectiveness.
- ROI: Savings are divided by the user-provided cost of the selected controls (e.g., $500 for email security software, $50K for endpoint protection across a fleet) and expressed as a percentage, as defined above: $100K of savings on a $50K investment yields 200%, and $50K of savings on a $500 control yields 10,000%. Control weights (e.g., 11.25% for MFA, 2.5% for training) scale the risk reduction, so high-impact controls such as MFA (per CIS v8 Metrics; over 99% of automated account attacks blocked per Microsoft) show greater savings than foundational steps such as training (20-30% phishing reduction per KnowBe4 2023). Cost estimates follow industry norms (e.g., $500-$2K for training per NIST, $1K-$5K for endpoint tools per ManaSec), so an SMB can prioritize a $500 MFA deployment over a $1K monitoring solution when the former offers comparable or better risk reduction, as supported by Ponemon Institute 2023's ROI data on control investments.
- Reasoning: This gives SMBs a practical, financially grounded metric for evaluating control investments, using CIS IG1 v8 Metrics and NIST SP 800-53 efficacy data for control impact and real-world cost ranges (ManaSec, IBM 2024) for feasibility. The scaled weights ensure ROI reflects each control's actual risk-reduction potential (e.g., MFA's higher weight drives higher savings), and the simulation's variability gives a realistic range of outcomes, making the result actionable and defensible for SMB decisions.
Outputs
Quiz: Score (0-58), gaps (e.g., no vendor checks).
ROI: Reduced odds, loss range (5th to 90th percentile, the high end having a 10% chance of being reached or exceeded), savings, ROI, updated score, gaps.
Logic: Links CIS IG1 progress to financial outcomes, quantifying risk reduction and investment value.
Reasoning: Provides clear, measurable results that SMBs can act on, avoiding technical overload while showing tangible benefits.
Validation Through Risk Management Frameworks
FAIR: Jack Jones' framework quantifies risk as loss event frequency combined with loss magnitude. We model attack odds (frequency) and losses (magnitude) probabilistically along those same two axes.
Hubbard: Douglas Hubbard's calibration methods avoid overconfidence by estimating in ranges and testing those estimates. We use midpoints of sourced ranges and repeated simulation.
Seiersen: Richard Seiersen’s actionable metrics ensure usability. We focus on practical ROI.
Why Chosen: FAIR’s rigor, Hubbard’s precision, and Seiersen’s practicality make our tools credible and accessible.
Standing Up to Scrutiny
- FAIR Alignment: Attack frequency (60-75%, i.e., 43% reported plus unreported attacks) and loss magnitude ($25K-$1M+) map to FAIR's frequency and magnitude components, with the 93% penetrability finding informing the vulnerability side.
- Hubbard Calibration: Working in ranges (40-90% risk, 60-70% reduction) and checking the blended distribution against Verizon's 43% reported rate avoids false precision.
- Seiersen Practicality: ROI and control impacts are actionable, and uncertainty is made explicit through randomized scenarios rather than single point estimates.
- Data Robustness: Sources include Verizon DBIR 2023, BKA, Upfort, Sophos 2024, Accenture, GetAstra 2025, Positive Technologies 2025, NinjaOne 2025, StrongDM 2025, FBI IC3 2023 ($12.5B losses), IBM 2024, Hiscox 2023, Ponemon Institute 2023, Cybersecurity Ventures 2025, NIST SP 800-53, CIS IG1 v8 Metrics, Microsoft Security Intelligence, KnowBe4 2023.
- Scaling Rigor: Weights (e.g., 11.25% for MFA) come from CIS v8 Metrics and are scaled with implementation and severity factors.
- Limitations: The 30% CV is lower than the CVs seen in industry loss data, the percentile band assumes normality, and user inputs are subjective; these are mitigated by conservative estimates and the option of a consultation.
Why It Works
For an SMB, e.g., no IT, no insurance, and $800K revenue facing $300K+ losses (over 60% closure risk), this is a lifeline. Grounded in CIS IG1, engineered using industry data, and scaled realistically, it stands firm under quantitative risk methodologies and will significantly assist SMBs in assessing their cybersecurity posture.
Disclaimer
Estimates are based on industry data and general SMB trends, as detailed here on this page. It is the responsibility of the person using these tools to understand the intended purposes, processes, methodologies, logic, and assumptions of the risk estimates. For a precise risk assessment, contact ManaSec to schedule a tailored consultation. If there are any questions or suggestions, please reach out to support@manasec.io