Phishing Exposure Risk Calculator

Estimates your organization's annualized phishing risk exposure (in USD) based on workforce size, email volume, click-through rates, incident response costs, and existing security controls.

Formula

Step 1 — Emails reaching inboxes per year:
Emails_in_Inbox = Employees × Emails_Per_Day × Working_Days × (1 − Filter_Rate)

Step 2 — Effective click rate after training:
Effective_Click_Rate = Baseline_Click_Rate × (1 − Training_Reduction)

Step 3 — Expected clicks per year:
Total_Clicks = Emails_in_Inbox × Effective_Click_Rate

Step 4 — Expected compromises per year:
Total_Compromises = Total_Clicks × Compromise_Rate

Step 5 — Annualized Loss Expectancy (ALE):
ALE = Total_Compromises × Cost_Per_Incident

Step 6 — Probability of at least one incident (Poisson approximation):
P(≥1 incident) = 1 − e^(−Total_Compromises)
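The six steps above carried through in code, as an added example that is not part of the original calculator. It uses the page's mid-range defaults (90% filter rate, 30% baseline click rate, 50% training reduction, 250 working days, $4,700 per incident); the compromise rate has no default on the page, so the 1% used here is a constructed placeholder, as are the two workforce scenarios. It also adds a small control-comparison helper (ALE before and after changing one input) so the ARO × SLE reading of the result is visible.

```python
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PhishingInputs:
    """Inputs to the six-step formula. Defaults follow the page's
    assumptions; compromise_rate is a constructed placeholder."""
    employees: int
    emails_per_day: float            # phishing emails per employee per day
    working_days: int = 250          # 5 days/week x 50 weeks
    filter_rate: float = 0.90        # SEG blocks 85-95%, mid-range
    baseline_click_rate: float = 0.30
    training_reduction: float = 0.50 # training cuts clicks 40-70%, mid-range
    compromise_rate: float = 0.01    # PLACEHOLDER: page gives no default
    cost_per_incident: float = 4700.0  # SLE, mid-range of $4,500-$4,900


def validate(inp: PhishingInputs) -> None:
    """Reject inputs that would make the model meaningless."""
    for name in ("filter_rate", "baseline_click_rate",
                 "training_reduction", "compromise_rate"):
        v = getattr(inp, name)
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be a fraction in [0, 1], got {v}")
    if min(inp.employees, inp.emails_per_day,
           inp.working_days, inp.cost_per_incident) < 0:
        raise ValueError("counts and costs must be non-negative")


def phishing_exposure(inp: PhishingInputs) -> dict:
    """Steps 1-6 of the page's formula. total_compromises plays the role
    of ARO and cost_per_incident the role of SLE, so ale_usd = ARO x SLE."""
    validate(inp)
    # Step 1: emails that get past the filter into inboxes per year
    emails_in_inbox = (inp.employees * inp.emails_per_day
                       * inp.working_days * (1 - inp.filter_rate))
    # Step 2: click rate after training
    effective_click_rate = inp.baseline_click_rate * (1 - inp.training_reduction)
    # Step 3: expected clicks per year
    total_clicks = emails_in_inbox * effective_click_rate
    # Step 4: expected compromises per year (the Poisson rate lambda)
    total_compromises = total_clicks * inp.compromise_rate
    # Step 5: annualized loss expectancy
    ale_usd = total_compromises * inp.cost_per_incident
    # Step 6: probability of at least one incident, 1 - e^(-lambda)
    p_at_least_one = 1.0 - math.exp(-total_compromises)
    return {
        "emails_in_inbox": emails_in_inbox,
        "effective_click_rate": effective_click_rate,
        "total_clicks": total_clicks,
        "total_compromises": total_compromises,
        "ale_usd": ale_usd,
        "p_at_least_one": p_at_least_one,
    }


def ale_reduction(inp: PhishingInputs, **changes) -> float:
    """ALE saved per year by changing one or more inputs, e.g. a better
    filter or more training. Positive means the change lowers exposure."""
    before = phishing_exposure(inp)["ale_usd"]
    after = phishing_exposure(replace(inp, **changes))["ale_usd"]
    return before - after


if __name__ == "__main__":
    # Constructed scenarios: a 500-person firm and a 20-person firm.
    for label, inp in (("500 staff", PhishingInputs(employees=500, emails_per_day=2.0)),
                       ("20 staff", PhishingInputs(employees=20, emails_per_day=1.0))):
        r = phishing_exposure(inp)
        print(f"{label}: lambda={r['total_compromises']:.2f}/yr "
              f"ALE=${r['ale_usd']:,.0f} P(>=1)={r['p_at_least_one']:.3f}")
    saved = ale_reduction(PhishingInputs(employees=500, emails_per_day=2.0),
                          filter_rate=0.95)
    print(f"Raising filter rate 90% -> 95% saves ${saved:,.0f}/yr")
```

The two scenarios show why Step 6 exists: at λ = 37.5 compromises per year the probability of at least one incident is effectively 1, while at λ = 0.75 it is about 53%, a far more informative number for a small organization than the ALE alone.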

Assumptions & References

  • Baseline click rate of ~30% is consistent with industry benchmarks before security awareness training (Proofpoint State of the Phish, 2023).
  • Security awareness training can reduce click rates by 40–70%; a 50% default is used as a mid-range estimate (SANS Security Awareness Report, 2023).
  • Modern enterprise email filters (SEGs) block 85–95% of phishing emails on average (Gartner, 2023).
  • Average cost per phishing incident is estimated at $4,500–$4,900 for SMBs and higher for enterprises (IBM Cost of a Data Breach Report, 2023).
  • The Poisson approximation P(≥1) = 1 − e^(−λ), with λ = Total_Compromises, is appropriate when individual incident probabilities are small and events are independent.
  • ALE is a standard metric from NIST SP 800-30 risk assessment methodology: ALE = ARO × SLE, where ARO is the annual rate of occurrence and SLE is the single loss expectancy.
  • Working days default to 250 (5 days/week × 50 weeks), consistent with US business calendar norms.
  • This calculator models direct incident costs only; indirect costs (reputational damage, regulatory fines, lost productivity) are not included.
