Industrial Cybersecurity & OT Risk calculator

Cyber Recovery Readiness Index Calculator

The Cyber Recovery Readiness Index is a risk-priority number for OT resilience: it multiplies how bad a failed recovery would be, how exposed the system is to a disruptive incident, and how weak your recovery capability is. OT security and business-continuity leads use it to rank sites or system tiers by where a ransomware event or destructive attack would leave them unable to restore production. It matters because backups that were never test-restored, undocumented PLC configurations, and missing gold images turn a recoverable incident into a multi-week outage. Scoring readiness on a common scale tells you where to invest in tested backups, recovery runbooks, and spare-controller programs first.

What this calculator does

  • Rank OT cyber recovery readiness using recovery impact, recovery exposure, and readiness weakness.
  • Use it when evaluating backups, restore testing, spare hardware, playbooks, and recovery drills for OT systems.
  • It multiplies three 0-10 sub-scores (recovery impact, recovery exposure, recovery readiness weakness) into a single recovery readiness risk score.

Formula used

  • Cyber recovery readiness risk score = recovery impact score × recovery exposure score × recovery readiness weakness score
  • Use the same scoring scale across comparable sites or OT system tiers.

Inputs explained

  • Recovery impact score:
  • Recovery exposure score:
  • Recovery readiness weakness score:

How to use the result

  • Use it to prioritize backup, runbook, and recovery-capability investment across OT sites or system tiers.
  • It is a relative prioritization score, not a measured recovery time; it only stays meaningful when every tier is scored against the same rubric by the same assessors.

Common questions

  • How do you calculate the cyber recovery readiness index? Multiply the recovery impact score by the recovery exposure score by the recovery readiness weakness score. With 9, 6, and 4 (averaged to 6.7 across tiers), the example risk score is 6.7 on this scale.
  • What is a good cyber recovery readiness score? Lower means lower risk and better readiness. The score is for ranking, so the goal is to drive down the highest-scoring tiers by improving tested backups and runbooks rather than hitting a fixed number.
  • How does this relate to RTO and RPO? It is a fast prioritization proxy, not a measurement. High readiness-weakness and high exposure tiers are the ones most likely to blow past their RTO/RPO targets, so this index points you to where to validate them.
  • Why does recovery readiness weakness matter most? Because untested backups, missing gold images, and no documented PLC restore procedure are what turn a recoverable event into a prolonged outage. A high weakness score multiplies the whole index upward.
  • What pushes the recovery exposure score up? Internet-reachable OT, flat networks, weak segmentation, shared credentials, and a large attack surface all raise exposure, meaning the system is more likely to actually face a destructive incident.

Last reviewed 2026-05-12.