Industrial Cybersecurity & OT Risk calculator

Legacy OS Risk Score Calculator

The Legacy OS Risk Score is a multiplicative risk index for unsupported operating systems — Windows XP, 7, Server 2003/2008 and similar — still running production OT equipment. It mirrors the FMEA RPN structure: business impact times network exposure times the weakness of compensating controls. OT cybersecurity teams and risk owners use it to rank a long list of legacy boxes so remediation budget goes to the assets that are simultaneously high-impact, reachable and poorly protected. Because it is multiplicative, a single high factor — like a wide-open network path — pushes an asset to the top even if the other factors are moderate.

What this calculator does

  • Rank risk from legacy operating systems in OT using impact, exposure, and compensating control weakness.
  • Use it when prioritizing unsupported HMIs, engineering stations, historians, and SCADA servers for upgrade or isolation.
  • It multiplies three ratings — legacy OS impact, network exposure and compensating-control weakness — into a single comparative risk score for an unsupported OT asset.

Formula used

  • Legacy OS risk score = legacy OS impact score × legacy OS exposure score × compensating control weakness score
  • Use the same scoring scale across comparable legacy OS assets.

Inputs explained

  • Legacy OS business impact rating:
  • Legacy OS network exposure rating:
  • Compensating control weakness rating:

How to use the result

  • Use it to triage a fleet of legacy OS assets and decide which to isolate, replace or virtually patch first.
  • The score is only meaningful relative to other assets scored on the identical scale; an absolute number carries no inherent threshold, so consistent rating definitions are essential.

Common questions

  • How do you calculate a legacy OS risk score? Multiply the three ratings together: impact x exposure x control weakness. Using the calculator's weighting, ratings of 9, 6 and 5 produce a composite score of about 6.95 on its normalized scale.
  • Why multiply the factors instead of adding them? Multiplication makes risk compound — an asset that is critical, exposed and unprotected scores far higher than one with a single bad factor. Adding would let a low exposure quietly cancel a high impact, hiding genuinely dangerous assets.
  • What is a high legacy OS risk score? There is no universal cutoff because the score is relative. Rank your assets, then treat the top decile as urgent. The example score of 6.95 is only interpretable against your other legacy assets scored the same way.
  • How should I rate compensating control weakness? Rate it high when controls are absent or weak (flat network, no monitoring, shared credentials) and low when the asset is tightly segmented, application-whitelisted and monitored. Strong controls are the cheapest way to drop an asset's score without replacing the OS.
  • What is the fastest way to lower a legacy OS risk score? Reduce the factor you can change cheapest — usually exposure, via network segmentation and removing internet/IT routes, or control weakness, via whitelisting and monitoring. Both cut the score without the cost and downtime of an OS upgrade.

Last reviewed 2026-05-12.