Industrial Cybersecurity & OT Risk worked example
Security Control Gap with 300 required OT security controls: a worked example
This scenario runs the security control gap calculation on the strong side: required OT security controls set to 300 controls, with every other input held at its documented default. Use it when preparing audit remediation, IEC 62443 program reviews, NIST CSF mapping, or site security roadmaps.
The inputs for this scenario
- Required OT security controls: 300 controls (raised for this scenario; the documented default is 120)
- Implemented OT security controls: 84 controls (unchanged)
- Accepted compensating controls or exceptions: 8 controls (unchanged)
Working through the calculation
- Applying the documented formula (Security control gap = required OT security controls - implemented OT security controls - accepted compensating controls or exceptions) to the inputs above produces each figure below.
- At this operating point the engine returns 2,700 % for security control gap rate, the number this scenario is built around.
- At this operating point the engine returns 216 value for absolute margin.
- At this operating point the engine returns 300 value for available amount.
- At this operating point the engine returns 84 value for required amount.
How this compares with the baseline
- Against the tool's baseline example, where required OT security controls sits at 120 controls and the headline result is 450 %, this scenario comes in 500% above the baseline at 2,700 %.
- Use it after a controls assessment to size remediation scope, or quarterly to trend coverage against your security baseline. Treat this as a target state: the delta against the baseline quantifies what the improvement is worth before you commit to chasing it.
Results at a glance
- Security control gap rate: 2,700 % (headline result)
- Absolute margin: 216 value
- Available amount: 300 value
- Required amount: 84 value
Run it with your numbers
- Every input above is editable in the live Security Control Gap calculator, which recalculates instantly and can be shared with the inputs intact.
Last reviewed 2026-05-12.