BCAV Asset Valuation Calculator

BCAV is the asset-side companion to CRVE, SCEP, and HAM533. It produces a defensible basic criticality for an asset using three inputs: classification of the data the asset holds, the scope of users who depend on or have access to it, and which categories of high-value data are present. Multiple assets can be assessed and aggregated using the same diminishing-impact composition that STORM uses everywhere else.

Why Basic Criticality

BCAV is intentionally lightweight. It does not try to capture every nuance of asset value — that's what richer asset models are for. It captures enough to rank assets defensibly, to feed an A×T×V×(1−C) risk computation, and to produce a 0–1 number that can be combined with other STORM outputs without unit conversions or scaling adjustments.

Calculator

Add one row per asset. Per-asset criticality updates live as you adjust inputs. The composite across assets uses the STORM diminishing-impact aggregation, so adding ten low-value assets does not produce a composite that exceeds the value of the most critical one by much — matching the real-world intuition that the most critical asset dominates the composite.

Inputs

Classification (1–3)

Public data, internal data, or confidential. The classification sets the baseline harm if the asset is exposed.

User base scope (1–5)

How widely the asset is used or relied upon — from a single user to enterprise-wide plus partners. Wider scope amplifies the impact of any disruption or compromise.

High-value data (six categories)

Tick every category present: customer data, financial records, health information, source code / IP, credentials, and regulated data. Multiple categories compound the asset's criticality, but with diminishing returns — an asset with three categories is materially more critical than one with one, but not three times more.

How the Composite Works

Each asset receives an individual criticality value computed by the STORM API. Across multiple assets, BCAV uses the same diminishing-impact aggregation that STORM applies to threats, vulnerabilities, and controls. The most critical asset counts in full; each successive asset contributes less. This avoids the trap of long lists of low-value assets appearing to dominate one truly critical one.

Related Tools and Reading

• HAM533 Threat Calculator — STORM Threat Assessment transform.
• CRVE Vulnerability Exposure Calculator — STORM Vulnerability Assessment transform for non-CVSS findings.
• SCEP Control Evaluation Calculator — STORM Control Evaluation transform.
• STORM methodology — where BCAV asset values feed into the A×T×V×(1−C) aggregation.

Simplified Total Risk Management, STORM, ATRA, StrongCOR, RAPID, and RSK are trademarks of Andrew T. Robinson.