SCEP Control Evaluation Calculator

SCEP is the control-side counterpart to CRVE. It takes an initial exposure value — typically the output of an SVA transform (CVSSA, CRVE, or SEM) — and credits mitigating controls against it to produce a defensible residual exposure. The aggregation uses the diminishing-impact formula that STORM/RSK uses throughout, so the number SCEP produces is directly comparable to other STORM measurements.

Why Diminishing Impact Matters

If two controls each mitigate 48% of a vulnerability, stacking them does not yield 96% mitigation — it yields 60%. The second control is addressing an already-diminished exposure. Multiplicative models that treat controls as independent filters systematically undercount residual exposure. STORM's diminishing-impact aggregation sorts corrections by strength and weights each subsequent correction at a fraction of the strongest, reflecting the reality that the best control does most of the work and additional controls yield diminishing returns.

Calculator

Set the initial exposure, then add one row per mitigating control. Select a control type, adjust its correction value within the range appropriate for that type, and optionally annotate it. Residual exposure updates live.

How the Residual Is Computed

SCEP aggregates control corrections using the same diminishing-impact composition that STORM and RSK measurements use throughout. Corrections are sorted by strength: the strongest control counts in full and each successive control contributes a smaller share, reflecting the practical reality that the best control does most of the work. The aggregated correction is capped at 1.0 and then applied to the initial exposure to produce the residual, so no stack of controls can yield a negative residual.

The full mathematical treatment, including why STORM uses this composition and how maturity adjustment works, appears in the STORM/RSK white paper. The calculator above sends inputs to the STORM API — no STORM math runs in your browser.

Control Types

Preventive
Stops exploitation before it occurs. Full 0–100% range. Examples: input validation, patching, access control.
Detective
Detects exploitation so response can limit damage. Capped below 100% — detection alone cannot eliminate an exposure. Examples: logging, SIEM, intrusion detection.
Corrective
Reverses or repairs damage after exploitation. Capped below 100%. Examples: backups with tested restore, rollback procedures.
Compensating
Indirectly addresses the vulnerability when the preferred control is not feasible. Examples: network segmentation compensating for a legacy system that cannot be patched.
Transfer — Insurance
Financial transfer of loss via cyber insurance. Bounded (10–70%) because insurance rarely covers the full loss and never covers reputational damage. Note required.
Transfer — Contractual
Contractual allocation of loss to a counterparty (MSP, cloud provider, supplier). Bounded by counterparty solvency and contract scope. Note required.
Avoid
Eliminate the exposure by removing the activity or asset entirely. Fixed at 100% — if the asset is gone, its exposure is gone. Note required.
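The residual computation and the control-type bounds above, as an added illustration that is not STORM's own code and does not reproduce the white paper's exact composition. It assumes the aggregation reads as "strongest correction in full, every later correction at a fixed fraction of its value", with the fraction set to 0.25 so the page's 48% + 48% = 60% figure holds; bounds the page states only qualitatively (Detective, Corrective, Compensating, Contractual) are placeholders marked in the code.

```python
from dataclasses import dataclass

# Assumed weight for every control after the strongest. The page's worked
# figure (48% + 48% stacks to 60%, not 96%) implies 0.25 under a "fixed
# fraction of each subsequent correction" reading; STORM's actual
# composition is defined in the white paper and may differ.
SUBSEQUENT_WEIGHT = 0.25

# (min, max, note_required) per control type, as fractions. Insurance
# (10-70%) and Avoid (fixed 100%) are stated on the page. Detective and
# Corrective are only "capped below 100%", so 0.9 is a placeholder cap;
# Compensating and Contractual carry no numeric bound on the page.
BOUNDS = {
    "preventive":   (0.0, 1.0, False),
    "detective":    (0.0, 0.9, False),
    "corrective":   (0.0, 0.9, False),
    "compensating": (0.0, 1.0, False),
    "insurance":    (0.1, 0.7, True),
    "contractual":  (0.0, 1.0, True),
    "avoid":        (1.0, 1.0, True),
}

@dataclass(frozen=True)
class Control:
    kind: str
    correction: float   # share of the exposure this control mitigates
    note: str = ""

def validate(control: Control) -> float:
    """Reject out-of-range corrections and missing mandatory notes."""
    lo, hi, note_required = BOUNDS[control.kind]
    if not lo <= control.correction <= hi:
        raise ValueError(f"{control.kind}: {control.correction} outside [{lo}, {hi}]")
    if note_required and not control.note.strip():
        raise ValueError(f"{control.kind}: note required")
    return control.correction

def aggregate(controls) -> float:
    """Strongest control in full, each weaker one at SUBSEQUENT_WEIGHT, capped at 1.0."""
    ranked = sorted((validate(c) for c in controls), reverse=True)
    if not ranked:
        return 0.0
    total = ranked[0] + SUBSEQUENT_WEIGHT * sum(ranked[1:])
    return min(total, 1.0)

def residual(initial: float, controls) -> float:
    """Residual exposure after crediting the control stack; never negative."""
    return initial * (1.0 - aggregate(controls))
```

With two 48% preventive controls, `aggregate` returns 0.60 and `residual(10.0, ...)` returns 4.0, matching the page's worked figure under the assumed weight.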

Simplified Total Risk Management, STORM, ATRA, StrongCOR, RAPID, and RSK are trademarks of Andrew T. Robinson.