In Quantitative Risk Analysis, we try to translate every information asset element into monetary value. There are three steps in Quantitative Risk Analysis:
- Determine Single Loss Expectancy (SLE):
- Determine Annual Rate of Occurrence (ARO):
- Determine Annual Loss Expectancy (ALE):
Single Loss Expectancy is a measure of the money loss that an information asset will suffer due to the activation of a threat.
SLE = Asset Value ($) x Exposure Factor (%)
For example if the asset value is 2 million dollars and the Exposure Factor is 50%, then SLE is 1 million dollars.
Annual Rate of Occurrence is the expected number of security incidents per year. For example if a specific security incident occurs once every 10 years, then ARO=1/10=0.1
ALE is used to justify to the top management the money expenditure in security measures.
ALE = SLE x ARO
Assume that the Asset Value for which we perform a quantitative risk analysis is $10,000,000 and that the Exposure Factor is 50%.
=> SLE = $10,000,000 x 0.5 = $5,000,000
The Annual Rate of loss Occurrence is 0.05 (ARO=0.05)
=> ALE = SLE x ARO = $5,000,000 x 0.05 = $250,000.
The company is expected to have $250,000 losses due to a specific risk every year. Now, assume if we spend $100,000 in security countermeasures, this will reduce the EF from 0.5 to 0.2.
=> New SLE = $10,000,000 x 0.2 = $2,000,000
=> New ALE = $2,000,000 x 0.05 = $100,000
So, by spending $100,000 in security countermeasures, we have reduced the loss from $250,000 to $100,000, which means we have a cost savings of $150,000. The total company savings after subtracting the security cost expenses ($100,000) is $150,000 – $100,000 = $50,000