## Quantitative Risk Analysis

In Quantitative Risk Analysis, we try to translate every information asset element into monetary value. There are three steps in Quantitative Risk Analysis:

1. Determine Single Loss Expectancy (SLE). Single Loss Expectancy is a measure of the monetary loss that an information asset will suffer due to the activation of a threat:

   SLE = Asset Value (\$) x Exposure Factor (%)

   For example, if the asset value is 2 million dollars and the Exposure Factor is 50%, then the SLE is 1 million dollars.

2. Determine Annual Rate of Occurrence (ARO). Annual Rate of Occurrence is the expected number of security incidents per year. For example, if a specific security incident occurs once every 10 years, then ARO = 1/10 = 0.1.

3. Determine Annual Loss Expectancy (ALE). ALE is the figure used to justify to top management the expenditure on security measures:

   ALE = SLE x ARO

### Example
Assume that the Asset Value for which we perform a quantitative risk analysis is \$10,000,000 and that the Exposure Factor is 50%.

=> SLE = \$10,000,000 x 0.5 = \$5,000,000

The Annual Rate of Occurrence is 0.05 (ARO = 0.05).

=> ALE = SLE x ARO = \$5,000,000 x 0.05 = \$250,000.

The company is expected to lose \$250,000 per year due to this specific risk. Now assume that spending \$100,000 on security countermeasures reduces the EF from 0.5 to 0.2.

=> New SLE = \$10,000,000 x 0.2 = \$2,000,000

=> New ALE = \$2,000,000 x 0.05 = \$100,000

So, by spending \$100,000 on security countermeasures, we have reduced the expected annual loss from \$250,000 to \$100,000, a reduction of \$150,000. The net company savings after subtracting the cost of the countermeasures (\$100,000) is \$150,000 - \$100,000 = \$50,000. This is the cost-benefit test behind the ALE figure: a countermeasure is justified only when the reduction in ALE exceeds what the countermeasure costs.
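The three steps and the cost-benefit comparison, as an added Python example that is not part of the original text. It reproduces the page's figures (asset value \$10,000,000, EF 0.5 → 0.2, ARO 0.05, control cost \$100,000) as constructed inputs and goes slightly beyond the page: the `Countermeasure` and `CostBenefit` structures are hypothetical, the control's cost is assumed to be annualised so it is comparable with ALE, and a control may optionally lower the ARO (likelihood) instead of the EF (impact), which the same formula handles.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Union

Number = Union[Decimal, int, float, str]


def _dec(value: Number) -> Decimal:
    """Convert to Decimal via str() so 0.05 is exactly 0.05, not a binary float."""
    return value if isinstance(value, Decimal) else Decimal(str(value))


def single_loss_expectancy(asset_value: Number, exposure_factor: Number) -> Decimal:
    """SLE = Asset Value x Exposure Factor. EF is a fraction of the asset value (0.5 for 50%)."""
    ef = _dec(exposure_factor)
    if not Decimal(0) <= ef <= Decimal(1):
        raise ValueError(f"exposure factor must be between 0 and 1, got {ef}")
    return _dec(asset_value) * ef


def annual_loss_expectancy(sle: Number, aro: Number) -> Decimal:
    """ALE = SLE x ARO. ARO is the expected number of incidents per year (once in 10 years -> 0.1)."""
    rate = _dec(aro)
    if rate < 0:
        raise ValueError(f"annual rate of occurrence cannot be negative, got {rate}")
    return _dec(sle) * rate


@dataclass(frozen=True)
class Countermeasure:
    """A proposed control (hypothetical structure, not from the page).

    annual_cost is assumed to be the annualised cost of the control so that it is
    comparable with ALE. new_aro is optional: some controls reduce how often an
    incident happens rather than how much is lost when it does.
    """
    name: str
    annual_cost: Number
    new_exposure_factor: Number
    new_aro: Optional[Number] = None


@dataclass(frozen=True)
class CostBenefit:
    ale_before: Decimal
    ale_after: Decimal
    ale_reduction: Decimal       # gross annual saving produced by the control
    net_annual_benefit: Decimal  # ale_reduction minus the control's annual cost

    @property
    def justified(self) -> bool:
        """The control pays for itself only when it removes more expected loss than it costs."""
        return self.net_annual_benefit > 0


def evaluate_countermeasure(asset_value: Number, exposure_factor: Number,
                            aro: Number, control: Countermeasure) -> CostBenefit:
    """Run the three steps before and after the control and compare the two ALEs."""
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    aro_after = control.new_aro if control.new_aro is not None else aro
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset_value, control.new_exposure_factor), aro_after)
    reduction = ale_before - ale_after
    return CostBenefit(ale_before, ale_after, reduction, reduction - _dec(control.annual_cost))


if __name__ == "__main__":
    # Constructed input: the figures from the worked example above.
    control = Countermeasure("example control", annual_cost="100000", new_exposure_factor="0.2")
    result = evaluate_countermeasure("10000000", "0.5", "0.05", control)
    print(f"ALE before: ${result.ale_before:,.2f}")
    print(f"ALE after:  ${result.ale_after:,.2f}")
    print(f"Net annual benefit: ${result.net_annual_benefit:,.2f} "
          f"({'justified' if result.justified else 'not justified'})")
```

Money is kept in `Decimal` rather than `float` so that values such as 0.05 multiply exactly; the validation on EF and ARO catches the common mistake of passing a percentage (50) where a fraction (0.5) is expected. Run the same inputs with a control costing more than \$150,000 and `justified` turns false, which is the point the ALE comparison exists to make to management.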