Quantitative Risk Analysis

In Quantitative Risk Analysis, we try to express every element of an information asset, and every loss it may suffer, as a monetary value. There are three steps in Quantitative Risk Analysis:

  1. Determine Single Loss Expectancy (SLE):

     Single Loss Expectancy is a measure of the monetary loss that an information asset will suffer when a threat is realized.

     SLE = Asset Value ($) x Exposure Factor (%)

     For example, if the asset value is 2 million dollars and the Exposure Factor is 50%, then the SLE is 1 million dollars.

  2. Determine Annual Rate of Occurrence (ARO):

     Annual Rate of Occurrence is the expected number of security incidents per year. For example, if a specific security incident occurs once every 10 years, then ARO = 1/10 = 0.1.

  3. Determine Annual Loss Expectancy (ALE):

     ALE is the figure used to justify to top management the expenditure on security measures.

     ALE = SLE x ARO

Assume that the Asset Value for which we perform the quantitative risk analysis is $10,000,000 and that the Exposure Factor is 50%.

=> SLE = $10,000,000 x 0.5 = $5,000,000

The Annual Rate of Occurrence is 0.05 (ARO = 0.05).

=> ALE = SLE x ARO = $5,000,000 x 0.05 = $250,000

The company is therefore expected to lose $250,000 every year due to this specific risk. Now assume that spending $100,000 on security countermeasures reduces the EF from 0.5 to 0.2.

=> New SLE = $10,000,000 x 0.2 = $2,000,000

=> New ALE = $2,000,000 x 0.05 = $100,000

So, by spending $100,000 on security countermeasures, we have reduced the expected annual loss from $250,000 to $100,000, a risk reduction worth $150,000 per year. The net saving for the company, after subtracting the cost of the countermeasures ($100,000), is $150,000 - $100,000 = $50,000.
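The three steps above and the cost-benefit calculation of the worked example, as an added Python example that is not part of the original article. It uses Decimal rather than floats so that the cent amounts come out exact, and it generalizes slightly beyond the text: a safeguard may lower the Exposure Factor, the ARO, or both (the article's example only lowers the EF). All function and class names are the example's own; the input figures in the main block are the article's.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def money(value) -> Decimal:
    """Round a monetary amount to whole cents, half-up, so results match hand calculation."""
    return Decimal(value).quantize(CENT, rounding=ROUND_HALF_UP)


def single_loss_expectancy(asset_value, exposure_factor) -> Decimal:
    """Step 1: SLE = Asset Value x Exposure Factor.

    exposure_factor is the fraction of the asset value lost in one incident (0.5 for 50%).
    """
    ef = Decimal(str(exposure_factor))
    if not Decimal(0) <= ef <= Decimal(1):
        raise ValueError("exposure factor must be between 0 and 1")
    return money(Decimal(asset_value) * ef)


def annual_rate_of_occurrence(incidents, years) -> Decimal:
    """Step 2: ARO = incidents / years, e.g. one incident every 10 years gives 0.1."""
    if years <= 0:
        raise ValueError("years must be positive")
    return Decimal(incidents) / Decimal(years)


def annual_loss_expectancy(sle, aro) -> Decimal:
    """Step 3: ALE = SLE x ARO."""
    return money(Decimal(sle) * Decimal(str(aro)))


@dataclass(frozen=True)
class SafeguardAssessment:
    """Annual figures comparing the risk before and after a countermeasure."""
    ale_before: Decimal
    ale_after: Decimal
    annual_safeguard_cost: Decimal

    @property
    def risk_reduction(self) -> Decimal:
        # Gross benefit: how much expected annual loss the safeguard removes.
        return self.ale_before - self.ale_after

    @property
    def net_benefit(self) -> Decimal:
        # Net benefit: risk reduction minus what the safeguard costs per year.
        return self.risk_reduction - self.annual_safeguard_cost

    @property
    def worthwhile(self) -> bool:
        # A safeguard is justified only if it saves more than it costs.
        return self.net_benefit > 0


def assess_safeguard(asset_value, ef_before, ef_after, aro_before,
                     annual_safeguard_cost, aro_after=None) -> SafeguardAssessment:
    """Run steps 1-3 before and after a safeguard and return the comparison.

    aro_after defaults to aro_before: the safeguard lowers only the Exposure Factor,
    as in the article's example. Pass a smaller aro_after for a safeguard that
    also makes incidents rarer.
    """
    if aro_after is None:
        aro_after = aro_before
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annual_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    return SafeguardAssessment(ale_before, ale_after, money(annual_safeguard_cost))


if __name__ == "__main__":
    # The article's figures: $10M asset, EF 0.5 -> 0.2, ARO 0.05, $100k of countermeasures.
    result = assess_safeguard(10_000_000, 0.5, 0.2, 0.05, 100_000)
    print(f"ALE before: ${result.ale_before:,}")
    print(f"ALE after:  ${result.ale_after:,}")
    print(f"Risk reduction: ${result.risk_reduction:,}")
    print(f"Net benefit:    ${result.net_benefit:,} (worthwhile: {result.worthwhile})")
```

Note that `annual_safeguard_cost` is treated as a yearly figure, as the article does; a one-off purchase should be spread over its expected lifetime before it is compared against the ALE difference, otherwise the net benefit is understated in every year after the first.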