In Quantitative Risk Analysis, we try to translate every information asset element into monetary value. There are three steps in Quantitative Risk Analysis:

1. **Determine Single Loss Expectancy (SLE)**
2. **Determine Annual Rate of Occurrence (ARO)**
3. **Determine Annual Loss Expectancy (ALE)**

Single Loss Expectancy is a measure of the monetary loss that an information asset will suffer due to the activation of a threat.

**SLE = Asset Value ($) x Exposure Factor (%)**

For example, if the asset value is 2 million dollars and the Exposure Factor is 50%, then the SLE is 1 million dollars.

Annual Rate of Occurrence is the expected number of security incidents per year. For example, if a specific security incident occurs once every 10 years, then **ARO = 1/10 = 0.1**.

Annual Loss Expectancy (ALE) is used to justify spending on security measures to top management.

**ALE = SLE x ARO**

**EXAMPLE**

Assume that the Asset Value for which we perform a quantitative risk analysis is $10,000,000 and that the Exposure Factor is 50%.

=> SLE = $10,000,000 x 0.5 = $5,000,000

The Annual Rate of Occurrence is 0.05 (ARO = 0.05).

=> ALE = SLE x ARO = $5,000,000 x 0.05 = **$250,000.**

The company is expected to lose $250,000 every year due to this specific risk. Now assume that spending $100,000 on security countermeasures reduces the EF from 0.5 to 0.2.

=> New SLE = $10,000,000 x 0.2 = $2,000,000

=> New ALE = $2,000,000 x 0.05 = $100,000

So, by spending $100,000 on security countermeasures, we have reduced the expected annual loss from $250,000 to $100,000, a saving of $150,000. After subtracting the cost of the countermeasures ($100,000), the net saving to the company is $150,000 – $100,000 = **$50,000**.
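
The same calculation generalized to rank several candidate countermeasures by net saving, as an added example that is not part of the original article. It assumes the countermeasure spend recurs annually; the second and third controls, their costs, and the names `ale`, `Countermeasure` and `evaluate` are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


def ale(asset_value, exposure_factor, aro):
    """ALE = SLE x ARO, with SLE = Asset Value x Exposure Factor."""
    av, ef, rate = (Decimal(str(x)) for x in (asset_value, exposure_factor, aro))
    if av < 0 or not 0 <= ef <= 1 or rate < 0:
        raise ValueError("need AV >= 0, 0 <= EF <= 1 and ARO >= 0")
    return av * ef * rate


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: int                 # assumption: cost recurs every year
    new_ef: Optional[str] = None     # None = control leaves EF unchanged
    new_aro: Optional[str] = None    # None = control leaves ARO unchanged


def evaluate(asset_value, ef, aro, controls):
    """Rank controls by net annual saving (ALE reduction minus cost)."""
    baseline = ale(asset_value, ef, aro)
    rows = []
    for c in controls:
        after = ale(asset_value,
                    ef if c.new_ef is None else c.new_ef,
                    aro if c.new_aro is None else c.new_aro)
        net = baseline - after - Decimal(c.annual_cost)
        rows.append({"name": c.name, "ale_after": after,
                     "net_saving": net, "justified": net > 0})
    return baseline, sorted(rows, key=lambda r: r["net_saving"], reverse=True)


# First control is the article's example; the other two are constructed.
CONTROLS = [
    Countermeasure("reduce EF to 0.2 (article)", 100_000, new_ef="0.2"),
    Countermeasure("reduce ARO to 0.02", 120_000, new_aro="0.02"),
    Countermeasure("reduce EF to 0.4", 80_000, new_ef="0.4"),
]

if __name__ == "__main__":
    baseline, ranked = evaluate(10_000_000, "0.5", "0.05", CONTROLS)
    print(f"baseline ALE: ${baseline:,.0f}")
    for r in ranked:
        print(f"{r['name']:<28} ALE ${r['ale_after']:>9,.0f}  "
              f"net ${r['net_saving']:>8,.0f}  fund: {r['justified']}")
```

A control whose net saving is negative costs more per year than the loss it prevents, so the ALE figures alone do not justify it.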