Quantitative Risk Analysis

(OBJ 5.2)

Quantitative Risk Analysis

• Method of evaluating risk that uses numerical measurements
• Provides a probabilistic analysis of potential future events
• Allows for more precise understanding of potential impacts and the effectiveness of proposed solutions.
• Provides objective and numerical evaluation of risks
  • While Quantitative Risk Analysis provides a more subjective and high-level analysis
• Used for financial, safety, and scheduling decisions
• Utilizes key components
  • Single Loss Expectancy (SLE)
  • Exposure Factor (EF)
  • Annualized Rate of Occurrence (ARO)
  • Annualized Loss Expectancy (ALE)

Key Components

• Exposure Factor (EF)
  • Proportion of asset lost in an event (0% to 100%)
    • 0% (no loss)
    • 100% (total loss)
  • Indicates asset loss severity
  • Example:
    • HQ Flooding = 70% lost assets
    • EF = 70%
• Single Loss Expectancy (SLE)
  • Monetary value expected to be lost in a single event
  • Calculated as Asset Value $\times$ Exposure Factor (EF)
    • 0% (no loss)
    • 100% (total loss)
  • Example:
    • $100,000 (Asset) $\times$ 70% EF
    • = $70,000 SLE
• Annualized Rate of Occurrence (ARO)
  • Estimated frequency of threat occurrence within a year
  • Provides a yearly probability
• Annualized Loss Expectancy (ALE)
  • Expected annual loss from a risk
  • Calculated as SLE $\times$ ARO

Example

• Single Loss Expectancy (SLE):
  • SLE = Asset Value $\times$ Exposure Factor = $10,000 $\times$ 50%
  • SLE = $5,000
• Annualized Loss Expectancy (ALE):
  • ALE = SLE $\times$ ARO
  • ALE = $5,000 $\times$ 0.5
  • ALE = $2,500
• Means the company can expect to lose roughly $2,500 per year due to a server crash.
• Consider this when looking for mitigation solutions vendors