The objective of this analysis is to find out:
- How much of our asset is compromised?
- How much will one incident/event cost?
- How often does the incident/event occur?
- How much will that cost annually?
To answer these, let us look at the six major elements of Quantitative Risk Analysis below.
- Asset Value (AV) – How much is the asset worth?
- Exposure Factor (EF) – What percentage of the Asset Value is lost?
- Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once?
- Annual Rate of Occurrence (ARO) – How often will this happen each year?
- Annualised Loss Expectancy (ALE1) without safeguard – (SLE x ARO) – This is what it costs per year if we do nothing.
- Annualised Loss Expectancy (ALE2) post safeguard – (SLE x ARO) – This is what it costs per year if we put a countermeasure in place.
- The Annual Cost of Safeguard (ACS)
- Cost-Benefit Analysis: if (ALE1 - ALE2 - ACS) > 0, the safeguard is a good choice; otherwise it is not a good choice financially.
- Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing price (normally operational)

Let's understand these quantitative risk analysis formulas with the case study below:
Case Study: Data Center
Suppose Company XYZ Data Center is valued at 100,000,000 USD.
i.e. AV = 100,000,000 USD
The Data Center is at risk from a natural calamity such as flooding.
i.e. Threat = Flooding
If flooding happens, 15% of the DC is compromised.
i.e. EF = 15%
Loss per flooding event
i.e. SLE = AV x EF = 100,000,000 x 15% = 15,000,000 USD
Flooding happens once in 5 years
i.e. ARO = 0.20
Hence the loss per year because of flooding would be
ALE = SLE x ARO = 15,000,000 x 0.20 = 3,000,000 USD
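
The case study stops at the loss without a safeguard. The added example below (not part of the original article) carries it through the cost-benefit formula ALE1 - ALE2 - ACS and ranks candidate safeguards by net annual value. The three safeguards and their EF, ARO and ACS figures are constructed for illustration; only AV, EF and ARO come from the case study.

```python
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass(frozen=True)
class Safeguard:
    name: str
    ef_after: D   # exposure factor once the safeguard is in place
    aro_after: D  # annual rate of occurrence once the safeguard is in place
    acs: D        # annual cost of the safeguard


def ale(av: D, ef: D, aro: D) -> D:
    """ALE = SLE x ARO, where SLE = AV x EF."""
    if av < 0 or aro < 0:
        raise ValueError("AV and ARO must not be negative")
    if not D(0) <= ef <= D(1):
        raise ValueError("EF is a fraction of AV and must be between 0 and 1")
    return av * ef * aro


def evaluate(av: D, ef: D, aro: D, safeguards):
    """Return ALE1 and (name, ALE2, net value) rows, best net value first."""
    ale1 = ale(av, ef, aro)
    rows = []
    for s in safeguards:
        ale2 = ale(av, s.ef_after, s.aro_after)
        rows.append((s.name, ale2, ale1 - ale2 - s.acs))
    return ale1, sorted(rows, key=lambda r: r[2], reverse=True)


# Case-study inputs from the article.
AV, EF, ARO = D("100000000"), D("0.15"), D("0.20")

# Constructed candidates (hypothetical figures, not from the article).
CANDIDATES = [
    Safeguard("relocate data center", D("0.15"), D("0.02"), D("3500000")),
    Safeguard("raised floor and pumps", D("0.05"), D("0.20"), D("1200000")),
    Safeguard("flood barrier", D("0.15"), D("0.05"), D("400000")),
]

ALE1, RANKED = evaluate(AV, EF, ARO, CANDIDATES)

if __name__ == "__main__":
    print(f"ALE1 (no safeguard): {ALE1:,.0f} USD")
    for name, ale2, net in RANKED:
        verdict = "good choice" if net > 0 else "not a good choice financially"
        print(f"{name:24} ALE2={ale2:>11,.0f}  net={net:>11,.0f}  {verdict}")
```

A safeguard with a negative net value costs more per year than the loss it avoids, even if it lowers ALE the most.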
Some other examples are summarized in the table below.
