The objective of this analysis to find out
- How much of our Asset is compromised?
- How much one incident/event will cost?
- How often the incident/event occurs?
- How much will that cost annually?
To answer these, Let us look at the Below six major element of Quantitative Risk Analysis.
- Asset Value (AV) – How much is the asset worth?
- Exposure factor (EF) – Percentage of Asset Value lost?
- Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once?
- Annual Rate of Occurrence (ARO) – How often will this happen each year?
- Annualised Loss Expectancy (ALE1) without safeguard – (SLE x ARO) – This is what it cost per year if we do nothing.
- Annualised Loss Expectancy (ALE2) post safeguard – (SLE x ARO) – This is what it cost per year if we put countermeasure.
- The annual cost of Safeguard (ACS)
- Cost-Benefit Analysis: if (ALE1-ALE2-ACS) > 0 = Safeguard is Good else it is not a good choice financially.
- Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing price (Normally Operational)
Lets understand this mathematical formulas of quantitative Risk analysis with below Case study:
Case Study: Data Center
Suppose Company XYZ Data Center is valued at 100,000,000 USD.
i.e. AV = 100,000,000 USD
Data Center has a risk because of Natural calamity such as Flooding.
i.e. Threat = Flooding
If a flooding happens 15% of the DC is compromised.
i.e. EF = 15%
Loss per Flooding
i.e. SLE = AV x EF = 100,000,000 x 15% = 15,000,000 USD
The flooding happens once in 5 years
i.e. ARO = 0.20
Hence Loss per year because of flooding would be
ALE = SLE x ARO = 15,000,000 x 0.20 = 3,000,000 USD
Some other examples are summarized in below table.