Quantitative Risk Analysis … The four HOW?

The objective of this analysis is to find out:

  • How much of our asset is compromised?
  • How much will one incident/event cost?
  • How often does the incident/event occur?
  • How much will that cost annually?

To answer these, let us look at the six major elements of Quantitative Risk Analysis below.

  • Asset Value (AV) – How much is the asset worth?
  • Exposure Factor (EF) – What percentage of the Asset Value is lost?
  • Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once?
  • Annual Rate of Occurrence (ARO) – How often will this happen each year?
  • Annualised Loss Expectancy (ALE1) without safeguard – (SLE x ARO) – This is what it costs per year if we do nothing.
  • Annualised Loss Expectancy (ALE2) post safeguard – (SLE x ARO) – This is what it costs per year if we put a countermeasure in place.
  • The annual cost of Safeguard (ACS)
  • Cost-Benefit Analysis: if (ALE1 - ALE2 - ACS) > 0, the safeguard is good; otherwise it is not a good choice financially.
  • Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing price (normally operational)

Let's understand these quantitative risk analysis formulas with the case study below:
Case Study: Data Center
Suppose Company XYZ's Data Center is valued at 100,000,000 USD.
i.e. AV = 100,000,000 USD
The Data Center is at risk from a natural calamity such as flooding.
i.e. Threat = Flooding
If a flood happens, 15% of the DC is compromised.
i.e. EF = 15%
Loss per flood:
i.e. SLE = AV x EF = 100,000,000 x 15% = 15,000,000 USD
Flooding happens once in 5 years.
i.e. ARO = 0.20
Hence the loss per year because of flooding would be:
ALE = SLE x ARO = 15,000,000 x 0.20 = 3,000,000 USD
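
The case study stops at the ALE without a safeguard. As an added example (not from the original page), this Python code carries it through the cost-benefit test (ALE1 - ALE2 - ACS) for several candidate safeguards and ranks them. The safeguard names and their ACS, EF and ARO figures are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal as D

@dataclass(frozen=True)
class Risk:
    av: D    # Asset Value, USD
    ef: D    # Exposure Factor as a fraction (0.15 = 15%)
    aro: D   # Annual Rate of Occurrence, events per year

    def __post_init__(self):
        if self.av < 0 or self.aro < 0 or not 0 <= self.ef <= 1:
            raise ValueError("need AV >= 0, ARO >= 0 and 0 <= EF <= 1")

    @property
    def sle(self):  # Single Loss Expectancy = AV x EF
        return self.av * self.ef

    @property
    def ale(self):  # Annualised Loss Expectancy = SLE x ARO
        return self.sle * self.aro

@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: D        # Annual Cost of Safeguard, USD
    ef_after: D   # EF with the safeguard in place
    aro_after: D  # ARO with the safeguard in place

def evaluate(risk, sg):
    """Return (ALE2, net value), where net value = ALE1 - ALE2 - ACS."""
    ale2 = Risk(risk.av, sg.ef_after, sg.aro_after).ale
    return ale2, risk.ale - ale2 - sg.acs

def rank(risk, safeguards):
    """Best net value first; the last field says whether it pays off."""
    rows = [(sg.name, *evaluate(risk, sg)) for sg in safeguards]
    rows.sort(key=lambda r: r[2], reverse=True)
    return [(name, ale2, net, net > 0) for name, ale2, net in rows]

# The page's case study: AV = 100,000,000 USD, EF = 15%, ARO = 0.20.
FLOOD = Risk(D("100000000"), D("0.15"), D("0.20"))
# Constructed safeguards: names and figures are assumptions, not from the page.
CANDIDATES = [
    Safeguard("flood barriers", D("500000"), D("0.05"), D("0.20")),
    Safeguard("relocate DC", D("3500000"), D("0.15"), D("0.02")),
    Safeguard("water sensors", D("100000"), D("0.14"), D("0.20")),
]
for name, ale2, net, ok in rank(FLOOD, CANDIDATES):
    print(f"{name:15} ALE2={ale2:>11,.0f} net={net:>11,.0f} {'good' if ok else 'not good'}")
```

With these assumed figures, the safeguard that cuts ALE the most (relocating the DC) still fails the test because its annual cost exceeds the loss it avoids.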

Some other examples are summarized in the table below.

How SLE, ARO, ALE are used/calculated