PART 3). CHAP 2 - Quantitative Risk Analysis - AV, EF, SLE, ARO, ALE, CB/A.
Step 4)
Assess The Annual Rate Of Occurrence (ARO)
Step 1)
Assign Asset Value (AV)
Step 5)
Derive The Annual Loss Expectancy (ALE)
Step 6)
Perform a cost/benefit analysis of each countermeasure for each threat for each asset.
Exposure Factor (EF)
Represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.
What is Risk Management?
Risk Management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk.
ALE
= SLE * ARO
Single loss expectancy (SLE)
The cost associated with a single realized risk against a specific asset. It indicates the exact amount of loss an organization would experience if an asset were harmed by a specific threat occurring.
Annualized Rate of Occurrence (ARO)
The expected frequency with which a specific threat or risk will occur (that is, become realized) within a single year.
Annualized Loss Expectancy (ALE)
This is the possible yearly cost of all instances of a specific realized threat against a specific asset.
SLE
= AV * EF (SLAVE)
Step 2)
Calculate Exposure Factor (EF)
Step 3)
Calculate Single Loss Expectancy (SLE)
Cost/Benefit Analysis (CB/A)
Calculating this with a safeguard: in addition to determining the annual cost of the safeguard, you must calculate the ALE for the asset if the safeguard is implemented.
Asset Valuation (AV)
Inventory assets, and assign a value
Quantitative Risk Analysis:
The quantitative method results in concrete probability percentages. That means the end result is a report that has dollar figures for levels of risk, potential loss, cost of countermeasures, and value of safeguards.
ARO
# / year
ACS (Annual cost of the safeguard)
$ / year
CB/A (Value or benefit of a safeguard)
(pre-countermeasure ALE - post-countermeasure ALE) - ACS. Or, even more simply: (ALE1 - ALE2) - ACS
SLE
= asset value (AV) * exposure factor (EF) - or - (Asset value ($) * exposure factor)
ALE
= single loss expectancy (SLE) * annualized rate of occurrence (ARO)
Annualized Rate of Occurrence (ARO)
A countermeasure directly affects this factor, primarily because it is designed to prevent the occurrence of the risk, thus reducing its frequency per year.