
Risk Analysis Formulas

Understanding Risk Analysis Formulas

Risk analysis can be broken down into two primary methods: Qualitative Risk Analysis and Quantitative Risk Analysis.

Qualitative Risk Analysis is much more subjective and focuses on the perceived level of risk. It may involve discussions and estimates based on experience, intuition and judgment. In the wrong hands, it can be a pretty blunt instrument.

For a more numerical, objective view, we use Quantitative Risk Analysis. This method uses maths and formulas to calculate risk, i.e. it puts a dollar value on the risks and countermeasures involved, which is particularly useful when comparing and deciding on risk mitigation strategies.

Risk Type | When Safeguard is Implemented | Example | Description
Residual Risk | After Safeguard | Despite using encrypted communication, there is a residual risk of data being intercepted by advanced threats. | This is the risk that remains after all possible safeguards have been put into place.
Inherent Risk | Before Safeguard | A newly deployed system could be inherently at risk from cyber attacks before security controls are in place. | This risk exists before any risk management strategies have been applied.
Total Risk | No Safeguard | Without any cybersecurity measures, an organization could face total risk of data breaches or cyber attacks. | This risk represents the worst-case scenario if no safeguards were implemented at all.

Risk Analysis

Risk analysis is an essential part of understanding and managing risk. Besides evaluating the types of risk, two key factors to consider are:

  • Loss Potential: This refers to the potential loss if a threat agent successfully exploits a vulnerability.
  • Delayed Loss: This represents the amount of loss that can occur over time, such as damage to the organization's reputation.

Remember, threat agents are entities that cause threats by exploiting vulnerabilities - the weaknesses in your assets or even in your safeguards!

Supply Chain Risks

Modern service delivery often involves a chain of multiple entities. Even companies that aim to control as much production in-house as possible, such as Apple, rely on components from a diverse range of suppliers. For example, Apple uses screens manufactured by Samsung, one of its major competitors. The supply chain isn't limited to manufacturing; it also includes transport, managed by multiple companies.

Ensuring the security, reliability, and reputation of all vendors in this supply chain is crucial to maintain overall operational integrity.

Supply Chain Evaluation

Evaluating the vendors in your supply chain involves several methodologies, such as:

  • Onsite Assessment: This includes visiting the organization, interviewing people, and observing their operating habits to ensure they meet safety and security standards.
  • Document Exchange and Review: Analyze how an organization manages information exchange and conducts assessments and reviews.
  • Process/Policy Review: Request and review the vendor's security policies, processes, and procedures to ensure they align with your organization's standards.
  • Third-party Audit: Enlist an independent auditor to provide an unbiased review of the vendor's security infrastructure.

The 6 Steps of Quantitative Risk Analysis

The official study guide says there are 6 major elements of quantitative risk analysis, and many of the exam questions are based around them:

1: Assign Asset Value (AV)

The first step is to assign a value to the asset that is at risk. This dollar value gives us a tangible measure that can be used in calculations.

2: Calculate Exposure Factor (EF)

The exposure factor is the percentage of the asset value that could be lost in the event of a risk occurring. We represent it as a decimal. So, if the exposure factor is given as a percentage (e.g., 25%), we simply calculate by converting it into a decimal (0.25).

3: Calculate Single Loss Expectancy (SLE)

Now that we have figured out the Asset Value and Exposure Factor, we can calculate the Single Loss Expectancy, which is the cost if the risk occurred just once. The formula for this is simple: SLE = AV * EF.

4: Assess the Annual Rate of Occurrence (ARO)

The next step is to assess the Annual Rate of Occurrence, which is how many times the risk might happen in a year. Be careful here: if an event is expected to occur once every five years, the ARO would be 0.2 (1/5).

5: Derive the Annualized Loss Expectancy (ALE)

The ALE gives us a value for how much we could expect to lose per year because of the risk. The formula for this is ALE = SLE * ARO.

6: Perform a Cost-Benefit Analysis

The final step is to compare the cost of a potential safeguard (a countermeasure/control) against the risk it mitigates. In this final step, you'll need to evaluate the controls gap (the difference in a risk before and after the safeguard) and the residual risk (the risk remaining after the safeguard is applied). For a safeguard to be cost-effective, its benefit should outweigh its cost.

Calculate the safeguard's effectiveness using the formula: Cost-Benefit = (ALE before - ALE after) - Annual Cost of Safeguard (ACS). If the result is negative, the safeguard is not cost-effective. 

Applying the Quantitative Risk Analysis Process

Let's break down these concepts using a practical scenario. Consider a company with a server valued at $100,000. If the server is attacked, the company estimates losing 40% of its value. The attack is expected to occur once every four years. So, let's apply our Quantitative Risk Analysis:

Step | Concept | Formula | Example | Result
1 | Asset Value | AV | Server value including assets on it | $100,000
2 | Exposure Factor | EF | Estimated loss percentage from an incident | 0.4 (40%)
3 | Single Loss Expectancy | SLE = AV * EF | Cost if the server gets hit once | $100,000 * 0.4 = $40,000
4 | Annualized Rate of Occurrence | ARO | Expected frequency of the incident happening per year | Once every 4 years = 1/4 = 0.25
5 | Annualized Loss Expectancy | ALE = SLE * ARO (= AV * EF * ARO) | Expected loss per year due to the risk | $40,000 * 0.25 = $10,000

Now, we can't do step six yet, because we do not know what the safeguard is. Let's consider implementing a Security Operations Centre (SOC) that will cost $15,000 annually.

Step | Concept | Formula | Example | Result
1 | Annual Cost of Safeguard | ACS | The SOC costs $15,000 per year | $15,000
2 | ALE before Safeguard | ALE1 | The ALE identified in step 5 becomes ALE1 | $10,000
3 | Adjusted (Controlled) ARO after Safeguard | CARO (unofficial term) | Even with the SOC, a breach is still expected once every 8 years | Once every 8 years = 1/8 = 0.125
4 | ALE after Safeguard | ALE2 = SLE * CARO | After the safeguard is in place, the expected yearly loss is the single loss expectancy ($40,000) times the CARO | $40,000 * 0.125 = $5,000
5 | Cost-Benefit Analysis | (ALE1 - ALE2) - ACS | To determine if the safeguard is cost-effective, subtract the post-safeguard ALE (ALE2) and the annual cost of the safeguard (ACS) from the pre-safeguard ALE (ALE1) | ($10,000 - $5,000) - $15,000 = -$10,000

So, in this scenario, it's not cost-effective to implement the safeguard, as it results in an additional expected loss of $10,000 per year when considering the cost of the safeguard.
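The six steps and the worked scenario above, carried through in code. This is an added example, not code from the study guide or the page; it reuses the page's figures (AV $100,000, EF 40%, one attack every 4 years, a $15,000/year SOC that stretches incidents to once every 8 years) as constructed input. The `Safeguard` class, its `controlled_interval_years` field, the second "hypothetical-control" candidate and the break-even figure are my additions to show the general comparison the cost-benefit step is used for; they are not from the page.

```python
# Quantitative risk analysis calculator (added example; not the study guide's code).
# Steps: AV, EF, SLE = AV * EF, ARO, ALE = SLE * ARO, and
# cost-benefit = (ALE before - ALE after) - ACS, generalised to compare
# several candidate safeguards against the same risk.
from dataclasses import dataclass


def exposure_factor(ef):
    """Normalise an exposure factor to a decimal.

    Step 2 warns that an EF quoted as a percentage (25%) must become a
    decimal (0.25) before use. Assumption: any value above 1 is a percentage.
    """
    ef = float(ef)
    if ef > 1.0:
        ef = ef / 100.0
    if not 0.0 <= ef <= 1.0:
        raise ValueError(f"exposure factor out of range: {ef}")
    return ef


def aro_from_interval(years_between_events):
    """Step 4: an event expected once every N years has ARO = 1/N."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def single_loss_expectancy(av, ef):
    """Step 3: SLE = AV * EF, the cost if the risk occurs once."""
    return av * exposure_factor(ef)


def annualized_loss_expectancy(sle, aro):
    """Step 5: ALE = SLE * ARO, the expected loss per year."""
    return sle * aro


def cost_benefit(ale_before, ale_after, acs):
    """Step 6: (ALE before - ALE after) - ACS; negative means not cost-effective."""
    return (ale_before - ale_after) - acs


@dataclass
class Safeguard:
    # Hypothetical structure (not from the page). controlled_interval_years is
    # the expected years between incidents once the safeguard is in place;
    # the page's unofficial "CARO" is 1 / this value.
    name: str
    annual_cost: float
    controlled_interval_years: float


def evaluate_safeguards(av, ef, interval_years, safeguards):
    """Run steps 1-6 for one risk and every candidate safeguard.

    Returns, per safeguard: SLE, ALE1, ALE2, the cost-benefit figure, the
    break-even annual cost (ALE1 - ALE2, the most one could pay per year
    before the safeguard stops paying for itself) and a verdict.
    """
    sle = single_loss_expectancy(av, ef)
    ale1 = annualized_loss_expectancy(sle, aro_from_interval(interval_years))
    results = {}
    for sg in safeguards:
        caro = aro_from_interval(sg.controlled_interval_years)
        ale2 = annualized_loss_expectancy(sle, caro)
        benefit = cost_benefit(ale1, ale2, sg.annual_cost)
        results[sg.name] = {
            "sle": round(sle, 2),
            "ale_before": round(ale1, 2),
            "ale_after": round(ale2, 2),
            "cost_benefit": round(benefit, 2),
            "break_even_annual_cost": round(ale1 - ale2, 2),
            "cost_effective": benefit >= 0,
        }
    return results


# Constructed input: the page's server scenario and its SOC, plus a
# hypothetical cheaper control with the same effect, for comparison.
SERVER_AV = 100_000
SERVER_EF_PERCENT = 40          # given as a percentage on purpose
ATTACK_INTERVAL_YEARS = 4       # ARO = 0.25
CANDIDATES = [
    Safeguard("SOC", annual_cost=15_000, controlled_interval_years=8),
    Safeguard("hypothetical-control", annual_cost=3_000, controlled_interval_years=8),
]

if __name__ == "__main__":
    report = evaluate_safeguards(SERVER_AV, SERVER_EF_PERCENT,
                                 ATTACK_INTERVAL_YEARS, CANDIDATES)
    for name, r in report.items():
        verdict = "cost-effective" if r["cost_effective"] else "NOT cost-effective"
        print(f"{name}: ALE1=${r['ale_before']:,.0f} ALE2=${r['ale_after']:,.0f} "
              f"cost-benefit=${r['cost_benefit']:,.0f} ({verdict}); "
              f"break-even ACS=${r['break_even_annual_cost']:,.0f}")
```

For the SOC this reproduces the table: SLE $40,000, ALE1 $10,000, ALE2 $5,000 and a cost-benefit of -$10,000. The break-even figure shows why: the safeguard only removes $5,000 of expected loss per year, so any control costing more than that for the same risk reduction fails the test, while the hypothetical $3,000 control passes.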

To simplify things, I have not included additional Exposure Factors like fines and reputational damage. If you'd like, feel free to research the fines for a breach in your country and discover if this Quantitative Risk Analysis would be worth doing then.