Risk Analysis Formulas
Understanding Risk Analysis Formulas
Risk analysis can be broken down into two primary methods: Qualitative Risk Analysis and Quantitative Risk Analysis.
Qualitative Risk Analysis is much more subjective and focuses on the perceived level of risk. It can involve discussions and estimates based on experience, intuition and judgment. Sometimes, in the wrong hands, it can be a pretty blunt instrument.
For a more numerical, objective view, we use Quantitative Risk Analysis. This method uses mathematics and formulas to calculate risk, i.e., it assigns a dollar value to the risks and countermeasures involved, which is particularly useful when comparing and deciding on risk mitigation strategies.
The 6 Steps of Quantitative Risk Analysis
The official study guide says there are six major elements of quantitative risk analysis, and many of the exam questions are based around them:
1: Assign Asset Value (AV)
The first step is to assign a value to the asset that is at risk. This dollar value gives us a tangible measure that can be used in calculations.
2: Calculate Exposure Factor (EF)
The exposure factor is the percentage of the asset value that could be lost in the event of a risk occurring. We represent it as a decimal. So, if the exposure factor is given as a percentage (e.g., 25%), we simply calculate by converting it into a decimal (0.25).
3: Calculate Single Loss Expectancy (SLE)
Now that we have figured out the Asset Value and Exposure Factor, we can calculate the Single Loss Expectancy, which is the cost if the risk occurred just once. The formula for this is simple: SLE = AV * EF.
4: Assess the Annual Rate of Occurrence (ARO)
The next step is to assess the Annual Rate of Occurrence, which is how many times the risk might happen in a year. Be careful here: if an event is expected to occur once every five years, the ARO would be 0.2 (1/5).
5: Derive the Annualized Loss Expectancy (ALE)
The ALE gives us a value for how much we could expect to lose per year because of the risk. The formula for this is ALE = SLE * ARO.
6: Perform a Cost-Benefit Analysis
The final step is to compare the cost of a potential safeguard (a countermeasure or control) against the risk it mitigates. In this final step you'll need to evaluate the controls gap (the difference in the risk before and after the safeguard) and the residual risk (the risk remaining after the safeguard is applied). For a safeguard to be cost-effective, its benefit should outweigh its cost.
Calculate the safeguard's effectiveness using the formula: Cost-Benefit = (ALE before - ALE after) - Annual Cost of Safeguard (ACS). If the result is negative, the safeguard is not cost-effective.
Applying the Quantitative Risk Analysis Process:
Let's break down these concepts using a practical scenario. Consider a company with a server valued at $100,000. If the server is hit by an attack, the company estimates losing 40% of the server's value. The attack is expected to occur once every four years. So, let's apply our Quantitative Risk Analysis:
| Step | Concept | Formula | Example | Result |
|---|---|---|---|---|
| 1 | Asset Value | = AV | Server value, including the assets on it | $100,000 |
| 2 | Exposure Factor | = EF | Estimated loss percentage from an incident | 0.4 (40%) |
| 3 | Single Loss Expectancy | AV * EF = SLE | Cost if the server gets hit once | $100,000 * 0.4 = $40,000 |
| 4 | Annualized Rate of Occurrence | = ARO | Expected frequency of the incident per year | Once every 4 years = 1/4 = 0.25 |
| 5 | Annualized Loss Expectancy | AV * EF * ARO = SLE * ARO = ALE | Expected loss per year due to the risk | $40,000 * 0.25 = $10,000 |
Now, we can't do step six yet, because we do not know what the safeguard is. Let's consider implementing a Security Operations Centre (SOC) that will cost $15,000 annually.
| Step | Concept | Formula | Example | Result |
|---|---|---|---|---|
| 1 | Annual Cost of Safeguard | = ACS | The SOC costs $15,000 per year | $15,000 |
| 2 | ALE before Safeguard | = ALE1 | The ALE identified in step 5 above becomes ALE1 | $10,000 |
| 3 | Adjusted (Controlled) ARO after Safeguard | = CARO (unofficial term) | With the SOC in place, a breach is still expected once every 8 years | Once every 8 years = 1/8 = 0.125 |
| 4 | ALE after Safeguard | SLE * CARO = ALE2 | After the safeguard is in place, the expected yearly loss is the single loss expectancy ($40,000) times the CARO | $40,000 * 0.125 = $5,000 |
| 5 | Cost-Benefit Analysis | (ALE1 - ALE2) - ACS = Cost-Benefit | To determine if the safeguard is cost-effective, subtract the post-safeguard ALE (ALE2) and the annual cost of the safeguard (ACS) from the pre-safeguard ALE (ALE1) | ($10,000 - $5,000) - $15,000 = -$10,000 |
So, in this scenario, it's not cost-effective to implement the safeguard, as it results in an additional expected loss of $10,000 per year when considering the cost of the safeguard.
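The six steps above, carried through as a small calculator (an added example, not code from the article or the study guide). It reproduces the $100,000 server scenario and goes slightly beyond it: a safeguard may reduce the loss per event (EF) as well as the frequency (ARO), and several candidate controls can be ranked by their cost-benefit. The `Safeguard` class, the "Backups" control and its figures are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

def exposure_factor(ef: float) -> float:
    """Normalise EF to a decimal: 0.4 stays 0.4, 40 (a percentage) becomes 0.4."""
    ef = ef / 100.0 if ef > 1.0 else float(ef)
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return ef

def aro_from_interval(years: float) -> float:
    """ARO for an event expected once every `years` years (once every 4 years -> 0.25)."""
    if years <= 0:
        raise ValueError("interval must be a positive number of years")
    return 1.0 / years

def sle(av: float, ef: float) -> float:
    return av * exposure_factor(ef)          # Single Loss Expectancy: AV * EF

def ale(av: float, ef: float, aro: float) -> float:
    return sle(av, ef) * aro                 # Annualized Loss Expectancy: SLE * ARO

@dataclass
class Safeguard:                             # hypothetical helper, not a study-guide term
    name: str
    annual_cost: float                       # ACS
    aro_after: float                         # CARO: residual frequency with the control in place
    ef_after: Optional[float] = None         # set when the control reduces loss per event instead

def cost_benefit(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """(ALE before - ALE after) - ACS; a negative result means not cost-effective."""
    ale_before = ale(av, ef, aro)
    ale_after = ale(av, ef if sg.ef_after is None else sg.ef_after, sg.aro_after)
    return (ale_before - ale_after) - sg.annual_cost

def rank_safeguards(av: float, ef: float, aro: float, options: List[Safeguard]) -> List[Tuple[str, float]]:
    """Score every candidate control and sort best-first."""
    scored = [(sg.name, cost_benefit(av, ef, aro, sg)) for sg in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    # Constructed scenario from the article: $100,000 server, 40% EF, hit once every 4 years.
    av, ef, aro = 100_000.0, 40, aro_from_interval(4)
    soc = Safeguard("SOC", annual_cost=15_000, aro_after=aro_from_interval(8))
    # Hypothetical second control: backups cut EF to 10% for $2,000 a year, same ARO.
    backups = Safeguard("Backups", annual_cost=2_000, aro_after=aro, ef_after=0.10)
    for name, value in rank_safeguards(av, ef, aro, [soc, backups]):
        print(f"{name:8s} cost-benefit = ${value:,.0f}")
```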
To simplify things, I have not included additional Exposure Factors like fines and reputational damage. If you'd like, feel free to research the fines for a breach in your country and discover if this Quantitative Risk Analysis would be worth doing then.