Ch15 - 15.02 - Types of Risk Analysis Flashcards
Qualitative Analysis
Qualitative risk analysis determines the risk and the mitigation techniques without calculating the loss as a dollar figure. With qualitative risk analysis, you create a rating scale (for example, 1 to 5) and subjectively rate the probability and the impact of each threat using the numbers in that scale.
The formula is that risk is equal to the probability multiplied by the loss (also known as the impact):
Risk = Probability × Loss
With qualitative risk analysis, instead of spending time figuring out the actual dollars and cents, you focus on assigning a value based on the scale you create. This saves time during the analysis because you are not actually trying to figure out an exact dollar figure.
Quantitative Analysis
The other type of risk analysis is quantitative. The drawback of qualitative analysis is that you are using a scale someone created to judge the seriousness of the threat, and the seriousness is subject to the viewpoint of the person doing the assessment.
With quantitative analysis, you calculate the expected loss from each threat in dollars. That figure helps determine how much you should invest in a security solution to protect the asset: a control that costs more per year than the loss it prevents is not worth buying.
Quantitative Analysis - Exposure Factor (EF)
The percentage of the asset’s value you expect to lose if the threat occurs.
Single Loss Expectancy (SLE)
SLE = asset value (AV, in $) × EF (%)
Annual Loss Expectancy (ALE)
& Annual Rate of Occurrence (ARO)
A calculation of how much money you expect to lose per year from each of the threats
ALE = SLE × ARO
The annual rate of occurrence (ARO) is how many times a year you expect the threat to occur. It can be a fraction: a threat expected once every 10 years has an ARO of 0.1.
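The following is an added worked example, not part of the flashcards, that carries the quantitative formulas above (SLE = AV × EF, ALE = SLE × ARO) through a constructed scenario and, for contrast with the Qualitative Analysis card, scores the same threat on a 1-to-5 scale. It goes one step beyond the cards by subtracting a control's yearly cost from the ALE reduction to decide whether the control is worth buying; that cost/benefit step, the $50,000 asset value, the 60% and 10% exposure factors, the once-every-two-years rate and the $4,000 control cost are all assumptions made for illustration.

```python
# Added worked example (not from the flashcards): quantitative risk
# analysis using the page's formulas, plus the qualitative scale for
# contrast. All dollar figures, EF and ARO values below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: value of the asset in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0.0-1.0)
    aro: float              # ARO: expected occurrences per year


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = AV x EF. EF is a fraction, so 60% is passed as 0.6."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return round(asset_value * ef, 2)


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be below 1 (once in 10 years -> 0.1)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return round(sle * aro, 2)


def aro_from_interval(years_between_events: float) -> float:
    """Convert 'expected once every N years' into an ARO."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def threat_ale(t: Threat) -> float:
    """ALE for one threat, computed from its AV, EF and ARO."""
    sle = single_loss_expectancy(t.asset_value, t.exposure_factor)
    return annual_loss_expectancy(sle, t.aro)


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Yearly benefit of a control: ALE reduction minus the control's yearly cost.
    This cost/benefit step is an assumed extension of the ALE formula, not a
    formula stated on the flashcards; a positive result means the control
    prevents more loss per year than it costs."""
    return round(ale_before - ale_after - annual_cost, 2)


def qualitative_score(probability: int, impact: int, scale: int = 5) -> int:
    """Qualitative Risk = Probability x Loss on an assessor-defined scale.
    Both inputs are ratings from 1 to `scale`; the product only means
    something relative to other threats rated on the same scale."""
    for rating in (probability, impact):
        if not 1 <= rating <= scale:
            raise ValueError(f"ratings must be between 1 and {scale}")
    return probability * impact


if __name__ == "__main__":
    # Constructed scenario: ransomware against a $50,000 web server,
    # expected once every two years, destroying 60% of the asset's value.
    ransomware = Threat("ransomware", asset_value=50_000, exposure_factor=0.6,
                        aro=aro_from_interval(2))
    before = threat_ale(ransomware)      # 50,000 x 0.6 = 30,000 SLE; x 0.5 = 15,000 ALE
    # Assumed control: tested offline backups at $4,000/yr, cutting EF to 10%.
    mitigated = Threat("ransomware (with backups)", 50_000, 0.1, ransomware.aro)
    after = threat_ale(mitigated)        # 50,000 x 0.1 = 5,000 SLE; x 0.5 = 2,500 ALE
    print(f"ALE before: ${before:,.2f}  after: ${after:,.2f}")
    print(f"control value per year: ${safeguard_value(before, after, 4_000):,.2f}")
    # Same threat on a 1-5 qualitative scale: likely (3) and severe (5).
    print("qualitative score:", qualitative_score(3, 5))
```

Running the block prints an ALE of $15,000 before and $2,500 after the control, so the assumed $4,000 backup solution is worth $8,500 a year; the qualitative score of 15 for the same threat shows what the scale-based approach gives instead of a dollar figure.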