Section 9.86 Quantitative Risk Analysis Flashcards
Objective 5.2: Explain elements of the risk management process
Quantitative Risk Analysis
Provides objective and numerical evaluation of risks
■ Used for financial, safety, and scheduling decisions
■ Utilises key components:
● Single Loss Expectancy (SLE)
● Exposure Factor (EF)
● Annualized Rate of Occurrence (ARO)
● Annualized Loss Expectancy (ALE)
Exposure Factor (EF)
● Proportion of asset lost in an event (0% to 100%)
● Indicates asset loss severity
e.g., one of your servers, valued at $20,000, has an Exposure Factor (EF) of 60% in the event of a crash.
Single Loss Expectancy (SLE)
● Monetary value expected to be lost in a single event
● Calculated as Asset Value x Exposure Factor (EF)
Single Loss Expectancy is calculated based upon the Exposure Factor (EF)
e.g., one of your servers, valued at $20,000, has an Exposure Factor (EF) of 60% in the event of a crash: 60% of 20,000 = 12,000 (SLE)
Annualised Rate of Occurrence (ARO)
● Estimated frequency of threat occurrence within a year
● Provides a yearly probability
e.g., the server crashes once every five years = 1/5, or 0.2
Annualised Loss Expectancy (ALE)
● Expected annual loss from a risk
● Calculated as SLE x ARO
You are managing a company’s IT infrastructure. One of your servers, valued at $20,000, has an Exposure Factor (EF) of 60% in the event of a crash. The server crashes once every five years.
What is the Annualized Loss Expectancy (ALE) for this server?
The Single Loss Expectancy (SLE) is calculated as the value of the asset multiplied by the Exposure Factor (EF). In this case, SLE = 12,000. The Annualized Rate of Occurrence (ARO) is 1/5 (since the server crashes once every five years) = 0.2. The Annualized Loss Expectancy (ALE) is calculated as SLE * ARO. In this case, ALE = 12,000 * 0.2 = 2,400.