A quantitative risk assessment measures the risk using a specific monetary amount. This monetary amount makes it easier to prioritize risks. For example, a risk with a potential loss of $30,000 is much more important than a risk with a potential loss of $1,000.
You can read about qualitative risk assessments here.
When preparing for security certifications such as CompTIA's Security+ and CASP certifications, and (ISC)2’s SSCP and CISSP certifications, you should have a good understanding of quantitative and qualitative risk assessments. As an example, here’s a sample Security+ certification question.
Quantitative Risk Assessment Sample Question
Can you answer this Security+ practice test question? More importantly, do you know why the correct answer is correct and why the incorrect answers are incorrect?
2. You need to calculate the ALE for a server. The value of the server is $3,000, but it has crashed 10 times in the past year. Each time it crashed, it resulted in a 10 percent loss. What is the ALE?
A. $300
B. $500
C. $3,000
D. $30,000
You can view the correct answer and the explanation at the end of this post.
Quantitative Risk Assessment and Asset Value
The asset value is an important element in a quantitative risk assessment. It may include the revenue value or replacement value of an asset. A web server may generate $10,000 in revenue per hour. If the web server fails, the company will lose $10,000 in direct sales each hour it’s down, plus the cost to repair it. It can also result in the loss of future business if customers take their business elsewhere. In contrast, the failure of a library workstation may cost a maximum of $1,000 to replace it.
Quantitative Risk Assessment Terms
One quantitative risk assessment model uses the following values to determine risks:
- Single loss expectancy (SLE). The SLE is the cost of any single loss.
- Annual rate of occurrence (ARO). The ARO indicates how many times the loss will occur in a year. If the ARO is less than 1, the ARO is represented as a percentage. For example, if you anticipate the occurrence once every two years, the ARO is 50 percent or .5.
- Annual loss expectancy (ALE). The ALE is the SLE × ARO.
Calculating Quantitative Risk Assessment Values
Imagine that employees at your company lose, on average, one laptop a month. Thieves have stolen them when employees left them in conference rooms during lunch, while they were on site at customer locations, and from training rooms.
Someone suggested purchasing hardware locks to secure these laptops for a total of $1,000. These locks work similarly to bicycle locks and allow employees to wrap the cable around a piece of furniture and connect it to the laptop. A thief needs to either destroy the laptop to remove the lock or take the furniture with them when stealing the laptop. Should your company purchase them? With a little analysis, the decision is easy.
You have identified the average cost of these laptops, including the hardware, software, and data, as $2,000 each. This assumes employees do not store entire databases of customer information or other sensitive data on the systems, which can easily result in much higher costs. You can now calculate the SLE, ARO, and ALE as follows:
- SLE. The value of each laptop is $2,000, so the SLE is $2,000.
- ARO. Employees lose about one laptop a month, so the ARO is 12.
- ALE. You calculate the ALE as SLE × ARO, so $2,000 × 12 = $24,000.
Security experts estimate that these locks will reduce the number of lost or stolen laptops from 12 a year to only 2 a year. This changes the ALE from $24,000 to only $4,000 (saving $20,000 a year). In other words, the organization can spend $1,000 to save $20,000. It doesn’t take a rocket scientist to see that this is a good fiscal decision, saving a net of $19,000. Buy them.
Managers use these two simple guidelines for most of these decisions:
- If the cost of the control is less than the savings, purchase it.
- If the cost of the control is greater than the savings, accept the risk.
The organization might be considering other controls, such as a combination of hardware locks, biometric authentication, LoJack for Laptops, and more. The final cost of all of these controls is $30,000 per year. Even if a laptop is never stolen again, the company is spending $30,000 to save $24,000, resulting in a higher net loss—they’re losing $6,000 more a year.
Admittedly, a company could choose to factor in other values, such as the sensitivity of data on the laptops, and make a judgment to purchase these controls. However, if they’re using a quantitative risk assessment, these values would need to be expressed in monetary terms.
Quantitative Risk Assessment Reverse Calculations
Although you would normally know the SLE and ARO and use these to calculate the ALE, you might occasionally have the SLE and ALE, but not know the ARO. Using basic algebra, you can rearrange the formula. Any of these are valid:
- ALE = SLE × ARO
- ARO = ALE / SLE
- SLE = ALE / ARO
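The control decision and the reverse calculations above can be combined in one short script. This is an added example, not code from the original post; the names solve, Control and evaluate are made up for illustration, and it uses the laptop figures from the scenario above.

```python
from dataclasses import dataclass


def solve(sle=None, aro=None, ale=None):
    """Given any two of SLE, ARO and ALE, return all three as (sle, aro, ale)."""
    if [sle, aro, ale].count(None) != 1:
        raise ValueError("supply exactly two of sle, aro, ale")
    if ale is None:
        return sle, aro, sle * aro          # ALE = SLE x ARO
    if aro is None:
        if sle == 0:
            raise ValueError("an SLE of 0 leaves the ARO undefined")
        return sle, ale / sle, ale          # ARO = ALE / SLE
    if aro == 0:
        raise ValueError("an ARO of 0 leaves the SLE undefined")
    return ale / aro, aro, ale              # SLE = ALE / ARO


@dataclass
class Control:
    name: str
    cost: float       # compared against one year of savings, as the article does
    aro_after: float  # estimated losses per year once the control is in place


def evaluate(sle, aro_before, control):
    """Apply the article's two guidelines to one proposed control."""
    ale_before = solve(sle=sle, aro=aro_before)[2]
    ale_after = solve(sle=sle, aro=control.aro_after)[2]
    savings = ale_before - ale_after
    # The article does not cover cost == savings; this sketch treats a tie as "accept".
    decision = "purchase" if control.cost < savings else "accept the risk"
    return {"control": control.name, "ale_before": ale_before,
            "ale_after": ale_after, "savings": savings,
            "net": savings - control.cost, "decision": decision}


# Figures from the laptop scenario: $2,000 per laptop, 12 losses a year.
LAPTOP_SLE, LAPTOP_ARO = 2000, 12
CANDIDATES = [Control("hardware locks", 1000, 2),
              Control("combined controls", 30000, 0)]

if __name__ == "__main__":
    for candidate in CANDIDATES:
        print(evaluate(LAPTOP_SLE, LAPTOP_ARO, candidate))
    print(solve(sle=2000, ale=24000))  # recover the ARO from the SLE and ALE
    print(solve(sle=2000, aro=0.5))    # one loss every two years
```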
A quantitative risk assessment uses specific monetary amounts to identify cost and asset values. The SLE identifies the amount of each loss, the ARO identifies the number of failures in a year, and the ALE identifies the expected annual loss. You calculate the ALE as SLE × ARO. A qualitative risk assessment uses judgment to categorize risks based on probability and impact.
Answer Quantitative Risk Assessment Sample Question
2. You need to calculate the ALE for a server. The value of the server is $3,000, but it has crashed 10 times in the past year. Each time it crashed, it resulted in a 10 percent loss. What is the ALE?
A. $300
B. $500
C. $3,000
D. $30,000
2. C is correct. The annual loss expectancy (ALE) is $3,000. It is calculated as single loss expectancy (SLE) × annual rate of occurrence (ARO).
The SLE is 10 percent of $3,000 ($300) and the ARO is 10.
10 × $300 is $3,000.