Saturday, October 10, 2009

Quantitative Risk Assessments

If you're preparing for the CompTIA Security+ SY0-201 exam, you'll see some objectives related to risk, risk assessments, and risk management.

Risk assessments are used to prioritize risks. Not all risk can be prevented, so risk management instead attempts to mitigate risk, reducing it to an acceptable level.

One quantitative risk model uses three elements to quantify and prioritize risks. They are:
  • Single loss expectancy (SLE). This is the cost of any single loss expressed in monetary terms (such as $4,000).
  • Annualized rate of occurrence (ARO). This indicates how many times per year the loss is expected to occur if no action is taken. For example, if it has occurred an average of 4 times a year over the past three years, the ARO would be 4. Note that the ARO is a yearly rate: 4 occurrences spread across three years would give an ARO of 4/3, not 4.
  • Annualized loss expectancy (ALE). SLE * ARO. In this example, what you expect to lose annually if no action is taken is $4,000 * 4, or $16,000.
Now imagine that you have used this to quantify 4 different losses. They have ALEs of $100, $2,000, $8,000, and $16,000. Which one is the most important to mitigate? Knowing the ALEs, you can easily see that the risk that results in an annual loss of $16,000 is the most important to address.

Using an SLE of $4,000 and an ARO of 4, see if you can solve this problem. Suppose you could spend $2,000 a year on a control that reduces the ARO from 4 to 1. How much money would you save?

  • The original ALE is $16,000 ($4,000 * 4).
  • If the ARO were reduced to 1, the ALE would be $4,000 ($4,000 * 1), a reduction in losses of $12,000.
  • You spent $2,000 to save $12,000, so the net savings are $10,000.
Another way of looking at this is to use these figures to judge the cost-effectiveness of a proposed control. Imagine the ALE is $16,000. Someone proposes a risk mitigation solution that costs $35,000 a year and is guaranteed to eliminate the risk entirely. Does that make fiscal sense? You would be spending $35,000 a year to avoid an expected loss of $16,000 a year, which is not a good trade: instead of losing $16,000, you are now spending $35,000.
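The calculations above (ALE = SLE * ARO, ranking risks by ALE, and checking whether a control saves more than it costs) as an added worked example in Python. This is not code from the original post; the risk register, the risk names, and the dollar figures are constructed for illustration. It also derives the ARO from an incident history, since the ARO is a per-year rate, and it lets a control lower either the ARO or the SLE:

```python
"""Quantitative risk assessment: SLE, ARO, ALE, ranking, and control cost/benefit.

Added example; the risk register below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: dollars lost per incident
    aro: float  # annualized rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE * ARO (dollars per year)."""
        return self.sle * self.aro


def aro_from_history(occurrences: int, years: float) -> float:
    """Turn an incident history into an ARO.

    ARO is a per-year rate, so 4 incidents over 3 years is an ARO of 4/3,
    not 4. Only 4 incidents every year gives an ARO of 4.
    """
    if years <= 0:
        raise ValueError("years must be positive")
    return occurrences / years


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank risks by ALE, highest first, so the costliest risk is addressed first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def net_benefit(risk: Risk, annual_cost: float,
                new_aro: Optional[float] = None,
                new_sle: Optional[float] = None) -> float:
    """Net annual value of a control: (ALE before - ALE after) - annual cost.

    A control may lower the ARO (fewer incidents), the SLE (cheaper incidents),
    or both. A positive result means the control saves more than it costs;
    a negative result means you would spend more than you expect to lose.
    """
    mitigated = Risk(risk.name,
                     risk.sle if new_sle is None else new_sle,
                     risk.aro if new_aro is None else new_aro)
    return (risk.ale - mitigated.ale) - annual_cost


# Constructed risk register (hypothetical figures chosen to give ALEs of
# $16,000, $8,000, $2,000 and $100).
REGISTER = [
    Risk("Laptop theft", sle=4000.0, aro=4.0),
    Risk("Web server outage", sle=8000.0, aro=1.0),
    # 12 phishing incidents over the last 3 years -> ARO of 4 per year
    Risk("Phishing credential loss", sle=500.0, aro=aro_from_history(12, 3)),
    Risk("Printer failure", sle=100.0, aro=1.0),
]


if __name__ == "__main__":
    print("Risks ranked by ALE:")
    for r in prioritize(REGISTER):
        print(f"  {r.name:<25} SLE ${r.sle:>8,.0f}  ARO {r.aro:>4.2f}  ALE ${r.ale:>9,.0f}")

    theft = REGISTER[0]
    # Control A: $2,000/yr cuts laptop theft from 4 to 1 incident per year.
    print(f"Control A net benefit: ${net_benefit(theft, 2000, new_aro=1):,.0f}")
    # Control B: $35,000/yr eliminates the risk, but costs more than the ALE.
    print(f"Control B net benefit: ${net_benefit(theft, 35000, new_aro=0):,.0f}")
```

Running the script ranks the register with the $16,000 laptop-theft risk first, reports a net benefit of $10,000 for the $2,000 control and a net benefit of -$19,000 for the $35,000 control, matching the two worked problems above. Keeping the cost and the ALE on the same annual basis is what makes the comparison valid.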

Make sure you understand the SLE, ALE, and ARO when preparing for the CompTIA Security+ SY0-201 exam.

You can read about qualitative risk assessments here.

Darril Gibson