Risk assessments are used to prioritize risks. Not all risk can be prevented. Instead, risk management attempts to mitigate risk.
One quantitative risk model uses three elements to quantify and prioritize risks. They are:
- Single loss expectancy (SLE). This is the cost of any single loss expressed in monetary terms (such as $4,000).
- Annualized rate of occurrence (ARO). This indicates how many times per year the loss is expected to occur if no action is taken. For example, if the loss occurred an average of 4 times a year over the past three years, the ARO would be 4.
- Annualized loss expectancy (ALE). ALE = SLE * ARO. This is what you expect to lose annually if no action is taken; in this example it is $16,000.
Using an SLE of $4,000, and an ARO of 4, see if you can solve this problem. Suppose you could spend $2,000 and reduce the ARO from 4 to 1. How much money would you save?
- The original ALE is $16,000 ($4,000 * 4).
- If the ARO was reduced to 1, the ALE would be $4,000 ($4,000 * 1), or a reduction of losses by $12,000.
- You spent $2,000 to save $12,000, so your net saving is $10,000.
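As an added worked example (not from the original post), the following Python carries the SLE/ARO/ALE calculation through for several candidate controls: it derives the ARO from a constructed incident history, computes the ALE before and after each control, and ranks the controls by net annual savings, flagging any control that costs more than the loss it prevents. The control names, control costs and incident counts are constructed for illustration.

```python
from dataclasses import dataclass


def annualized_rate(occurrences: int, years: float) -> float:
    """ARO: expected losses per year, estimated from incident history."""
    if years <= 0:
        raise ValueError("years must be positive")
    return occurrences / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: the expected annual loss if nothing is done."""
    return sle * aro


@dataclass
class Control:
    name: str
    annual_cost: float  # what the control costs per year
    new_aro: float      # ARO expected once the control is in place


def net_savings(sle: float, aro: float, control: Control) -> float:
    """Annual saving from a control: ALE reduction minus the control's cost.
    A negative result means the control costs more than the loss it prevents."""
    ale_before = annualized_loss_expectancy(sle, aro)
    ale_after = annualized_loss_expectancy(sle, control.new_aro)
    return (ale_before - ale_after) - control.annual_cost


def rank_controls(sle: float, aro: float, controls: list) -> list:
    """Return (control name, net savings) pairs, best first."""
    scored = [(c.name, net_savings(sle, aro, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    sle = 4000.0
    # Constructed history: 12 losses over 3 years gives the ARO of 4 used above.
    aro = annualized_rate(occurrences=12, years=3)
    candidates = [  # constructed candidate controls
        Control("post's example control", 2000.0, 1.0),
        Control("partial fix", 500.0, 3.0),
        Control("overpriced control", 5000.0, 3.0),
    ]
    print(f"ALE with no action: ${annualized_loss_expectancy(sle, aro):,.0f}")
    for name, saving in rank_controls(sle, aro, candidates):
        verdict = "worth it" if saving > 0 else "not worth it"
        print(f"{name}: net ${saving:,.0f}/year ({verdict})")
```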
Make sure you understand the SLE, ALE, and ARO when preparing for the CompTIA Security+ SY0-201 exam.
You can read about qualitative risk assessments here.