January 22, 2012

2.1.4 Risk Calculation

The likelihood and impact of a risk have a strong bearing on the cost analysis used to budget funds for risk countermeasures and mitigation. One calculation used to quantify this factor is Annual Loss Expectancy (ALE).

You must calculate the chance of a risk occurring, sometimes called the Annual Rate of Occurrence (ARO), and the potential loss of revenue based on a specific period of downtime, which is called the Single Loss Expectancy (SLE). By multiplying these factors together, you arrive at the ALE. This is how much money you expect to lose on an annual basis because of the impact from an occurrence of a specific risk.

When you're doing a risk assessment, one of the most important things to do is to prioritize. Take into account the likelihood of an event happening and the impact to your organization if it does. Focus on the events that are likely and would have an impact. Not everything should be weighed evenly.

One method of measurement to consider is annualized rate of occurrence (ARO). This is the likelihood, often drawn from historical data, of an event occurring within a year. This measure can be used in conjunction with a monetary value assigned to data to compute single loss expectancy (SLE) and annual loss expectancy (ALE) values.

When you're computing risk assessment, remember this formula:
Thus, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be $1,000 and that there will be seven occurrences a year (ARO = 7), then the ALE is $7,000. Conversely, if there is only a 10 percent chance of the event occurring in a year (ARO = 0.1), then the ALE drops to $100.

The Annualized Loss Expectancy (ALE) is the monetary loss that can be expected for an asset, due to a given risk, over a one-year period. It is defined as:

where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence.

An important feature of the Annualized Loss Expectancy is that it can be used directly in a cost-benefit analysis. If a threat or risk has an ALE of $5,000, then it may not be worth spending more than $5,000 per year on a security measure that eliminates it.

Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending upon whether you are focusing on dollar amounts or not. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO) are all based on doing assessments that lead to dollar amounts and are thus quantitative.

Know how to calculate risk. Risk can be calculated either qualitatively (subjective) or quantitatively (objective). Quantitative calculations assign dollar amounts, and the basic formula is SLE × ARO = ALE where SLE is the single loss expectancy, ARO is the annualized rate of occurrence, and ALE is the annual loss expectancy.

ALE – A calculation that is used to identify risks and calculate the expected loss each year.
For each vulnerability associated with each asset, you must do the following to quantify risk:
  1. Estimate the cost of replacing or restoring that asset (its Single Loss Expectancy)
  2. Estimate the vulnerability's expected Annual Rate of Occurrence
  3. Multiply these to obtain the vulnerability's Annualized Loss Expectancy
Three categories are commonly used to express the likelihood of a risk when comparing risks: High (1.0), Medium (0.5), and Low (0.1).
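The three-step procedure above, the ARO examples from the formula section, and the $5,000 cost-benefit check can be worked through in a few lines of code. This is an added illustration, not part of the original notes; the asset names, values, exposure factors and control cost are constructed sample figures.

```python
"""ALE worked example (added illustration; all figures below are constructed)."""

# Likelihood categories from the notes, usable as an ARO when no historical data exists.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset value lost per occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may be fractional (0.1 = once every ten years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def countermeasure_net_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Cost-benefit check: yearly loss avoided minus yearly cost of the control.
    A negative result means the control costs more than the risk it removes."""
    return (ale_before - ale_after) - annual_cost


def prioritize(risks: list) -> list:
    """Apply steps 1-3 to every asset/vulnerability pair and sort so the largest
    expected annual loss comes first. 'aro' may be a number or a category name."""
    ranked = []
    for r in risks:
        aro = LIKELIHOOD[r["aro"]] if isinstance(r["aro"], str) else r["aro"]
        sle = single_loss_expectancy(r["asset_value"], r["exposure_factor"])
        ranked.append((r["name"], annualized_loss_expectancy(sle, aro)))
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample risk register (hypothetical assets and figures).
SAMPLE_RISKS = [
    {"name": "web server outage", "asset_value": 10_000, "exposure_factor": 0.1, "aro": 7},
    {"name": "laptop theft", "asset_value": 2_000, "exposure_factor": 1.0, "aro": "medium"},
    {"name": "data centre fire", "asset_value": 500_000, "exposure_factor": 0.5, "aro": 0.01},
]

if __name__ == "__main__":
    for name, ale in prioritize(SAMPLE_RISKS):
        print(f"{name:20s} ALE = ${ale:,.2f}")
    # The notes' $5,000 ALE case: a $6,000/year control that removes the risk entirely.
    print("net value of control:", countermeasure_net_value(5_000, 0, 6_000))
```

The web server risk (SLE $1,000, ARO 7) reproduces the $7,000 ALE from the text, and the $6,000 control against a $5,000 ALE comes out with a negative net value, which is the cost-benefit point the notes make.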