May 22, 2013

2.1.4 Risk Calculation in Projects


Few systems are free of risks. The job of the risk/security professional is to identify the risk, estimate the potential cost and recommend appropriate action.

Risk Management is a field that has seen major growth and development in the past few years.  This growth has risen to meet the growth of risk in the field.  The expectation for any project is that it be successful, which means it meets its deadlines, stays on budget and fulfills the statement of work.

In IT, for example, you should continually try to uncover the risks in your systems. Are your employees streaming Netflix videos on company time? Are they visiting sites suspected of being compromised? Each of these actions is potentially very harmful to the organization. How does the cost of preventing or avoiding the risk compare to the cost of allowing or ignoring it?

There is a range of methods for calculating risks and minimizing the danger they pose to the success of your project.  They all make use of risk assessment and measurement procedures. As the amount of information generated continues to grow and our rate of information consumption continues to increase, more often than not we consume or act on information without properly assessing the risk it carries.

At one point the Internet (known then as ARPAnet) was a set of 50 kbps lines connecting four computers. The risks then were very different.[1] The network today has increased in both size and complexity and the risk has increased alongside it.

McAfee defines risk as a “function of threat and asset, plus a risk multiplier”.[2] This is saying that risk is outcome-based. The outcome or effect of a successful intrusion at a bank is more critical than an intrusion at a site with less valuable data. Before a threat is identified as a risk, the cost of the risk and of managing it is weighed against the value of the asset. Once the threat is identified as a risk, risk mitigation programs must be deployed to mitigate or minimize the risk and its cost.

What factors are available to help you to determine the highest risks for an event?
  1. Calculate the probability of the event, if possible based on real data.
  2. Conduct research on your client, their background, business drivers and key roles.  For every calculated risk, generate an agile project plan to manage it.
  3. Control the risk.  Hire a certified ethical hacker (CEH)[3] for instance to try and break into the network, apply stress on the network and measure the outcome.
The likelihood and outcome of a risk have a strong impact on your cost analysis when budgeting funds for risk countermeasures and mitigation. A calculation used to determine this factor is Annual Loss Expectancy (ALE). You must calculate the chance of a risk occurring, called the Annual Rate of Occurrence (ARO), and the potential loss of revenue based on a specific period of downtime, which is called the Single Loss Expectancy (SLE). By multiplying these factors together, you arrive at the ALE.

Likelihood and Impact of a Risk:
  Chance of a Risk Occurring, the Annual Rate of Occurrence (ARO)
  × Potential Loss of Revenue Over a Period of Downtime, the Single Loss Expectancy (SLE)
  = Annual Loss Expectancy (ALE)

ALE is how much money you expect to lose on an annual basis because of the impact from an occurrence of a specific risk.

When conducting a risk assessment, it is important to prioritize. Consider the likelihood of an event occurring and its impact to your organization. Focus on the events that have a significant impact. Not every risk should be weighted equally.

Three categories are commonly used to rate the likelihood of a risk, with the values High (1.0), Medium (0.5) and Low (0.1) assigned for risk comparison.

Annualized Rate of Occurrence (ARO) is the likelihood, often drawn from historical data, of an event occurring within a year. This measure can be used in conjunction with a monetary value assigned to data to compute Single Loss Expectancy (SLE) and Annual Loss Expectancy (ALE) values.

When computing risk, remember the following:
  Annual Rate of Occurrence (ARO) × Single Loss Expectancy (SLE) = Annual Loss Expectancy (ALE)
  Asset Value (AV) × Exposure Factor (EF) = Single Loss Expectancy (SLE)

Thus, if you can reasonably expect that every SLE, which is equal to asset value (AV) times exposure factor (EF), will be equivalent to $1,000 and that there will be seven occurrences a year (ARO), then the ALE is $7,000. Conversely, if there is only a 10 percent chance of an event occurring in a year (ARO = .1), then the ALE drops to $100.


The Annualized Loss Expectancy (ALE), a calculation used to identify risks and estimate the expected loss each year, is the expected monetary loss for an asset due to a risk over a one year period. An important feature of the ALE is that it can be used directly in a cost-benefit analysis. If a threat or risk has an ALE of $5,000, then it may not be worth spending more than that per year on a security measure that eliminates it.
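The SLE, ALE and cost-benefit calculations above, worked through in code as an added example (not part of the original post). The asset values, exposure factors and countermeasure costs are constructed to reproduce the post's figures; the `Countermeasure` type and its fields are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Likelihood categories from the text, mapped to the multipliers it gives.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset's value lost in one incident (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may exceed 1 (several incidents a year) or be a fraction."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass
class Countermeasure:
    """Hypothetical control description; the fields are assumptions for this example."""
    name: str
    annual_cost: float    # what the control costs per year
    residual_aro: float   # ARO expected once the control is in place
    residual_ef: float    # EF expected once the control is in place


def annual_net_benefit(asset_value: float, exposure_factor: float, aro: float,
                       control: Countermeasure) -> float:
    """Cost-benefit test from the text: (ALE before - ALE after) - annual cost of the control.
    Positive means the control pays for itself; negative means it costs more than the risk it removes."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annual_loss_expectancy(single_loss_expectancy(asset_value, control.residual_ef),
                                       control.residual_aro)
    return (ale_before - ale_after) - control.annual_cost


if __name__ == "__main__":
    # Figures from the text: SLE = $1,000 and seven occurrences a year -> ALE = $7,000;
    # the same SLE with a 10 percent chance in a year (ARO = 0.1) -> ALE = $100.
    sle = single_loss_expectancy(asset_value=10_000, exposure_factor=0.10)  # constructed so SLE = $1,000
    print(annual_loss_expectancy(sle, 7))                  # 7000.0
    print(annual_loss_expectancy(sle, LIKELIHOOD["low"]))  # 100.0
    # A $5,000 ALE does not justify a control costing $6,000 a year, even one that removes the risk entirely.
    ctrl = Countermeasure("hypothetical control", annual_cost=6_000, residual_aro=0.0, residual_ef=0.0)
    print(annual_net_benefit(asset_value=50_000, exposure_factor=0.10, aro=1.0, control=ctrl))  # -1000.0
```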

Risk assessment can be either qualitative (opinion-based and subjective) or quantitative (cost-based and objective), depending upon whether you are focusing on dollar amounts or not. The formulas for single loss expectancy (SLE), annual loss expectancy (ALE), and annualized rate of occurrence (ARO) are all based on doing assessments that lead to dollar amounts and are thus quantitative.

Quantitative calculations assign dollar amounts.

Study Guides & References:

  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart


  1. Unless you consider the system crashing on the first attempt to send the “login” prompt.

Additional Resources:

  • History of Computing Project: -
  • Risk Mitigation: -
  • Petrocelli, T. D. (2006). Data protection and information lifecycle management. Upper Saddle River, NJ: Prentice Hall Professional Technical Reference. 
