Quantitative Risk Analysis

Risk analysis is a key management practice for identifying potential risks and hazards and minimizing their negative impact on a project or organization. Exposure is unavoidable in all organisations and environments, so managers should regularly analyze the risks they may encounter in order to prepare for them and put plans in place to resolve them effectively if they arise. There are two types of risk analysis: qualitative and quantitative.

Qualitative risk analysis is the more commonly used method and is a quick way to gauge the likelihood of potential risks and their impact so you can prioritize them for further assessment. Quantitative risk analysis is more in-depth and takes an objective approach, using hard numbers and verified data to assess the likelihood and impact of risks. The process involves calculating metrics, such as annual loss expectancy, to help you determine whether a given risk mitigation effort is worth the investment. In this article, we will focus on quantitative risk analysis and explain how to calculate metrics such as annual loss expectancy (ALE).

What is quantitative risk analysis?

Quantitative risk analysis uses relevant, verifiable data to estimate the likelihood and consequences of a risk, expressing the result as a number so that you can make smart, data-informed decisions for your business. The outcomes of the analysis offer an understanding of the probability of the risk, help you decide which countermeasures to implement, and let you calculate realistic costs of risk mitigation.

There are many different types of risks that IT professionals need to consider, including the following:

  • Human errors
  • Hostile action, such as cyberattacks, unauthorized disclosure or misuse of data
  • Application errors
  • System or network malfunctions
  • Physical damage from causes such as fire, natural disasters or vandalism

What is annual loss expectancy?

Annual loss expectancy is a calculation that helps you determine the expected monetary loss for an asset due to a particular risk over a single year. For example, if you calculate an annual loss expectancy of $10,000 and eliminating the risk would cost $15,000, you might decide that eliminating it isn’t worth the cost.

Here is an overview of how to calculate ALE. Each term is explained in further detail below.

  1. Inventory your information assets and determine the asset value (AV) of each.
  2. Identify the potential threats to each asset.
  3. For each threat, do the following:
       • Determine the exposure factor (EF).
       • Calculate the single loss expectancy (SLE).
       • Calculate the annual rate of occurrence (ARO).

  • Asset value (AV) — Many of your assets are tangible items, such as computers, servers and software. Other assets are intangible, like expertise, databases, plans and sensitive information. The asset value is the total value of the specific asset.
  • Exposure factor (EF) — This is the percentage of the value of a given asset that gets lost as a result of a specific incident. Determine it for each information asset in relation to each threat. If you expect to lose a quarter of the value of an asset in an incident, then your EF for that asset is 0.25 (25%). Remember that you can only calculate the EF in relation to a specific risk, such as a security breach or natural disaster. Also keep in mind that a loss can exceed the value of a given asset; in such cases, the EF would be greater than 1.0 (more than 100%).
  • Single loss expectancy (SLE) — This is the amount of money you expect to lose each time a specific asset is lost or compromised. For instance, you may expect to lose $300 each time your business server breaks down, or you might lose $1,500 every time a laptop is lost or stolen. To calculate single loss expectancy, multiply the AV and EF: AV x EF = SLE.
  • Calculate the Annual rate of occurrence (ARO) — This is the number of times you expect a specific incident to occur in one year. If you expect your server to crash five times per year, your ARO would be 5. If the ARO is less than 1, you express it as a percentage — for instance, if the likelihood of an incident is once every four years, the ARO for that incident would be 0.25 (25%).

Formula to Calculate the Annualized Loss Expectancy (ALE)

Using the calculations above, you can then calculate the annualized loss expectancy (ALE) with this formula: SLE x ARO = ALE

ALE calculation Example

  1. Determine the AV. $100,000.
  2. Calculate the EF. Let’s assume that you will lose half of the value of the asset, giving an EF of 0.5 (50%).
  3. Calculate the SLE by multiplying the AV by the EF, which yields an SLE of $50,000.
  4. Determine the ARO. Let’s assume it’s 0.95 (meaning there’s a 95% chance of the risk occurring in any given year).
  5. Calculate the ALE: $50,000 (SLE) X 0.95 (ARO) = $47,500 (ALE).
  6. Compare the ALE to the cost of each of the solutions you’re considering. If the cost exceeds your ALE ($50,000), the solution is not a worthwhile investment.
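
The same procedure applied to a small risk register and ranked by ALE, as an added example that is not part of the original article. Only the first entry uses the article's figures; the other entries, the solution names and costs, and all identifiers are constructed, and solution costs are assumed to be annual.

```python
from dataclasses import dataclass
from decimal import Decimal as D  # exact decimal arithmetic for money


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    av: D   # asset value
    ef: D   # exposure factor; may exceed 1.0 when the loss exceeds the asset's value
    aro: D  # annual rate of occurrence; 0.25 means once every four years

    def __post_init__(self):
        # Negative inputs would silently turn a loss into a "gain"; reject them.
        if self.av < 0 or self.ef < 0 or self.aro < 0:
            raise ValueError(f"negative input for {self.asset} / {self.threat}")

    @property
    def sle(self) -> D:
        return self.av * self.ef   # AV x EF = SLE

    @property
    def ale(self) -> D:
        return self.sle * self.aro  # SLE x ARO = ALE


def rank_by_ale(risks):
    """Highest expected annual loss first, so the costliest risks get attention first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def evaluate(risk, solutions):
    """Article's rule: a solution whose cost exceeds the ALE is not worthwhile."""
    return {name: cost <= risk.ale for name, cost in solutions.items()}


REGISTER = [
    Risk("asset A", "worked example above", D("100000"), D("0.5"), D("0.95")),
    Risk("laptop fleet", "loss or theft", D("1500"), D("1.0"), D("6")),    # constructed
    Risk("customer database", "breach", D("80000"), D("1.5"), D("0.25")),  # constructed, EF > 1
]
SOLUTIONS = {"control X": D("30000"), "control Y": D("60000")}  # constructed annual costs

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.asset:18} {r.threat:22} SLE={r.sle:>12,.2f} ALE={r.ale:>12,.2f}")
    print(evaluate(REGISTER[0], SOLUTIONS))
```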


Calculating ALE as part of a quantitative risk assessment is essential for making informed business decisions. While the process can be confusing and arduous at times, reliably determining risks and accurately calculating potential losses will provide valuable information to help you make smart business decisions. With ALE as a risk assessment tool in your pocket, you can more effectively perform a cost-benefit analysis and determine if employing specific countermeasures is worth the investment.

