An Introduction To
Information, Network and Internet Security


Quantitative risk assessment

In quantitative risk assessments, the goal is to try to calculate objective numeric values for each of the components gathered during the risk assessment and cost benefit analysis.

For example, the true value of each business asset is estimated in terms of what it would cost to replace it, what it would cost in lost productivity, what it would cost in brand reputation, and other direct and indirect business values. The process requires the assessor to apply the same objectivity when computing asset exposure, cost of controls, and all of the other values that are identified during the risk management process.

Note: This is an overview of the quantitative process, intended to show at a high level some of the steps involved in quantitative risk assessments. It is not meant to be a prescriptive guide for using the approach.

Identifying and valuing assets

Determining the monetary value of an asset is an important part of risk management. Business managers often rely on the value of an asset to guide them in determining how much money and time they should spend securing it. Many organizations maintain a list of asset values (AVs) as part of their business continuity plans. The numbers calculated are, however, subjective estimates, as no objective tool or method exists for determining the value of an asset. To assign a value to an asset, it is necessary to estimate the following three primary factors:

1.      The overall value of the asset to the organization. Calculate or estimate the asset's value in direct financial terms. Consider a simplified example of the impact of temporary disruption of an e-commerce Web site that normally runs seven days a week, 24 hours a day, generating an average of 2,000 per hour in revenue from customer orders. One can state with confidence that the annual value of the Web site in terms of sales revenue is 17,520,000.

2.      The immediate financial impact of losing the asset. Since the example above is deliberately simplified and it is assumed that the Web site generates revenue at a constant rate per hour, if the same Web site becomes unavailable for six hours the calculated exposure is 6 of the 8,760 hours in a year, a fraction of .000685 (about .0685 percent) of the year. By multiplying this exposure fraction by the annual value of the asset, one can predict that the directly attributable losses in this case would be 12,000. In reality, most e-commerce Web sites generate revenue at a wide range of rates depending upon the time of day, the day of the week, the season, marketing campaigns, and other factors. Additionally, some customers may find an alternative Web site that they prefer to the original, so the Web site may suffer some permanent loss of users. Calculating the revenue loss precisely, taking all potential types of loss into account, is actually a very complex process.

3.      The indirect business impact of losing the asset. In this example, the organisation estimates that it would spend 10,000 on advertising to counteract the negative publicity from such an incident. Additionally, the organisation also estimates a loss of one tenth of one percent (.1 percent) of annual sales, or 17,520. By combining the extra advertising expenses and the loss in annual sales revenue, one can predict a total of 27,520 in indirect losses in this case.

Determining the Single Loss Expectancy (SLE)

The SLE is the total amount of revenue that is lost from a single occurrence of the risk. It is a monetary amount that is assigned to a single event that represents the organisation's potential loss amount if a specific threat exploits a vulnerability. (The SLE is similar to the impact of a qualitative risk analysis.)

The SLE is calculated by multiplying the asset value by the exposure factor (EF). The exposure factor represents the percentage of loss that a realized threat could have on a certain asset. If a Web farm has an asset value of 150,000, and a fire results in damages worth an estimated 25 percent of its value, then the SLE in this case would be 37,500. This is an oversimplified example and other expenses may need to be considered.

Determining the Annual Rate of Occurrence (ARO)

The ARO is the number of times that one may reasonably expect the risk to occur during one year. Making these estimates is very difficult as often there is very little actuarial data available.

To estimate the ARO, one must draw on past experience and consult security risk management experts and security and business consultants.

The ARO is similar to the probability of a qualitative risk analysis, but it is a frequency rather than a probability: a value of 0 means the event is never expected, 0.1 means roughly once in ten years, 1 means about once a year, and values above 1 (for example 12 for a monthly occurrence) are possible.

Determining the Annual Loss Expectancy (ALE)

The ALE is the total amount of money that the organization will lose in one year if nothing is done to mitigate the risk. This is calculated by multiplying the SLE by the ARO. The ALE is similar to the relative rank of a qualitative risk analysis.

For example, if a fire at the same organisation's Web farm results in 37,500 in damages, and the probability, or ARO, of a fire taking place has an ARO value of 0.1 (indicating once in ten years), then the ALE value in this case would be 3,750 (37,500 x 0.1 = 3,750).

The ALE provides a value that the organization can work with to budget what it will cost to establish controls or safeguards to prevent this type of damage - in this case, 3,750 or less per year - and provide an adequate level of protection. It is important to quantify the real possibility of a risk and how much damage, in monetary terms, the threat may cause in order to be able to know how much can be spent to protect against the potential consequence of the threat.

Determining the cost of controls

Determining the cost of controls requires accurate estimates on how much acquiring, testing, deploying, operating, and maintaining each control would cost. Such costs would include:

         buying or developing the control solution;

         deploying and configuring the control solution;

         maintaining the control solution;

         communicating new policies or procedures related to the new control to users;

         training users and IT staff on how to use and support the control;

         monitoring the control;

         contending with the loss of convenience or productivity that the control might impose.

For example, to reduce the risk of fire damaging the Web farm, the fictional organization might consider deploying an automated fire suppression system. It would need to hire a contractor to design and install the system and would then need to monitor the system on an ongoing basis. It would also need to check the system periodically and, occasionally, recharge it with whatever chemical retardants the system uses.

Return On Security Investment (ROSI)

Estimate the return that a control delivers by using the following equation:

(ALE before control) - (ALE after control) - (annual cost of control) = ROSI

In this form the ROSI is a net annual benefit in monetary terms; a negative value means the control costs more per year than the loss it avoids. (Some sources instead express ROSI as a ratio by dividing this net benefit by the annual cost of the control.)

For example, the ALE of the threat of an attacker bringing down a Web server is 12,000, and after the suggested safeguard is implemented, the ALE is valued at 3,000. The annual cost of maintenance and operation of the safeguard is 650, so the ROSI is 8,350 each year as expressed in the following equation: 12,000 - 3,000 - 650 = 8,350.
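The whole chain above, from valuing the e-commerce site through SLE, ARO, ALE and ROSI, carried through in code. This is an added example for this page, not code from the original text: the figures it reproduces are the page's own illustrative numbers, while the control names, the low/high ARO bounds used for the sensitivity check, and all function and class names are constructed assumptions.

```python
"""Worked quantitative risk assessment: AV, EF, SLE, ARO, ALE and ROSI.

Added example for this page, not code from the original text. The figures
reproduced below are the page's own illustrative numbers; the control names,
the low/high ARO bounds and the helper names are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOURS_PER_YEAR = 24 * 365  # the page assumes 24x7 operation: 8,760 hours


def annual_value(revenue_per_hour: float) -> float:
    """Direct financial value over one year of an asset earning revenue 24x7."""
    return revenue_per_hour * HOURS_PER_YEAR


def downtime_exposure(hours_down: float) -> float:
    """Exposure factor for an outage as a FRACTION of the year
    (six hours gives 0.000685, i.e. 0.0685 percent, not 0.000685 percent)."""
    if not 0 <= hours_down <= HOURS_PER_YEAR:
        raise ValueError("hours_down must be between 0 and one year")
    return hours_down / HOURS_PER_YEAR


def direct_loss(revenue_per_hour: float, hours_down: float) -> float:
    """Directly attributable revenue loss = annual value x exposure fraction."""
    return annual_value(revenue_per_hour) * downtime_exposure(hours_down)


def indirect_loss(annual_value_of_asset: float, remediation_spend: float,
                  fraction_of_annual_sales_lost: float) -> float:
    """Indirect loss = remediation spend (e.g. advertising) + permanently lost sales."""
    return remediation_spend + fraction_of_annual_sales_lost * annual_value_of_asset


@dataclass(frozen=True)
class Risk:
    """One threat/vulnerability pair against one asset."""
    name: str
    asset_value: float      # AV, in monetary units
    exposure_factor: float  # EF: fraction of AV lost per event, 0.0 to 1.0
    aro: float              # ARO: expected events per year; may exceed 1.0

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be a fraction between 0 and 1")
        if self.aro < 0.0:
            raise ValueError(f"{self.name}: ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self, aro: Optional[float] = None) -> float:
        """Annual Loss Expectancy = SLE x ARO (optionally with an alternative ARO)."""
        return self.sle() * (self.aro if aro is None else aro)

    def ale_range(self, aro_low: float, aro_high: float) -> Tuple[float, float]:
        """Sensitivity check: ALE under the lowest and highest plausible ARO.
        Worth doing because the ARO is an expert estimate, not actuarial data."""
        return self.ale(aro_low), self.ale(aro_high)


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the residual ALE expected once it is in place."""
    name: str
    annual_cost: float   # purchase (amortised), deployment, operation, training...
    residual_ale: float  # ALE after the control


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """ROSI as the page defines it, a net annual benefit in money:
    (ALE before) - (ALE after) - (annual cost of control)."""
    return ale_before - ale_after - annual_cost


def rank_controls(risk: Risk, controls: List[Control]) -> List[Tuple[str, float]]:
    """Order candidate controls by ROSI, best first; a negative ROSI means the
    control costs more per year than the loss it avoids."""
    scored = [(c.name, rosi(risk.ale(), c.residual_ale, c.annual_cost)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def affordable(risk: Risk, control: Control) -> bool:
    """The page's budgeting rule: spend no more per year on a control than the ALE."""
    return control.annual_cost <= risk.ale()


if __name__ == "__main__":
    # Valuation of the e-commerce site (page figures: 2,000 per hour, 6 hours down)
    site_av = annual_value(2_000)
    print(f"site annual value {site_av:,.0f}; six-hour outage direct loss "
          f"{direct_loss(2_000, 6):,.0f}; indirect loss "
          f"{indirect_loss(site_av, 10_000, 0.001):,.0f}")

    # Web farm fire: AV 150,000, EF 25 percent, ARO once in ten years
    fire = Risk("Web farm fire", asset_value=150_000, exposure_factor=0.25, aro=0.1)
    low, high = fire.ale_range(0.05, 0.5)  # constructed ARO bounds
    print(f"{fire.name}: SLE {fire.sle():,.0f}, ALE {fire.ale():,.0f}, "
          f"ALE if the ARO is really 0.05..0.5: {low:,.0f}..{high:,.0f}")

    # Constructed candidate controls for the fire risk (names and figures assumed)
    candidates = [
        Control("automated fire suppression", annual_cost=2_500, residual_ale=500),
        Control("annual extinguisher inspection", annual_cost=300, residual_ale=3_000),
        Control("24x7 fire watch staff", annual_cost=60_000, residual_ale=100),
    ]
    for name, value in rank_controls(fire, candidates):
        flag = "" if affordable(fire, next(c for c in candidates if c.name == name)) else " (over ALE budget)"
        print(f"  {name}: ROSI {value:,.0f}/year{flag}")
```

The validation in Risk enforces the two points that are easy to get wrong in practice: the exposure factor is a fraction of the asset value, not a percentage, and the ARO is a frequency that may legitimately exceed 1. The ale_range check is the practical answer to the subjectivity of the inputs: if a control still shows a positive ROSI at the low end of the plausible ARO range, the decision is robust to the estimate.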

Results of the Quantitative Risk Analyses

The results of a quantitative risk analysis are clearly defined and expressed in monetary terms. The following items generally are derived from the results of the previous steps:

         Assigned monetary values for assets;

         A comprehensive list of significant threats;

         The probability of each threat occurring;

         The loss potential for the organisation on a per-threat basis over 12 months;

         Recommended safeguards, controls, and actions.

As can be seen from the above, all of these calculations are based on subjective estimates.

Key numbers that provide the basis for the results are not drawn from objective equations or well-defined actuarial datasets but rather from the opinions of those performing the assessment.

The AV, SLE, ARO, and cost of controls are all numbers that the participants themselves insert (after much discussion and compromise, typically).

The Security Practitioner

An Introduction to Information Security