Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.
Metrics for Risk Management
Quantitative assessments typically employ a set of methods, principles, or rules for assessing risk based on the use of numbers. This type of assessment most effectively supports cost–benefit analyses of alternative risk responses or courses of action.
Qualitative assessments typically employ a set of methods, principles, or rules for assessing risk based on nonnumeric categories or levels (e.g., very low, low, moderate, high, very high).
What Is Single-Loss Expectancy (SLE)?
Single-loss expectancy (SLE) must be calculated to provide an estimate of loss. SLE is defined as the difference between the original value and the remaining value of an asset after a single exploit. The formula for calculating SLE is as follows:
SLE = Asset Value (in $) x Exposure Factor (as a % of loss)
Losses are not limited to outright destruction of an asset: they can include the loss, theft, or alteration of data assets, or their unavailability through denial of service or a business continuity failure.
What Is an Exposure Factor (EF)?
The exposure factor is the percentage of an asset's value that would be lost if a specific threat were realized. It is an estimate, and it varies with the threat vector: the complete physical destruction of a building carries a far higher exposure factor for that asset than an external attack that compromises only part of the data held in it. Because EF is expressed as a percentage of asset value, the same asset can have a different SLE for each threat considered.
What Is Annualized Rate of Occurrence (ARO)?
Annualized rate of occurrence (ARO) is an estimate of how often a threat is expected to successfully exploit a vulnerability in a single year. It can be greater than one (several successful events per year) or a fraction of one: if an event is expected only once in several years, the ARO is the frequency divided by the number of years, so an event expected once every ten years has an ARO of 0.1. The calculation is as follows:
ARO= Frequency ÷ Years
What Is Annualized Loss Expectancy (ALE)?
With an ARO and an SLE identified, the annualized loss expectancy (ALE) can be calculated. The ALE is the product of the expected number of occurrences per year (ARO) and the loss from a single occurrence (SLE). The calculation is as follows:
ALE = ARO x SLE
Example:
ABC Corp. has been experiencing increased hacking activity as indicated by their firewall and IPS logs. The logs also indicate that they have experienced at least one successful breach in the last 30 days. Upon further analysis of the breach, the security team has reported to senior management that the dollar value impact of the breach appears to be $10,000.
Senior management has asked the security team to come up with a recommendation to fix the issues that led to the breach. The recommendation from the team is that the countermeasures required to address the root cause of the breach will cost $30,000. Senior management has asked you, as the Certified Cloud Security Professional, to evaluate the recommendation of the security team and ensure that the $30,000 expense to implement the countermeasures is justified.
Taking the $10,000 loss as the SLE and one breach per month as an ARO of 12, the annualized loss expectancy is 12 x $10,000 = $120,000, assuming the frequency of attack and the loss per breach stay constant. The $30,000 countermeasure would therefore pay for itself after three months of avoided losses and would prevent a further $10,000 of loss for each month after that, so it is a sound investment. Note that this conclusion also assumes the countermeasures eliminate the recurring breach; if they only reduce it, the figure to weigh against the $30,000 is the ALE before the control minus the ALE after it.
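The calculations above, carried through as an added worked example (this code is not from the original text): it implements SLE, ARO and ALE with the formulas given here, applies the ABC Corp. figures, and then runs the cost-benefit check of the proposed countermeasure. The Countermeasure class, its effectiveness and lifetime_years fields, and the "partial fix" comparison are assumptions introduced for illustration, not figures from the page; the example goes beyond the page's case by also handling a control that only partly reduces the loss.

```python
from dataclasses import dataclass
from typing import Optional


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF supplied as a fraction, 0.0 to 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(frequency: float, years: float) -> float:
    """ARO = Frequency / Years; also covers events rarer than once a year (ARO < 1)."""
    if years <= 0 or frequency < 0:
        raise ValueError("frequency must be >= 0 and years > 0")
    return frequency / years


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE."""
    return aro * sle


@dataclass
class Countermeasure:
    # Assumed structure for illustration; the text gives only a one-time cost.
    name: str
    cost: float                   # one-time implementation cost in dollars
    effectiveness: float          # fraction of the ALE the control removes (1.0 = eliminates it)
    lifetime_years: float = 1.0   # years over which the cost is amortized (assumption)

    def annual_cost(self) -> float:
        return self.cost / self.lifetime_years


@dataclass
class CostBenefit:
    ale_before: float
    ale_after: float
    annual_control_cost: float
    net_annual_benefit: float
    payback_months: Optional[float]   # None when the control never pays for itself


def evaluate(ale_before: float, control: Countermeasure) -> CostBenefit:
    """Cost-benefit check: (ALE before - ALE after) minus the annualized cost of the control."""
    if not 0.0 <= control.effectiveness <= 1.0:
        raise ValueError("effectiveness must be a fraction between 0 and 1")
    ale_after = ale_before * (1.0 - control.effectiveness)
    annual_cost = control.annual_cost()
    avoided_per_year = ale_before - ale_after
    net = avoided_per_year - annual_cost
    avoided_per_month = avoided_per_year / 12.0
    payback = control.cost / avoided_per_month if avoided_per_month > 0 else None
    return CostBenefit(ale_before, ale_after, annual_cost, net, payback)


def abc_corp_example() -> CostBenefit:
    """The ABC Corp. figures from the text: $10,000 per breach, one breach per 30 days,
    and a $30,000 countermeasure assumed to eliminate the recurring breach."""
    sle = 10_000.0   # the text reports the breach impact directly, so no EF step is needed
    aro = annualized_rate_of_occurrence(frequency=12, years=1)  # one breach a month, assumed to continue
    ale = annualized_loss_expectancy(aro, sle)                  # 12 x $10,000 = $120,000
    control = Countermeasure("root-cause fix", cost=30_000.0, effectiveness=1.0)
    return evaluate(ale, control)


if __name__ == "__main__":
    result = abc_corp_example()
    print(f"ALE before: ${result.ale_before:,.0f}, ALE after: ${result.ale_after:,.0f}")
    print(f"net annual benefit: ${result.net_annual_benefit:,.0f}, "
          f"payback in {result.payback_months:.1f} months")
    # Hypothetical comparison: the same $30,000 spent on a control that removes only 20%
    # of the loss does not justify its cost in the first year.
    partial = Countermeasure("partial fix", cost=30_000.0, effectiveness=0.2)
    print(f"partial fix net annual benefit: ${evaluate(120_000.0, partial).net_annual_benefit:,.0f}")
```

Running it reproduces the text's figures ($120,000 ALE, three-month payback, $90,000 net benefit in the first year) and shows that the same outlay on a control that only removes 20% of the loss comes out $6,000 negative for the year, which is why the ALE before and after the control, not the raw cost, is the number to put in front of management.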
Organizations can use the results of annualized loss expectancy calculations to determine the quantitative impact to an organization if an exploitation of a specific vulnerability were successful. In addition to the results of quantitative impact analysis, organizations should evaluate the results of qualitative impact analysis.