- Quantitative Risk Analysis – We want exactly enough security for our needs.
  - We find the asset’s value, how much of it is compromised, how much one incident will cost, how often the incident occurs, and how much that costs per year.
  - Asset Value (AV) – How much is the asset worth?
  - Exposure Factor (EF) – What percentage of the Asset Value is lost?
  - Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once?
  - Annual Rate of Occurrence (ARO) – How often will this happen each year?
  - Annualized Loss Expectancy (ALE) – (SLE x ARO) – What it costs per year if we do nothing.
  - Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing cost (normally operational).
- Laptop – Theft/Loss (unencrypted).
  - The laptop ($1,000) + PII ($9,000) per loss (AV).
  - It is a 100% loss; it is gone (EF).
  - Loss per laptop is $10,000 (AV) x 100% (EF) = $10,000 (SLE).
  - The organization loses 25 laptops per year (ARO).
  - The annualized loss is $250,000 (ALE).
- Data Center – Flooding
  - The Data Center is valued at $10,000,000 (AV).
  - If a flood happens, 15% of the DC is compromised (EF).
  - Loss per flood is $10,000,000 (AV) x 15% (EF) = $1,500,000 (SLE).
  - A flood happens every 4 years = 0.25 (ARO).
  - The annualized loss is $375,000 (ALE).
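
The two scenarios above, worked through in code, followed by the comparison of a mitigation's TCO against the ALE it removes. This is an added example, not part of the original notes; the encrypted-laptop exposure factor (10%, hardware only), the $50,000 yearly TCO and the names `Risk` and `safeguard_value` are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: Decimal      # AV, in dollars
    exposure_factor: Decimal  # EF, fraction of AV lost per incident (0 to 1)
    aro: Decimal              # ARO, incidents per year (0.25 = once every 4 years)

    def __post_init__(self):
        # Reject inputs that would silently produce a meaningless ALE.
        if not Decimal(0) <= self.exposure_factor <= Decimal(1):
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO must be non-negative")

    @property
    def sle(self) -> Decimal:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> Decimal:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def safeguard_value(before: Risk, after: Risk, annual_tco: Decimal) -> Decimal:
    """ALE removed by a mitigation minus its yearly TCO.

    A positive result means the control costs less than the loss it prevents.
    """
    return before.ale - after.ale - annual_tco


# The two scenarios from the notes.
laptop = Risk("Laptop theft/loss (unencrypted)", Decimal(10_000), Decimal("1.00"), Decimal(25))
flood = Risk("Data center flooding", Decimal(10_000_000), Decimal("0.15"), Decimal("0.25"))

# Constructed assumption: with disk encryption only the $1,000 hardware is lost,
# so EF drops to 10% of the $10,000 AV. The TCO figure is also constructed.
laptop_encrypted = Risk("Laptop theft/loss (encrypted)", Decimal(10_000), Decimal("0.10"), Decimal(25))
ENCRYPTION_TCO = Decimal(50_000)

if __name__ == "__main__":
    for r in (laptop, flood, laptop_encrypted):
        print(f"{r.name}: SLE=${r.sle:,.0f}  ALE=${r.ale:,.0f}")
    net = safeguard_value(laptop, laptop_encrypted, ENCRYPTION_TCO)
    print(f"Encryption net yearly value: ${net:,.0f}")
```
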