- Quantitative Risk Analysis – We want exactly enough security for our needs.
- We find the asset’s value, how much of it is compromised, how much one incident will cost, how often the incident occurs, and how much that is per year.
- Asset Value (AV) – How much is the asset worth?
- Exposure factor (EF) – Percentage of Asset Value lost?
- Single Loss Expectancy (SLE) – (AV x EF) – What does it cost if it happens once?
- Annual Rate of Occurrence (ARO) – How often will this happen each year?
- Annualized Loss Expectancy (ALE) – (SLE x ARO) – This is what it costs per year if we do nothing.
- Total Cost of Ownership (TCO) – The mitigation cost: upfront + ongoing cost (Normally Operational)
- Laptop – Theft/Loss (unencrypted).
- The Laptop ($1,000) + PII ($9,000) per loss (AV).
- It is a 100% loss; it is gone (EF).
- Loss per laptop is $10,000 (AV) x 100% (EF) = $10,000 (SLE)
- The organization loses 25 laptops per year (ARO)
- The annualized loss is $250,000 (ALE)
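
The laptop example carried one step further, as an added example that is not part of the original notes: it compares the ALE before and after a mitigation against that mitigation's TCO to decide whether the control pays for itself. The post-encryption EF of 10% and the $75,000 yearly TCO are constructed assumptions, as are the names `Risk` and `evaluate_control`.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Risk:
    asset_value: Decimal      # AV, in dollars
    exposure_factor: Decimal  # EF, fraction of AV lost per incident (0..1)
    aro: Decimal              # ARO, incidents per year

    def __post_init__(self):
        # Reject inputs that would silently produce a meaningless ALE.
        if not Decimal(0) <= self.exposure_factor <= Decimal(1):
            raise ValueError("EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> Decimal:
        return self.asset_value * self.exposure_factor  # SLE = AV x EF

    @property
    def ale(self) -> Decimal:
        return self.sle * self.aro                      # ALE = SLE x ARO


def evaluate_control(before: Risk, after: Risk, annual_tco: Decimal) -> dict:
    """Compare the ALE reduction a control buys against its yearly TCO."""
    reduction = before.ale - after.ale
    net = reduction - annual_tco
    return {"ale_before": before.ale, "ale_after": after.ale,
            "ale_reduction": reduction, "annual_tco": annual_tco,
            "net_benefit": net, "worth_it": net > 0}


# Figures from the notes: unencrypted laptop, AV $10,000, EF 100%, ARO 25.
unencrypted = Risk(Decimal("10000"), Decimal("1.0"), Decimal("25"))

# Constructed assumption: with disk encryption only the $1,000 hardware is
# lost, so EF drops to 10% of AV; the theft rate (ARO) does not change.
encrypted = Risk(Decimal("10000"), Decimal("0.10"), Decimal("25"))

# Constructed assumption: the control costs $75,000 per year (TCO).
result = evaluate_control(unencrypted, encrypted, Decimal("75000"))

if __name__ == "__main__":
    for key, value in result.items():
        print(f"{key:>14}: {value}")
```

A control whose yearly TCO exceeds the ALE reduction it buys comes out with a negative `net_benefit`, which is the "more security than we need" case.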