| Change | Date |
|---|---|
| Added cost/benefit analysis example updates and also added a cost/benefit analysis exercise | 17/04/23 |
| Added definitions for ‘safeguards’ and ‘countermeasures’ and included links for reference | 17/04/23 |
| Added more examples | 12/05/23 |
Cambridge Dictionary Definitions:
Countermeasure: an action that is designed to reduce the effect of something harmful – Source: https://dictionary.cambridge.org/dictionary/english/countermeasure
Safeguard: a law, rule, or something that is done to protect someone or something from harm or damage – Source: https://dictionary.cambridge.org/dictionary/english/safeguard
When we talk about Risk Management, it’s important that we understand what Quantitative Risk Analysis is and how it works. In this article, I will provide a few examples of quantitative risk analysis along with some exercises that you can do to gain a better understanding of how to calculate relevant figures in the context of quantitative risk analysis.
Before getting to the examples and exercises, let's take a moment to briefly understand what quantitative risk analysis is. There are many definitions and explanations out there already, so I won't reinvent the wheel here. Simply put, quantitative risk analysis quantifies the level of risk numerically, or by using probability as a metric. Aside from assigning values to the level of risk, it also assigns values to the cost of a potential loss and to the cost of the safeguards put in place to reduce that risk.
Assuming that we are focused on quantitative risk analysis for an organisation's assets, we first need to identify those assets and the potential risks associated with each asset. But this is only the start! There are a number of steps that need to be followed when working with quantitative risk analysis, as they allow you to calculate for various eventualities, as we will see in the examples and exercises later.
Quantitative Risk Analysis Steps
- Create an inventory of assets and assign a value to each asset. This value is known as the **Asset Value (AV)**
- Evaluate the possible threats associated with each asset to create an asset-threat pairing
- Calculate the **Exposure Factor (EF)** of each asset-threat pairing, in %
- Calculate the **Single Loss Expectancy (SLE)** for each asset-threat pair
- Calculate the **Annualised Rate of Occurrence (ARO)** by conducting a threat analysis against each threat, with the goal of understanding how likely each threat is to be realised within a single year
- Calculate the **Annualised Loss Expectancy (ALE)** to determine the potential annual loss for each threat if the threat was realised
- Identify the most suitable safeguards for each threat and then recalculate the EF, ARO and ALE
- Conduct a cost/benefit analysis of each safeguard for each asset-threat pairing so that you can decide on the best approach for each threat. Think of the ALE as the cost pre-safeguard and the **ALE2** as the cost post-safeguard. Comparing the ALE and the ALE2 gives the annual value of each safeguard
The terms in bold above are the cost functions associated with quantitative risk analysis. Let's briefly describe each cost function to better understand its purpose.
- Asset Value (AV): The £ value of each individual asset
- Exposure Factor (EF): The percentage of the asset's value that the organisation would lose if a risk was realised against that individual asset
- Single Loss Expectancy (SLE): The potential £ loss against an asset if the associated threat was realised
  - Calculation: SLE = AV * EF
- Annualised Rate of Occurrence (ARO): The frequency with which the threat or risk is expected to occur annually. The range starts at 0.0, which represents a threat that is never expected to occur, and increases with the expected frequency
- Annualised Loss Expectancy (ALE): The annual potential £ loss if a threat paired to an asset was realised
  - Calculation: ALE = AV * EF * ARO or ALE = SLE * ARO
- Annualised Loss Expectancy (ALE2) post-safeguard: The revised annual potential £ loss if a threat paired to an asset was realised after a safeguard has been implemented. The purpose of the ALE2 is to show the effectiveness of the safeguard for an asset-threat pair, the intention being to reduce the ARO as much as possible
- Annual Cost of Safeguard (ACS): The annual cost (monetary or otherwise) of the safeguard. Coupled with the ALE and ALE2, a cost/benefit calculation can be performed to determine the cost-effectiveness of a safeguard
  - Calculation: (ALE – ALE2) – ACS = safeguard benefit
Now that we have the basis down for understanding the cost functions, let's dive into a few examples.
Quantitative Risk Analysis Examples
Example One: Network Wizkid Technical Training Labs Scenario
Senior Leadership at Network Wizkid HQ are concerned about the risk of a fire breaking out in the Network Wizkid Technical Training Labs. The training labs are part of a brand new £500,000 community initiative, with 80% of the £500,000 funding allocated directly to the Network Wizkid Training Labs. While the relevant precautions were put in place when the labs were developed, experts have suggested that a fire could wipe out 20% of the facility if the risk of a fire was realised. Furthermore, based on the amount of equipment powered on in each lab, there is a 3% chance of a fire occurring once a year. Based on this information, calculate the SLE of the Network Wizkid Technical Training Labs to a fire.
Example One: Breakdown
- First we determine the asset and its value (AV). In this example the asset is the Network Wizkid Technical Training Labs facility and the value of the facility is £400,000. This value is derived from 80% of the £500,000
- Next we find the exposure factor (EF). In this example, experts have indicated that if the risk of a fire was realised, the Network Wizkid Technical Training Labs could see 20% of their labs wiped out. Therefore, 20% is the EF
- Lastly, we can now find the SLE from the AV and the EF. The answer to this example is shown below
```
SLE = EF - AV   OR   SLE = AV * EF
------------------------------------------------------------------------------------------------
(SLE) £80,000 = (EF) 20% - (AV) £400,000   OR   (SLE) £80,000 = (AV) £400,000 * (EF) 20%
```
Continuing with the same example, we can now calculate the ALE
- We can either take the ARO, which in this example is .3%, and multiply it by the SLE now that we know it (ALE = SLE * ARO), or take the ARO and multiply it by the EF and the AV (ALE = AV * EF * ARO). As with the previous math, we can also calculate the answer using subtraction; all ways are shown below
```
ALE = SLE * ARO   OR   ALE = AV * EF * ARO   OR   ALE = ARO - SLE   OR   ALE = EF - ARO - AV
------------------------------------------------------------------------------------------------
(ALE) £240 = (SLE) £80,000 * (ARO) .3%
OR (ALE) £240 = (AV) £400,000 * (EF) 20% * (ARO) .3%
OR (ALE) £240 = (ARO) .3% - (SLE) £80,000
OR (ALE) £240 = (EF) 20% - (ARO) .3% - (AV) £400,000
```
Based on our quantitative risk analysis so far, we have determined the Single Loss Expectancy (SLE), which is the loss the business would expect to incur if the fire risk was realised, and we have determined the Annualised Loss Expectancy (ALE), which is a £ value of what the organisation should expect to lose each time the risk is realised. The ALE is based on likelihood, so one should not assume that a fire will happen every year; the business should think of this as the average cost between fires. The ALE should only be used to determine the importance of an asset from a business continuity perspective.
Based on the SLE figures, the organisation can look for countermeasures that will help reduce the chance of the risk being realised. Usually at this point a cost/benefit analysis is performed to ensure that the cost of the countermeasure doesn't outweigh the asset's SLE if the risk or threat was ultimately realised.
Example One: Cost/Benefit Analysis
Using the same example, let's assume that the business has decided that a relevant safeguard for part of the building would be to implement a pre-action water suppression system. This type of system would reduce the ALE to £40 but would also result in a yearly maintenance cost of £150. From this information, we can calculate the cost/benefit of the intended safeguard with the following calculation, (ALE – ALE2) – ACS, as shown below.
```
(ALE - ALE2) - ACS = Benefit of safeguard
((ALE) £240 - (ALE2) £40) - (ACS) £150 = £50
```
With the safeguard in place, the business would reduce their ALE by £200 bringing the ALE (ALE2) to £40. The ACS annually was calculated at £150 and so the business would look to have an expenditure of £190 (ALE2 + ACS) which is £50 less than the value without the safeguard (ALE £240) and so in this example the safeguard makes financial sense as the business would reduce risk and save money. If the ACS outweighed the original ALE then it probably wouldn’t be a good idea to implement the safeguard.
To calculate the difference between the original ALE and the total annual cost with the safeguard in place (ALE2 + ACS), you can do the following calculation:
```
ALE - (ALE2 + ACS) = The difference between not having the safeguard and having the safeguard
```
Example Two: Natural Disaster Risk Scenario
The Network Wizkid HQ currently sits on a fault line and is therefore exposed to earthquakes. If an earthquake was to occur, it could damage the £5 million facility. Experts have advised that there is a 4% chance that an earthquake will occur each year. If an earthquake did occur it would completely destroy the Network Wizkid HQ. Existing building and contents insurance would cover 80% of the total value of the Network Wizkid HQ and its contents; however, the remaining 20% is the land value and therefore wouldn't be covered. What is the Single Loss Expectancy (SLE) of Network Wizkid HQ to earthquakes?
Example Two: Breakdown
Example two explores a slightly different scenario and focuses on a natural disaster. We are required to calculate the SLE, but in order to do so we first need to calculate the true value of Network Wizkid HQ. Let's break it down:
- Network Wizkid HQ has a valuation of £5 million; this is the Asset Value (AV). But as we continue to read through the scenario we come to realise that 80% of that value is attributed to the Network Wizkid HQ building and its contents, leaving 20% allocated to the land. In this scenario, we need to focus on the building and the contents only. So, first we need to calculate the true value of the building and its contents, and to do that we calculate the following:
```
Building & Contents AV = AV * 80% (Building & Contents share of AV)
```
- From this calculation we get the true AV of £4 million
```
£4 million (Building & Contents AV) = £5 million (AV) * 80% (Building & Contents share of AV)
```
Now that we know the true AV for the building and contents, we can calculate the SLE, because we already know the Exposure Factor (EF), which is 4%. We can use the following calculation to work out the SLE:
```
SLE = Building & Contents AV * EF
```
- From this calculation we can now determine the SLE, which is £160,000
```
£160,000 (SLE) = £4 million (Building & Contents AV) * 4% (EF)
```
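The cost functions defined earlier (AV, EF, SLE, ARO, ALE, ALE2, ACS and the cost/benefit formula) and the two worked examples, put together as a small Python calculator. This is an added example and not code from the article: the `AssetThreatPair` and `Safeguard` classes and the function names are my own, the figures are the article's (Example One uses the 0.3% ARO that the breakdown applies to reach £240; Example Two takes 80% of the £5 million valuation as the in-scope AV and the 4% figure the breakdown assigns as the EF), and the second candidate safeguard, "fire-rated partitioning", is constructed to show what a negative cost/benefit result looks like. `rank_safeguards` goes slightly beyond the page by scoring several candidate safeguards for one asset-threat pair at once, which is what the last step of the procedure asks you to do.

```python
# Added example (not from the article): the article's quantitative risk analysis cost
# functions as a small calculator, run against the figures from Example One and Example Two.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AssetThreatPair:
    """One asset-threat pairing with the inputs the cost functions need."""
    asset: str
    threat: str
    av: float    # Asset Value (AV) in £
    ef: float    # Exposure Factor (EF) as a fraction: 20% -> 0.20
    aro: float   # Annualised Rate of Occurrence (ARO): 0.3% per year -> 0.003

    def __post_init__(self) -> None:
        # EF is a share of the asset's value, so it must lie between 0 and 1. ARO is a
        # frequency and may exceed 1 (a threat realised several times in one year).
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError(f"EF must be a fraction between 0 and 1, got {self.ef}")
        if self.av < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.av * self.ef

    def ale(self) -> float:
        """Annualised Loss Expectancy: ALE = SLE * ARO (the same as AV * EF * ARO)."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate safeguard for one asset-threat pair."""
    name: str
    ale2: float  # revised ALE (ALE2) once the safeguard is in place, in £
    acs: float   # Annual Cost of Safeguard (ACS) in £


def safeguard_benefit(ale: float, sg: Safeguard) -> float:
    """Cost/benefit: (ALE - ALE2) - ACS. Positive means the safeguard pays for itself."""
    return (ale - sg.ale2) - sg.acs


def rank_safeguards(pair: AssetThreatPair, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Score every candidate against the pair's ALE, best benefit first.
    A negative benefit means the safeguard costs more each year than the loss it removes."""
    scored = [(sg.name, safeguard_benefit(pair.ale(), sg)) for sg in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def example_one() -> dict:
    """Example One from the article: the training labs facility vs. fire.
    AV = 80% of £500,000, EF = 20%, ARO = 0.3% (the value the breakdown actually uses)."""
    labs = AssetThreatPair("Technical Training Labs", "Fire", av=500_000 * 0.80, ef=0.20, aro=0.003)
    suppression = Safeguard("Pre-action water suppression", ale2=40, acs=150)
    # Constructed second candidate (not in the article): lowers the ALE further but costs
    # more than it saves, so its benefit comes out negative.
    partitioning = Safeguard("Fire-rated partitioning (constructed)", ale2=20, acs=260)
    ranking = rank_safeguards(labs, [suppression, partitioning])
    return {
        "SLE": labs.sle(),
        "ALE": labs.ale(),
        "benefit": safeguard_benefit(labs.ale(), suppression),
        "annual_cost_with_safeguard": suppression.ale2 + suppression.acs,  # ALE2 + ACS
        "best_candidate": ranking[0][0],
        "worst_benefit": ranking[-1][1],
    }


def example_two() -> dict:
    """Example Two from the article: HQ vs. earthquake. Only the building-and-contents
    share (80%) of the £5 million valuation is in scope; the breakdown then applies the
    4% figure as the EF. The yearly chance is not needed for the SLE question."""
    in_scope_av = 5_000_000 * 0.80
    hq = AssetThreatPair("Network Wizkid HQ", "Earthquake", av=in_scope_av, ef=0.04, aro=0.04)
    return {"in_scope_AV": in_scope_av, "SLE": hq.sle()}


if __name__ == "__main__":
    for label, result in (("Example One", example_one()), ("Example Two", example_two())):
        print(label)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

Percentages are passed as fractions (20% as 0.20), which avoids the easy mistake of multiplying by 20 instead of 0.2; the `__post_init__` check rejects an EF outside 0 to 1 so that a value typed as a percentage fails loudly instead of silently inflating the SLE.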
Quantitative Risk Analysis Exercises
Exercise One: WorldZ Corp
WorldZ Corp is an e-sports gaming company responsible for hosting the biggest e-sports competitions in the world. They are conducting a quantitative risk analysis on their hosting server and have brought in external consultants to help with the analysis. It has been determined by the senior leadership that the server in question is worth £100,000. External consultants have determined that this particular hosting server is a valid target for threat agents and have intelligence that a particular group of malicious actors are exploiting these types of servers and wiping all the data once they’ve stolen what they need. This could ultimately result in WorldZ Corp losing all of their hosting data, damaging their reputation and losing a massive chunk of revenue to name a few. Until these malicious actors are tracked down and caught, external consultants have predicted that the malicious group are 5% likely to initiate their attack per year.
What is the SLE for WorldZ Corp to the threat?
What is the ALE for WorldZ Corp?
Exercise One: Cost/Benefit Analysis
It has been determined that WorldZ Corp could tackle this risk by implementing a new Endpoint Detection Response (EDR) product on their hosting servers. The ALE would be reduced by 50% and the EDR subscription for the hosting server would cost £120 annually. Based on this information, answer the following questions.
- What is the value of ALE2?
- What is the value of ACS?
- What is the cost difference between having the safeguard to not having it?
Please share your answers and theory in the comments section
ISC2 Certified Information Systems Security Professional Official Study Guide