Risk analysis involves the following four steps:
- Identify the assets to be protected, including their relative value, sensitivity, or importance to the organization. This component of risk identification is asset valuation.
- Define specific threats, including threat frequency and impact data. This component of risk identification is threat analysis.
- Calculate Annualized Loss Expectancy (ALE). The ALE calculation is a fundamental concept in risk analysis.
- Select appropriate safeguards. This process is a component of both risk identification (vulnerability assessment) and risk control.
SLE × ARO = ALE

Here's an explanation of the elements in this formula:
- Single Loss Expectancy (SLE): A measure of the loss incurred from a single realized threat or event, expressed in dollars. You calculate the SLE with the formula Asset Value (AV) × Exposure Factor (EF). The Exposure Factor is a measure of the negative effect or impact that a realized threat or event would have on a specific asset, expressed as a percentage of the asset's value.
- Annualized Rate of Occurrence (ARO): The estimated frequency of occurrence for a threat or event, expressed as the number of occurrences per year. A threat expected once every ten years has an ARO of 0.1; one expected three times a year has an ARO of 3.
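As an added worked example (not code from the original page), the following Python carries the four steps through for one constructed asset and threat: it computes SLE and ALE from the definitions above, and then applies the standard safeguard cost-benefit figure (ALE before the safeguard, minus ALE after it, minus the annual cost of the safeguard), which the page refers to as cost-benefit analysis but does not spell out. The asset, threat, and safeguard figures and the function names are assumptions; the code represents EF as a fraction (0.60 for 60 percent) and rejects an EF outside 0 to 1 or a negative ARO, the two input errors that most often produce nonsense ALE values.

```python
"""Worked quantitative risk calculation (added example, not from the page):
SLE = AV x EF, ALE = SLE x ARO, plus a cost-benefit check for a safeguard.

Every dollar figure, EF, and ARO below is constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # asset value (AV), in dollars


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float  # EF as a fraction of AV lost per event (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year


def aro_from_interval(years_between_events: float) -> float:
    """Convert 'once every N years' into an ARO (events per year)."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE = Asset Value x Exposure Factor (dollars lost per event)."""
    if not 0.0 <= threat.exposure_factor <= 1.0:
        raise ValueError(f"EF must be a fraction between 0 and 1, got {threat.exposure_factor}")
    return asset.value * threat.exposure_factor


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = SLE x ARO (expected dollars lost per year)."""
    if threat.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset, threat) * threat.aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Standard cost-benefit figure: ALE(before) - ALE(after) - annual safeguard cost.
    Positive means the safeguard is expected to save more per year than it costs."""
    return ale_before - ale_after - annual_cost


def evaluate_safeguard(asset: Asset, threat: Threat,
                       residual_ef: float, annual_cost: float) -> dict:
    """Compare ALE with and without a safeguard that reduces EF to residual_ef.
    (Assumed model: the safeguard lowers impact, not frequency.)"""
    before = annualized_loss_expectancy(asset, threat)
    after = annualized_loss_expectancy(asset, replace(threat, exposure_factor=residual_ef))
    value = safeguard_value(before, after, annual_cost)
    return {
        "ale_before": before,
        "ale_after": after,
        "annual_cost": annual_cost,
        "value": value,
        "justified": value > 0,
    }


# Constructed inputs: a $250,000 file server facing a flood that would destroy
# 60% of its value, estimated to happen once every 10 years.
FILE_SERVER = Asset("file server", 250_000.0)
FLOOD = Threat("flood", exposure_factor=0.60, aro=aro_from_interval(10))

if __name__ == "__main__":
    sle = single_loss_expectancy(FILE_SERVER, FLOOD)
    ale = annualized_loss_expectancy(FILE_SERVER, FLOOD)
    print(f"SLE = ${sle:,.0f}; ARO = {FLOOD.aro}; ALE = ${ale:,.0f}")
    # Proposed safeguard (constructed): raised flooring and pumps at $4,000/year,
    # estimated to cut the flood EF from 60% to 10%.
    result = evaluate_safeguard(FILE_SERVER, FLOOD, residual_ef=0.10, annual_cost=4_000.0)
    for key, val in result.items():
        print(f"{key}: {val}")
```

With these inputs the SLE is $150,000, the ALE $15,000 per year, and the $4,000-per-year safeguard brings the ALE down to $2,500, so its net value is $8,500 per year and it is justified; raise the annual cost to $20,000 and the same safeguard becomes a net loss. The quality of the result depends entirely on the EF and ARO estimates, which is the point the qualitative-versus-quantitative discussion that follows makes about assumptions.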
Qualitative risk analysis
Qualitative risk analysis is more subjective than quantitative risk analysis; unlike quantitative risk analysis, this approach can be purely qualitative and avoid specific numbers altogether. The challenge of such an approach is developing realistic scenarios that describe actual threats and potential losses to organizational assets.

Advantages of a qualitative risk analysis, compared with quantitative risk analysis, include the following:
- No complex calculations are required.
- Time and work effort involved is relatively low.
- Volume of input data required is relatively low.
Disadvantages of a qualitative risk analysis, compared with quantitative risk analysis, include the following:
- No financial costs are defined; therefore, cost-benefit analysis isn't possible.
- The qualitative approach relies more on assumptions and guesswork.
- Generally, qualitative risk analysis can't be automated.
- Qualitative analysis is less easily communicated. (Executives seem to understand "This will cost us $3 million over 12 months" better than "This will cause an unspecified loss at an undetermined future date.")
Quantitative risk analysis
A quantitative risk analysis attempts to assign objective numeric values (costs) to the components (assets and threats) of the risk analysis. A fully quantitative risk analysis requires all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability, to be measured and assigned numeric values.
Advantages of a quantitative risk analysis, compared with qualitative risk analysis, include the following:
- Financial costs are defined; therefore, cost-benefit analysis can be determined.
- More concise, specific data supports analysis; thus fewer assumptions and less guesswork are required.
- Analysis and calculations can often be automated.
- Specific quantifiable results are easier to communicate to executives and senior-level management.
Disadvantages of a quantitative risk analysis, compared with qualitative risk analysis, include the following:
- Results are only as good as the input estimates (asset values, exposure factors, and rates of occurrence); human bias in those estimates skews the results.
- Many complex calculations are usually required.
- Time and work effort involved is relatively high.
- Volume of input data required is relatively high.
- Some assumptions are required.