Quantitative analysis

Quantitative analysis focuses on hard, measurable data, as opposed to qualitative assessment, which rests on the judgment of the individuals conducting the assessment. A quantitative assessment uses mathematical calculations to express risk in terms of financial loss, which is very useful when seeking buy-in from business leaders for financial support of an information security initiative.

Quantitative assessment has the benefit of being based on measurable data, which greatly helps the information security professional deliver a precise risk score built from mission-specific information drawn from your organization's business units. Because risk is expressed in terms of money, it is easier for your organization's executive leadership to determine the following:

  • What would the cost be per year for a given risk?
  • Is a given security control worth the cost, considering the cost of the risk exposure?

To conduct a quantitative risk assessment, you need to understand a few new concepts and gather the related information from your organization, as follows:

  • Single Loss Expectancy (SLE): The money the organization will lose if a specific incident occurs one time. It has two factors:
    • Asset value: The value of the asset to the organization
    • Exposure factor: The portion of the asset value that would be lost because of a given threat
  • Annual Rate of Occurrence (ARO): The number of times a specific incident is expected to occur within the organization in a year
  • Annual Loss Expectancy (ALE): Once you know your SLE and ARO, the annual loss expectancy is the money your organization would expect to lose to that incident over a single year

ALE is the risk value produced by the quantitative assessment.
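The following is an added worked example, not code from the original text. It carries the SLE, ARO and ALE definitions above through in Python and then answers the second leadership question (is a control worth its cost?) with the usual net-benefit comparison: ALE before the control, minus ALE after it, minus the control's yearly cost. That comparison, the scenario names, the helper names and every dollar figure are assumptions constructed for the example.

```python
"""Quantitative risk assessment worked example (added illustration, not from the source).

SLE = asset value x exposure factor
ALE = SLE x ARO
Control net benefit = ALE(before) - ALE(after) - annual cost of the control
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Money lost if the incident happens once: asset value times the fraction exposed."""
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    # Exposure factor is a fraction of the asset; anything outside 0..1 is a data-entry error.
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """Expected yearly loss. ARO may be fractional: 0.1 means roughly once in ten years."""
    if aro < 0:
        raise ValueError("annual rate of occurrence must be non-negative")
    return sle * aro


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, with the inputs the business units supply."""
    name: str
    asset_value: float     # dollars
    exposure_factor: float # fraction of the asset lost per incident
    aro: float             # expected incidents per year

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(self.sle, self.aro)


def control_net_benefit(before: RiskScenario, after: RiskScenario,
                        annual_control_cost: float) -> float:
    """Yearly value of a control: risk removed minus what the control costs to run.
    A positive result means the control is cheaper than the exposure it eliminates.
    (Assumed cost-benefit form; the source text only poses the question.)"""
    if annual_control_cost < 0:
        raise ValueError("control cost must be non-negative")
    return before.ale - after.ale - annual_control_cost


# Constructed figures: a customer database the business values at $500,000,
# a breach expected about once every two years that exposes a quarter of that value.
BASELINE = RiskScenario("database breach, no added control", 500_000, 0.25, 0.5)
# Same asset and incident rate after a hypothetical control (encrypted backups)
# that cuts the portion of value lost per incident to 5 percent.
WITH_CONTROL = RiskScenario("database breach, encrypted backups", 500_000, 0.05, 0.5)
CONTROL_COST_PER_YEAR = 30_000


def assessment_summary(before: RiskScenario, after: RiskScenario,
                       annual_control_cost: float) -> dict:
    """Numbers an executive would ask for, in one place."""
    return {
        "sle_before": before.sle,
        "ale_before": before.ale,
        "sle_after": after.sle,
        "ale_after": after.ale,
        "control_cost": annual_control_cost,
        "net_benefit": control_net_benefit(before, after, annual_control_cost),
    }


if __name__ == "__main__":
    summary = assessment_summary(BASELINE, WITH_CONTROL, CONTROL_COST_PER_YEAR)
    for key, value in summary.items():
        print(f"{key:>13}: ${value:,.2f}")
    verdict = "worth its cost" if summary["net_benefit"] > 0 else "not worth its cost"
    print(f"Control is {verdict} on a pure ALE basis.")
```

With the constructed figures the baseline ALE is $62,500 per year; the control drops it to $12,500 and costs $30,000 a year, so it returns $20,000 a year in avoided loss. The same functions work for any asset once the business units supply the three inputs, and the range checks catch the most common spreadsheet mistake, an exposure factor entered as a percentage (25) instead of a fraction (0.25).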