Selecting a Methodology Based on Assessment Needs

Once the elements have been individually identified and evaluated, the associated risk needs to be calculated. The two primary methodologies that can be used are:

  • Quantitative risk assessment
  • Qualitative risk assessment

Quantitative Method

The quantitative method uses predefined formulas. The collected data is used to identify the following values:

  • Exposure factor (EF)—The EF is the fraction of an asset's value that would be lost if a threat is realized. It is expressed as a percentage, such as 25 percent, or as a decimal, such as .25.
  • Single loss expectancy (SLE)—The SLE is the expected loss for any single incident. It is expressed in monetary terms, such as $1,000. The asset value (AV) multiplied by the EF equals the SLE.
  • Annual rate of occurrence (ARO)—The ARO is the number of times the loss is expected to occur each year. For example, the risk may have occurred four times last year, so the ARO is four.
  • Annual loss expectancy (ALE)—The ALE can be calculated as SLE × ARO. For example, the ALE would be $1,000 × 4, or $4,000.
  • Safeguard or control value—This value is the cost of the control and is expressed in monetary terms.

A control is implemented to reduce a risk. It does this by lowering the ARO (the loss happens less often), by lowering the SLE (each loss costs less because the EF or the exposed AV is smaller), or both. If the ARO was four before the control, the ARO should be less than four after the control. The cost of the control is then compared to the savings.

For example, a website generates revenue of $5,000 an hour. In the past two years, it has suffered two hard drive failures: each year, one of the several hard drives in the system has failed. Each failure has resulted in about three hours of downtime, and each replacement drive cost about $300. What are the SLE, ARO, and ALE?

  • The SLE is $15,300. The calculation is $5,000 × 3 hours of lost revenue for the outage, plus $300 for the replacement drive. In terms of the formula, the AV is $15,300 (what the business stands to lose in one incident) and the EF is 1 (100 percent exposure to the threat), so the SLE is 1 × $15,300.
  • The ARO is 1. Historically, the outage has occurred once a year. If steps are not taken to reduce the risk, it will likely occur once each year.
  • The ALE is $15,300. The calculation is $15,300 × 1.

This example doesn’t include intangible costs. For example, a customer who visited the website when it was down may never come back. The cost to get this customer back or to get another customer is an intangible cost.

The decision may be made that a hardware redundant array of independent disks (RAID) can eliminate this risk. A hardware RAID that costs $3,000 is identified. It includes several disk drives. If any single drive fails, the RAID detects the failure and automatically recovers, so the failure of one drive no longer takes the whole system down. The RAID changes the ARO of the outage from 1 to 0; a drive will still fail about once a year, but the only loss from that event is the replacement drive.

Is it cost effective to implement this RAID? This determination can be made by comparing three pieces of information:

  • ALE before control—$15,300
  • Cost of control—$3,000
  • ALE after control—$300, resulting in a savings of $15,000. A hard drive in the RAID might still fail, which would still result in a cost of $300 for the replacement hard drive. However, the RAID would prevent the outage.

If the cost of the control is less than the savings it produces (the ALE before the control minus the ALE after the control), the cost is justified. In other words, $3,000 is being spent to save $15,000, which results in a net savings of $12,000.

On the other hand, if the cost of the control was $50,000, the cost would not be justified based on the existing data: $50,000 would be spent to save $15,000 a year, a net loss of $35,000 in the first year. If the cost of the control is close to the savings, the return on investment can also be calculated over several years; in this case the $50,000 control would pay for itself only after more than three years. Note that the ALE is also affected by the EF and the AV, because both factors determine the SLE, and the SLE multiplied by the ARO equals the ALE. A control that lowers the EF or the AV therefore reduces the ALE just as one that lowers the ARO does.
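The following Python module carries the quantitative calculations above through in code. It is an added example, not part of the original text. The website scenario (AV $15,300, EF 1, ARO 1, a $3,000 RAID that leaves a $300 residual loss) comes from the text; the $50,000 alternative, the recurring-cost field, the payback-period calculation, and the control ranking are added to show how the same formulas support a multi-year comparison of several candidate controls.

```python
"""Quantitative risk assessment: SLE, ALE and control cost-benefit.

Added worked example, not from the original text. Risk values are the
website scenario from the text; the $50,000 control, the annual_cost field
and the multi-year comparison are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    asset_value: float      # AV: what a single incident puts at stake, in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident (0.0 to 1.0)
    aro: float              # ARO: expected number of incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    purchase_cost: float  # one-time cost of the safeguard
    annual_cost: float    # recurring cost (support, licensing); 0 if none
    residual: Risk        # the risk that remains once the control is in place


def annual_savings(before: Risk, control: Control) -> float:
    """Reduction in ALE the control delivers each year (ALE before - ALE after)."""
    return before.ale() - control.residual.ale()


def control_value(before: Risk, control: Control, years: int = 1) -> float:
    """Net value over `years`: total savings minus purchase and recurring costs.

    A positive result means the control is justified over that horizon.
    """
    savings = annual_savings(before, control) * years
    return savings - control.purchase_cost - control.annual_cost * years


def payback_years(before: Risk, control: Control) -> Optional[float]:
    """Years until cumulative net savings repay the purchase cost; None if never."""
    net_per_year = annual_savings(before, control) - control.annual_cost
    if net_per_year <= 0:
        return None
    return control.purchase_cost / net_per_year


def rank_controls(before: Risk, controls: list[Control],
                  years: int = 1) -> list[tuple[str, float]]:
    """Order candidate controls by net value over the horizon, best first."""
    scored = [(c.name, control_value(before, c, years)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Scenario from the text: $5,000/hour revenue, 3-hour outage, $300 drive, once a year.
WEBSITE_OUTAGE = Risk(asset_value=5_000 * 3 + 300, exposure_factor=1.0, aro=1.0)

# With the RAID the outage no longer happens; a $300 drive replacement still does.
RAID = Control("hardware RAID", purchase_cost=3_000, annual_cost=0,
               residual=Risk(asset_value=300, exposure_factor=1.0, aro=1.0))

# Constructed alternative: same residual risk, but a $50,000 price tag.
EXPENSIVE = Control("expensive alternative", purchase_cost=50_000, annual_cost=0,
                    residual=RAID.residual)

if __name__ == "__main__":
    print(f"SLE ${WEBSITE_OUTAGE.sle():,.0f}  ALE ${WEBSITE_OUTAGE.ale():,.0f}")
    for c in (RAID, EXPENSIVE):
        print(f"{c.name}: 1-year value ${control_value(WEBSITE_OUTAGE, c):,.0f}, "
              f"4-year value ${control_value(WEBSITE_OUTAGE, c, years=4):,.0f}, "
              f"payback {payback_years(WEBSITE_OUTAGE, c):.1f} years")
```

Running the module reproduces the figures in the text (SLE and ALE of $15,300, a net savings of $12,000 for the RAID, a $35,000 first-year loss for the $50,000 alternative) and adds the payback period, which is what a practitioner actually quotes when a control's cost is close to its savings.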

NOTE

The mean time between failures (MTBF) gives a reliability estimate for hard drives. RAID hard drives often have a higher MTBF than standard hard drives. For simplicity, the ALE after control calculation assumes all the drives have the same MTBF.

Qualitative Method

When the actual costs aren't available or aren't easy to calculate, a qualitative methodology can be used instead. A qualitative methodology uses the opinions of experts to determine two primary data points:

  • Probability—The likelihood that the risk will occur. It can be expressed in words, such as low, medium, or high. It can also be expressed in a percentage, such as 10 percent, 50 percent, or 100 percent.
  • Impact—Identifies the magnitude of the loss if the risk occurs. It can be expressed in words, such as low, medium, or high. It can also be expressed as a number in a range, such as 1 to 10 or 1 to 100.

The probability and impact allow the risks to be ranked. This ranking allows prioritizing the most and least important risks.

In this example, buffer overflow attacks, SQL injection attacks, and web defacing for a web server are being evaluated. Experts have provided the data shown in TABLE 6-2, based on the current controls protecting the server.

TABLE 6-2 Qualitative Analysis Survey with Existing Controls

  Risk                     Probability    Impact
  Buffer overflow          10%            50
  SQL injection attacks    75%            90
  Web defacing             25%            25

(Values as used in the risk score calculations that follow.)

Each of these risks can be prioritized:

  • Buffer overflow—Risk score of 5. The calculation is .10 (10 percent probability) × 50 (impact).
  • SQL injection attacks—Risk score of 67.5. The calculation is .75 × 90.
  • Web defacing—Risk score of 6.25. The calculation is .25 × 25.

The information in Table 6-2 clearly shows that the highest risk based on current controls is from SQL injection attacks. Now, controls to mitigate this risk can be identified.

Then, the experts can be queried to identify the controls that will provide the best gain. A similar survey can be used that identifies the probability and impact of a risk after implementation of a control.
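The scoring and ranking described above, with a before-and-after comparison of two surveys, as an added Python example that is not part of the original text. The three risks and their scores match Table 6-2; the word-to-number mappings for surveys answered as low/medium/high and the post-control survey (which assumes a control that lowers the probability of SQL injection) are constructed assumptions.

```python
"""Qualitative risk scoring: probability x impact, ranked, before and after a control.

Added worked example, not from the original text. The three web server risks
and their scores follow Table 6-2; PROBABILITY_WORDS, IMPACT_WORDS and the
post-control survey are constructed assumptions.
"""

# Assumed mappings for surveys that answer in words rather than numbers.
PROBABILITY_WORDS = {"low": 0.10, "medium": 0.50, "high": 1.00}
IMPACT_WORDS = {"low": 25, "medium": 50, "high": 90}   # on a 1-100 scale


def to_probability(value) -> float:
    """Normalize 'high', '75%', 75 or 0.75 to a fraction between 0 and 1."""
    if isinstance(value, str):
        text = value.strip().lower()
        if text in PROBABILITY_WORDS:
            return PROBABILITY_WORDS[text]
        value = float(text.rstrip("%"))
    prob = float(value)
    if prob > 1.0:                 # given as a percentage, e.g. 75 or "75%"
        prob /= 100.0
    if not 0.0 <= prob <= 1.0:
        raise ValueError(f"probability out of range: {value!r}")
    return prob


def to_impact(value, scale: int = 100) -> float:
    """Normalize 'high' or a number on a 1..scale range to a float."""
    if isinstance(value, str):
        text = value.strip().lower()
        if text in IMPACT_WORDS:
            return float(IMPACT_WORDS[text])
        value = float(text)
    impact = float(value)
    if not 0.0 <= impact <= scale:
        raise ValueError(f"impact out of range: {value!r}")
    return impact


def risk_score(probability, impact) -> float:
    """Qualitative risk score = probability x impact, rounded for reporting."""
    return round(to_probability(probability) * to_impact(impact), 2)


def rank_risks(survey: dict) -> list[tuple[str, float]]:
    """Score every risk in a {name: (probability, impact)} survey, highest first."""
    scored = [(name, risk_score(p, i)) for name, (p, i) in survey.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def control_gain(before: dict, after: dict) -> dict[str, float]:
    """Score reduction per risk between two surveys taken before and after a control."""
    return {name: round(risk_score(*before[name]) - risk_score(*after[name]), 2)
            for name in before if name in after}


# Table 6-2 values for the web server with existing controls, deliberately in
# mixed forms (percentage string, decimal, whole number) to exercise the parsers.
EXISTING_CONTROLS = {
    "buffer overflow": ("10%", 50),
    "SQL injection": (0.75, 90),
    "web defacing": (25, 25),
}

# Constructed follow-up survey: experts rate SQL injection probability "low"
# after a hypothetical control is added; impact and the other risks are unchanged.
AFTER_SQLI_CONTROL = {
    "buffer overflow": ("10%", 50),
    "SQL injection": ("low", 90),
    "web defacing": (25, 25),
}

if __name__ == "__main__":
    for name, score in rank_risks(EXISTING_CONTROLS):
        print(f"{name:16s} {score:6.2f}")
    print("gain from control:", control_gain(EXISTING_CONTROLS, AFTER_SQLI_CONTROL))
```

Ranking the first survey puts SQL injection at 67.5, far ahead of web defacing (6.25) and buffer overflow (5.0); the second survey shows the gain from a control that moves the probability of SQL injection to "low", which is the comparison the experts are asked to supply when choosing between candidate controls.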
