What Is Risk Analysis?
Risk analysis is a part of the risk assessment process (itself a stage of the risk management process) which involves evaluating potential risks to determine their impact and their likelihood of occurring.
Below I have made a list of the steps in the risk management process and some of the processes that take place. This may make it easier to understand where everything fits in with context.
Risk Management:
- Identify threats (threat modelling).
- Risk Assessment (risk framing, risk analysis).
- Risk Mitigation (risk avoidance, risk transfer, risk reduction, risk acceptance).
- Monitoring risk.
In this post, we will be focusing on quantitative risk analysis, which is a type of risk analysis that assigns numerical values to risk. This is in contrast to qualitative risk analysis which assigns subjective assessments. We will use this quantitative risk analysis approach to evaluate and assess whether or not a safeguard should be employed in order to mitigate the risk, considering business objectives and security.
Calculating SLE (Single Loss Expectancy)
SLE (Single Loss Expectancy) = AV (Asset Value) * EF (Exposure Factor)
Single Loss Expectancy (SLE) is the loss incurred due to the realisation of a threat represented as a monetary value.
Asset Value (AV) is the monetary value of an asset.
Exposure Factor (EF) is the percentage of loss a realised threat can cause to an asset.
Calculating ALE (Annualised Loss Expectancy)
ALE (Annualised Loss Expectancy) = SLE (Single Loss Expectancy) * ARO (Annualised Rate of Occurrence)
Annualised Loss Expectancy (ALE) is the loss the company expects to incur per year due to the threat.
Annualised Rate of Occurrence (ARO) is the expected number of times this threat is realised yearly.
Calculating the Value of a Safeguard (Risk Mitigation Solution)
We calculate the value of a safeguard in order to determine whether or not applying it will earn or lose the business money.
SLEafterSafeguard = AV × EFafterSafeguard
ALEbeforeSafeguard = SLEbeforeSafeguard × ARObeforeSafeguard
ALEafterSafeguard = SLEafterSafeguard × AROafterSafeguard
ValueofSafeguard = ALEbeforeSafeguard − ALEafterSafeguard − AnnualCostSafeguard
The value of the safeguard should be positive in order for it to be effective as it represents the gain or loss of money after the safeguard has been applied.
How to Calculate Easily
The following is a list of the information you need:
- AV
- EFbeforeSafeguard
- EFafterSafeguard
- SLEbeforeSafeguard
- SLEafterSafeguard
- ALEbeforeSafeguard
- ALEafterSafeguard
- ARObeforeSafeguard
- AROafterSafeguard
- AnnualSafeguardCost
SafeguardValue = ALEbeforeSafeguard − ALEafterSafeguard − AnnualSafeguardCost
First note down all the information and then just follow these steps:
- Calculate SLEbeforeSafeguard.
- Calculate SLEafterSafeguard.
- Calculate ALEbeforeSafeguard.
- Calculate ALEafterSafeguard.
- Calculate SafeguardValue.
Automate It!
Here’s a quick script I made in Python to automate the process of calculating the value of the safeguard. I know it doesn’t account for a lot of use cases, however I just made this as an example:
If you want to use this script, here it is so you can copy and paste:
```python
# Quick safeguard-value calculator (uses the same ARO before and after the safeguard).
AV = float(input("Enter the asset value: "))
EFbefore = float(input("Enter the exposure factor(%): "))
ARO = float(input("Enter the annual rate of occurrence: "))
SafeguardCost = float(input("Enter the annual cost of the safeguard: "))
EFafter = float(input("Enter the exposure factor after the safeguard (%): "))

# SLE = AV * EF (EF is entered as a percentage, so divide by 100)
SLEbefore = AV * (EFbefore / 100)
SLEafter = AV * (EFafter / 100)

# ALE = SLE * ARO
ALEbefore = SLEbefore * ARO
ALEafter = SLEafter * ARO

# Value of the safeguard = ALEbefore - ALEafter - annual cost of the safeguard
SafeguardValue = ALEbefore - ALEafter - SafeguardCost

if SafeguardValue > 0:
    print("Approve control.")
elif SafeguardValue < 0:
    print("Reject control.")
else:
    print("There is no gain or loss.")
```
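As an added example (not the script from this post), here is a version that follows the safeguard formulas above in full, with a separate AROafterSafeguard, and ranks several candidate safeguards against the same threat; the asset value, exposure factors, AROs and costs are constructed figures, not from the post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    ef_after: float     # exposure factor after the safeguard, in percent
    aro_after: float    # annualised rate of occurrence after the safeguard
    annual_cost: float  # annual cost, in the same currency as the asset value


def sle(av: float, ef_percent: float) -> float:
    """SLE = AV * EF, with EF given as a percentage (0-100)."""
    if not 0 <= ef_percent <= 100:
        raise ValueError("exposure factor must be between 0 and 100 percent")
    return av * (ef_percent / 100)


def ale(av: float, ef_percent: float, aro: float) -> float:
    """ALE = SLE * ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle(av, ef_percent) * aro


def safeguard_value(av: float, ef_before: float, aro_before: float, sg: Safeguard) -> float:
    """ValueofSafeguard = ALEbeforeSafeguard - ALEafterSafeguard - AnnualCostSafeguard."""
    return ale(av, ef_before, aro_before) - ale(av, sg.ef_after, sg.aro_after) - sg.annual_cost


def decide(value: float) -> str:
    """Positive value: the safeguard saves money; negative: it costs more than it saves."""
    if value > 0:
        return "approve"
    if value < 0:
        return "reject"
    return "no gain or loss"


def rank_safeguards(av, ef_before, aro_before, candidates):
    """Return (name, value) pairs, best first, so the most valuable option can be chosen."""
    scored = [(sg.name, safeguard_value(av, ef_before, aro_before, sg)) for sg in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample figures (hypothetical): a server worth 200,000 with a 40%
# exposure factor and two expected incidents a year, and three candidate safeguards.
AV, EF_BEFORE, ARO_BEFORE = 200_000, 40, 2
CANDIDATES = [
    Safeguard("Web application firewall", ef_after=10, aro_after=2, annual_cost=30_000),
    Safeguard("Offsite backups", ef_after=40, aro_after=0.5, annual_cost=50_000),
    Safeguard("High-end appliance", ef_after=5, aro_after=0.5, annual_cost=200_000),
]

if __name__ == "__main__":
    for name, value in rank_safeguards(AV, EF_BEFORE, ARO_BEFORE, CANDIDATES):
        print(f"{name}: value {value:,.0f} -> {decide(value)}")
```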
Conclusion
I was inspired to write a bit after doing some TryHackMe this morning. I have been learning a lot these days and enjoying it very much!
Until the next one 🙂