Quantitative Risk Analysis

What Is Risk Analysis?

Risk analysis is a part of the risk assessment process (itself a stage of the risk management process) that evaluates potential risks to determine their impact and their likelihood of occurring.

Below I have made a list of the steps in the risk management process and some of the activities that take place in each. This should make it easier to see where everything fits in.

Risk Management:

  1. Identify threats (threat modelling).
  2. Risk Assessment (risk framing, risk analysis).
  3. Risk Mitigation (risk avoidance, risk transfer, risk reduction, risk acceptance).
  4. Monitoring risk.

In this post, we will be focusing on quantitative risk analysis, which is a type of risk analysis that assigns numerical values to risk. This is in contrast to qualitative risk analysis, which uses subjective ratings instead. We will use the quantitative approach to evaluate whether or not a safeguard should be employed in order to mitigate a risk, considering both business objectives and security.

Calculating SLE (Single Loss Expectancy)

SLE (Single Loss Expectancy) = AV (Asset Value) * EF (Exposure Factor)

Single Loss Expectancy (SLE) is the loss incurred from a single realisation of a threat, expressed as a monetary value.

Asset Value (AV) is the monetary value of an asset.

Exposure Factor (EF) is the percentage of an asset's value that is lost when a threat is realised.

Calculating ALE (Annualised Loss Expectancy)

ALE (Annualised Loss Expectancy) = SLE (Single Loss Expectancy) * ARO (Annualised Rate of Occurrence)

Annualised Loss Expectancy (ALE) is the loss the company expects to incur per year due to the threat.

Annualised Rate of Occurrence (ARO) is the expected number of times this threat is realised yearly.

Calculating the Value of a Safeguard (Risk Mitigation Solution)

We calculate the value of a safeguard in order to determine whether or not applying it will earn or lose the business money.

SLEafterSafeguard = AV × EFafterSafeguard

ALEbeforeSafeguard = SLEbeforeSafeguard × ARObeforeSafeguard

ALEafterSafeguard = SLEafterSafeguard × AROafterSafeguard

ValueofSafeguard = ALEbeforeSafeguard − ALEafterSafeguard − AnnualCostSafeguard

The value of the safeguard should be positive for it to be worth applying, since it represents the money gained or lost per year once the safeguard is in place.

How to Calculate Easily

The following is a list of the information you need:

  • AV
  • EFbeforeSafeguard
  • EFafterSafeguard
  • SLEbeforeSafeguard
  • SLEafterSafeguard
  • ALEbeforeSafeguard
  • ALEafterSafeguard
  • ARObeforeSafeguard
  • AROafterSafeguard
  • AnnualSafeguardCost

SafeguardValue = ALEbeforeSafeguard − ALEafterSafeguard − AnnualSafeguardCost

First note down all the information and then just follow these steps:

  1. Calculate SLEbeforeSafeguard.
  2. Calculate SLEafterSafeguard.
  3. Calculate ALEbeforeSafeguard.
  4. Calculate ALEafterSafeguard.
  5. Calculate SafeguardValue.
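The five steps above carried through in Python, as an added example (my own code, not the script from the original post). The asset, exposure factors, rates and costs are constructed sample figures; the example goes a little further than the steps by letting the ARO change after the safeguard, rejecting an out-of-range EF, and ranking several candidate safeguards against each other.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    """One threat against one asset, as it stands before or after a safeguard."""
    av: float   # Asset Value (money)
    ef: float   # Exposure Factor as a fraction, 0.0 .. 1.0 (40% -> 0.40)
    aro: float  # Annualised Rate of Occurrence (times per year)

    def __post_init__(self):
        if not 0.0 <= self.ef <= 1.0 or self.av < 0 or self.aro < 0:
            raise ValueError("EF must be 0..1; AV and ARO cannot be negative")

    def sle(self) -> float:
        return self.av * self.ef      # SLE = AV * EF

    def ale(self) -> float:
        return self.sle() * self.aro  # ALE = SLE * ARO

def safeguard_value(before: Exposure, after: Exposure, annual_cost: float) -> float:
    """SafeguardValue = ALEbefore - ALEafter - AnnualSafeguardCost."""
    return before.ale() - after.ale() - annual_cost

def decide(value: float) -> str:
    if value > 0:
        return "Approve control."
    if value < 0:
        return "Reject control."
    return "There is no gain or loss."

def best_safeguard(before: Exposure, candidates: dict) -> tuple:
    """candidates = {name: (exposure after, annual cost)}; returns (name, value) of the best."""
    values = {n: safeguard_value(before, a, c) for n, (a, c) in candidates.items()}
    return max(values.items(), key=lambda item: item[1])

# Constructed sample: a customer database valued at 200,000 exposed to ransomware.
BEFORE = Exposure(av=200_000, ef=0.40, aro=2.0)  # ALE before = 160,000 per year
CANDIDATES = {  # name: (exposure after the safeguard, annual cost of the safeguard)
    "offline backups": (Exposure(200_000, 0.10, 2.0), 15_000),       # cuts EF: value 105,000
    "EDR and training": (Exposure(200_000, 0.40, 0.5), 30_000),      # cuts ARO: value 90,000
    "policy document only": (Exposure(200_000, 0.40, 2.0), 5_000),   # changes nothing: -5,000
}

if __name__ == "__main__":
    for name, (after, cost) in CANDIDATES.items():
        v = safeguard_value(BEFORE, after, cost)
        print(f"{name:22s} value={v:>10,.0f}  {decide(v)}")
    print("best:", best_safeguard(BEFORE, CANDIDATES))
```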

Automate It!

Here’s a quick script I made in Python to automate the process of calculating the value of the safeguard. I know it doesn’t account for a lot of use cases, however I just made this as an example:

[Screenshot: the Python script in IDLE]
[Screenshot: the output of the Python script]

If you want to use this script, here it is so you can copy and paste:

# All values are read as text and converted to numbers below (float, so
# decimal asset values and costs are accepted).
AV = input("Enter the asset value: ")
EFbefore = input("Enter the exposure factor (%): ")
ARO = input("Enter the annual rate of occurrence: ")
SafeguardCost = input("Enter the annual cost of the safeguard: ")
EFafter = input("Enter the exposure factor after the safeguard (%): ")

# SLE = AV * EF (EF is entered as a percentage, so divide by 100)
SLEbefore = float(AV) * (float(EFbefore) / 100)
SLEafter = float(AV) * (float(EFafter) / 100)

# ALE = SLE * ARO (this script assumes the ARO is unchanged by the safeguard)
ALEbefore = SLEbefore * float(ARO)
ALEafter = SLEafter * float(ARO)

# Safeguard value = ALE before - ALE after - annual cost of the safeguard
SafeguardValue = ALEbefore - ALEafter - float(SafeguardCost)

if SafeguardValue > 0:
    print("Approve control.")
elif SafeguardValue < 0:
    print("Reject control.")
else:
    print("There is no gain or loss.")

Conclusion

I was inspired to write a bit after doing some TryHackMe this morning. I have been learning a lot these days and enjoying it very much!

Until the next one 🙂