ITSG > TYPES OF POLICIES: PART 6 - RISK ANALYSIS

RISK ANALYSIS


Qualitative

  • Subjective analysis to help prioritize probability and impact of risk events
  • May use Delphi Technique

Quantitative

  • Providing a dollar value to a particular risk event
  • Much more sophisticated in nature; a quantitative analysis is much more difficult and requires a special skill set
  • Business decisions are made on a quantitative analysis
  • Can't exist on its own. Quantitative analysis depends on qualitative information

QUANTITATIVE ANALYSIS FORMULAS AND DEFINITIONS

  1. (AV) Asset Value: Dollar figure that represents what the asset is worth to the organization
  2. (EF) Exposure Factor: The percentage of loss that is expected to result from the manifestation of a particular risk event
  3. (SLE) Single Loss Expectancy: Dollar figure that represents the cost of a single occurrence of a threat instance
  4. (ARO) Annual Rate of Occurrence: How often the threat is expected to materialize
  5. (ALE) Annual Loss Expectancy: Cost per year as a result of the threat
  6. (TCO) Total Cost of Ownership: Total cost of implementing a safeguard. Often, in addition to initial costs, there are ongoing maintenance fees as well
  7. (ROI) Return on Investment: Amount of money saved by implementing a safeguard. Sometimes referred to as the value of the safeguard/control

SLE = AV * EF
ALE = SLE * ARO
TCO = Initial Cost of Control + Yearly Fees
ROI = ALE (before implementing control) - ALE (after implementing control) - cost of control
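
The four formulas carried through for one risk event and two candidate safeguards, as an added example that is not part of the original notes. The asset, dollar figures and control names are constructed, and the code assumes "cost of control" in the ROI formula means the first-year TCO.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    av: float   # Asset Value in dollars
    ef: float   # Exposure Factor as a fraction (0.25 = 25% of AV lost)
    aro: float  # Annual Rate of Occurrence (0.5 = once every two years)

    def __post_init__(self):
        if not 0 <= self.ef <= 1:
            raise ValueError("EF must be between 0 and 1")
        if self.av < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self):  # SLE = AV * EF
        return self.av * self.ef

    @property
    def ale(self):  # ALE = SLE * ARO
        return self.sle * self.aro

@dataclass(frozen=True)
class Control:
    name: str
    initial_cost: float
    yearly_fees: float
    ef_after: float   # EF once the control is in place
    aro_after: float  # ARO once the control is in place

    @property
    def tco(self):  # TCO = Initial Cost of Control + Yearly Fees
        return self.initial_cost + self.yearly_fees

def roi(risk, control):
    # Assumption: "cost of control" in the ROI formula is the first-year TCO.
    residual = Risk(risk.name, risk.av, control.ef_after, control.aro_after)
    return risk.ale - residual.ale - control.tco

def rank_controls(risk, controls):
    # Best ROI first; a negative ROI means the control costs more than it saves.
    return sorted(((c.name, roi(risk, c)) for c in controls),
                  key=lambda pair: pair[1], reverse=True)

# Constructed sample data, not from the original notes.
RISK = Risk("customer database breach", av=200_000, ef=0.25, aro=0.5)
CONTROLS = [Control("managed DLP", 20_000, 8_000, ef_after=0.125, aro_after=0.25),
            Control("disk encryption", 4_000, 1_000, ef_after=0.25, aro_after=0.125)]
```

Both safeguards leave the same residual ALE, so the ranking is decided entirely by TCO: the cheaper control has a positive ROI and the expensive one a negative ROI.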

