Chapter 111 · Security Program Management

Risk Analysis

Qualitative and quantitative risk assessment methods, the ARO/AV/EF/SLE/ALE formula chain, impact analysis across life, property, safety, finance and reputation, and the risk register for ongoing risk tracking.

Confidential
Report ID: RA-2024-001Domain: Security Program ManagementTopic: Qualitative & Quantitative Risk Assessment

Qualitative and Quantitative Risk Assessment

Once risks are identified, they must be analyzed to determine their significance. Two complementary approaches exist: qualitative analysis uses descriptive categories to characterize risk, while quantitative analysis uses numerical calculations to express risk in financial terms. Most mature security programs use both methods, because each fills gaps the other leaves.

Qualitative Risk Assessment

Qualitative risk assessment evaluates risk using descriptive or subjective analysis rather than precise numerical calculations. It asks the opinions of subject matter experts and presents results in broad, understandable terms.

Example traffic light grid:

Risk FactorImpactLikelihoodControl CostOverall Risk
Legacy Windows clientsMediumHighMediumHigh
Untrained staffLowMediumLowMedium
No antivirus on devicesMediumHighMediumVery High

Quantitative Risk Assessment

Quantitative risk assessment uses numerical calculations to estimate the financial impact and likelihood of security incidents. It provides measurable data for budgeting and justifying security investments.

Qualitative: descriptive, opinion-based, traffic light grids — good for non-financial impacts. Quantitative: formula-based, financial calculations — good for budgeting and ROI justification. Use both together for a complete picture.
Confidential
Report ID: RA-2024-002Domain: Security Program ManagementTopic: Quantitative Formulas — SLE, ALE, ARO

Quantitative Risk Formulas: SLE and ALE

Quantitative risk analysis uses a chain of calculations to arrive at the Annualized Loss Expectancy — the expected yearly financial cost of a specific risk. Understanding and applying these formulas is a core Security+ exam skill.

Single Loss Expectancy (SLE)

The Single Loss Expectancy is the monetary loss expected from a single occurrence of a specific threat event against a specific asset.

SLE = AV × EF

Annualized Loss Expectancy (ALE)

The Annualized Loss Expectancy is the expected yearly financial loss from a recurring threat, calculated by multiplying how often the event occurs by how much each occurrence costs.

ALE = ARO × SLE

Formula Chain Summary

TermDefinitionFormulaExample
AROAnnualized Rate of Occurrence: how often per yearHistorical data / statistics7 laptops stolen per year
AVAsset Value: total value of the asset to the organizationReplacement + lost revenue + fines$1,000 per laptop
EFExposure Factor: percentage of asset value lost per incidentFraction (0.0–1.0)1.0 (complete loss)
SLESingle Loss Expectancy: cost of one incidentAV × EF$1,000 × 1.0 = $1,000
ALEAnnualized Loss Expectancy: yearly financial impactARO × SLE7 × $1,000 = $7,000/year
Formula chain: SLE = AV × EF → ALE = ARO × SLE. Laptop example: AV=$1,000, EF=1.0, SLE=$1,000, ARO=7, ALE=$7,000/year. Security investment is justified if its annual cost is less than the ALE reduction it produces.
Confidential
Report ID: RA-2024-003Domain: Security Program ManagementTopic: Impact Analysis, Risk Appetite & Risk Register

Impact Analysis, Risk Appetite, Tolerance, and the Risk Register

Impact Categories

The consequences of a realized risk extend beyond financial loss. A complete risk analysis considers impact across five categories, ordered from most critical to least:

Risk Likelihood vs. Risk Probability

These terms are related but technically distinct and often used interchangeably in practice:

Risk Appetite and Risk Tolerance

Not every risk requires action. Organizations define acceptable levels of risk exposure through two related but distinct concepts:

Risk Register

A risk register is a formal document that records all identified risks associated with a project or organizational operation, enabling systematic tracking and management:

Impact priority: Life > Property > Safety > Finance > Reputation. Risk appetite = what you are willing to accept (policy). Risk tolerance = how far above appetite you will go before acting (practice). Risk register: documents all risks with KRIs, owner, and threshold for every project.