
Quantitative Risk Analysis
By Kavinga Yapa Abeywardena
Sri Lanka Institute of Information Technology (SLIIT)
Managers are usually happy with ‘Numbers’ not ‘Opinions’
Quantitative Risk Analysis
• So far we have focused on ‘Qualitative Risk Analysis’.

• We have noticed that qualitative methods are scenario based.

• ‘Quantitative Risk Analysis’ attempts to assign independent monetary values to system components.

• Quantitative methods tend to be more resource consuming; however, they come with a few distinct advantages over qualitative methods.
Quantitative Risk Analysis : Why?
• More objectivity in its assignment

• Results are easier to present to management

• Offers direct cost projection, better resource utilization

• Can be fine-tuned to specific situations & organization

• Less prone to arouse disagreements in review meetings

• Analysis is often derived from indisputable facts & figures


Quantitative Risk Analysis : Method
1. Conduct ‘Risk Assessment & Vulnerability Study’ to determine risk
factors.
2. Based on top 5 risk factors in [1] determine value of assets under
risk.
3. Determine historical attitude of the company with regards to their
security practices for reporting ‘loss incidents’.
4. Estimate Annualized Rate of Occurrence (ARO) for each risk factor.
5. Determine countermeasures for each risk factor.
6. Determine Annualized Loss Expectancy (ALE) for each risk factor.
7. Calculate the difference between the ALE prior to implementing the
countermeasures [5] and the ALE after implementing them.
8. Based on [6] & [7] determine the ROI using Internal Rate of Return
(IRR).
9. Present the summarized results to the management.
Quantitative Risk Analysis : Key Variables
• Exposure Factor (EF) = Percentage of asset loss caused by identified threat (0-100%)

• Single Loss Expectancy (SLE) = Asset Value x EF
  e.g. Rs. 50,000 x 20% = Rs. 10,000

• Annualized Rate of Occurrence (ARO) = Frequency a threat will occur within a year

• Annualized Loss Expectancy (ALE) = SLE x ARO

• Safeguard Cost/Benefit = ALE before Safeguard - ALE after Safeguard - Annual Cost of Safeguard
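As an added worked example (not from the slides), the key variables above together with the safeguard cost/benefit and the IRR-based ROI of steps 6-8 of the method, carried through in Python for one constructed risk factor; the asset, EF, ARO, safeguard costs and the three-year horizon are assumed sample values.

```python
from dataclasses import dataclass


@dataclass
class RiskFactor:
    name: str
    asset_value: float      # Rs., from the asset valuation step (step 2)
    exposure_factor: float  # EF as a fraction: 20% -> 0.20
    aro: float              # Annualized Rate of Occurrence, events per year


def sle(rf: RiskFactor) -> float:
    """Single Loss Expectancy = Asset Value x EF."""
    return rf.asset_value * rf.exposure_factor


def ale(rf: RiskFactor) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(rf) * rf.aro


def safeguard_net_benefit(before: RiskFactor, after: RiskFactor, annual_cost: float) -> float:
    """ALE before Safeguard - ALE after Safeguard - Annual Cost of Safeguard."""
    return ale(before) - ale(after) - annual_cost


def irr(cash_flows, lo=-0.99, hi=10.0, tol=1e-7) -> float:
    """Internal Rate of Return: the rate at which NPV is zero, found by bisection.
    cash_flows[0] is the up-front outlay (negative); the rest are yearly net benefits."""
    def npv(rate):
        return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))
    if npv(lo) * npv(hi) > 0:
        raise ValueError("IRR not bracketed: check the sign of the cash flows")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if npv(mid) > 0 else (lo, mid)
    return (lo + hi) / 2


# Constructed sample: the deck's Rs. 50,000 asset with EF 20% (SLE Rs. 10,000),
# expected twice a year. The safeguard cuts EF to 5% and ARO to 0.5 per year and
# costs Rs. 10,000 up front plus Rs. 3,000 per year (all assumed figures).
BEFORE = RiskFactor("web server compromise", 50_000, 0.20, 2.0)
AFTER = RiskFactor("web server compromise", 50_000, 0.05, 0.5)
SAFEGUARD_UPFRONT, SAFEGUARD_ANNUAL = 10_000, 3_000


def safeguard_irr(years: int = 3) -> float:
    """ROI of the safeguard (step 8): IRR of the yearly net benefit over `years`."""
    yearly = safeguard_net_benefit(BEFORE, AFTER, SAFEGUARD_ANNUAL)
    return irr([-SAFEGUARD_UPFRONT] + [yearly] * years)
```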
Determining Asset Values [2]
• Tangible Assets
• Ask the IT manager for cost information regarding existing
equipment, hardware & software
• Internet research on exact or comparable systems
• Look at previous projects, adjust according to depreciation
• Overall replacement cost due to failure (installation,
troubleshooting, 10% for contingency, temporary loss of services)

• Intangible Assets
• Measure asset’s fair market value (depreciation!) e.g. Trade Secrets
• Focus on the income producing capability of the intangible asset
• Involve senior management to conduct final valuation
Quantifying the Risk Elements
• Results derived from risk analysis & vulnerability assessment need to be quantified.

• EF, SLE & ARO need to be calculated.

• External knowledge & resources can be utilized.

• Look at the extract from a table developed by SANS using the latest industry-wide surveys and studies (Next Slide).

• Adjust the values according to the magnitude of your organization.
[Slide figure: extract from the SANS table, panels ‘SQL Injections & CSS’ and ‘World-Wide DOS Attack Duration Distribution’]

These statistics can be incorporated into quantification!


Quantitative Analysis : Mathematical Techniques
• Bayesian Techniques
  • Based on probabilities of event occurrence & Bayes' theorem

• Fuzzy Logic
  • For risks that do not have a proper quantitative probability model, it can help model the cause-and-effect relationships, assess the degree of risk exposure and rank the key risks in a consistent way, considering both the available data and experts’ opinions.

• Fault Tree Analysis
  • A logical diagram is constructed showing the logical event relationships

• Many other mathematical approaches exist

QUESTIONS ?
