2.3.2. Risk Analysis: Qualitative and Quantitative
💡 First Principle: Risk analysis exists to produce decision-relevant information — not precise numbers for their own sake. The right analysis method is the one that produces actionable output given the data available and the decision being made. Both qualitative and quantitative methods serve important, complementary purposes.
Qualitative risk analysis uses descriptive scales to rank risks:
- Likelihood: Low / Medium / High / Critical
- Impact: Negligible / Minor / Moderate / Major / Catastrophic
- Risk level: combination (e.g., High likelihood × Major impact = Critical risk)
Advantages: Fast to perform, doesn't require hard-to-obtain financial data, works when historical incident data is sparse, accessible to non-financial stakeholders.
Disadvantages: Subjective, difficult to compare risks across categories, doesn't produce dollar figures for budget justification, may reflect analyst bias.
Quantitative risk analysis assigns numeric (dollar) values:
| Term | Formula | Example |
|---|---|---|
| Asset Value (AV) | Market + replacement + lost revenue value | Customer database: $5,000,000 |
| Exposure Factor (EF) | % of asset value lost if threat occurs | Ransomware destroys 80% of data: EF = 0.80 |
| Single Loss Expectancy (SLE) | AV × EF | $5,000,000 × 0.80 = $4,000,000 |
| Annualized Rate of Occurrence (ARO) | Expected frequency per year | Industry data suggests 0.25 (once every 4 years) |
| Annualized Loss Expectancy (ALE) | SLE × ARO | $4,000,000 × 0.25 = $1,000,000/year |
| Value of Safeguard | ALE before − ALE after − cost of safeguard | $1,000,000 − $200,000 − $300,000 = $500,000/year saved |
The safeguard ROI calculation is directly tested. A safeguard is cost-justified if:
(ALE_before - ALE_after) > Annual cost of safeguard
If a $300,000/year control reduces ALE from $1,000,000 to $200,000, the net benefit is $500,000/year — clearly justified. If it only reduces ALE from $1,000,000 to $800,000 (saving $200,000), the control costs more than it saves.
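The formula chain above (AV, EF, SLE, ARO, ALE, safeguard value) carried through in code, as an added example that is not part of the original study material. The class and function names are my own; the figures are the section's worked numbers ($5M asset, EF 0.80, ARO 0.25, a $300k/year control) plus the ARO conversions from the exam-trap note. The input checks on EF and ARO are the kind of sanity check that catches the classic exam mistake of entering 80 instead of 0.80.

```python
"""Quantitative risk-analysis helpers (added example; names are assumptions).

Implements AV -> EF -> SLE -> ARO -> ALE and the safeguard cost-justification
rule (ALE_before - ALE_after) > annual cost, using the section's own figures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat/asset pairing with the inputs the formula chain needs."""
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF as a fraction 0.0-1.0 (80% -> 0.80, not 80)
    aro: float              # Annualized Rate of Occurrence; may be fractional

    def __post_init__(self) -> None:
        # Guard against the usual unit slips (percent entered as a whole number).
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be a fraction between 0.0 and 1.0")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro must be non-negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def aro_from_interval(years_between_occurrences: float) -> float:
    """ARO for a threat expected once every N years (once per 5 years -> 0.2,
    twice per year is an interval of 0.5 years -> 2.0)."""
    if years_between_occurrences <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_occurrences


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual value of a safeguard: ALE_before - ALE_after - annual cost.
    A negative result means the control costs more than the risk it removes."""
    return ale_before - ale_after - annual_cost


def is_cost_justified(ale_before: float, ale_after: float, annual_cost: float) -> bool:
    """The section's rule: (ALE_before - ALE_after) > annual cost of safeguard."""
    return (ale_before - ale_after) > annual_cost


def evaluate_safeguard(before: RiskScenario, after: RiskScenario, annual_cost: float) -> dict:
    """Run the full chain for a before/after pair and summarize the decision."""
    return {
        "sle_before": before.sle,
        "ale_before": before.ale,
        "ale_after": after.ale,
        "risk_reduction": before.ale - after.ale,
        "net_value": safeguard_value(before.ale, after.ale, annual_cost),
        "justified": is_cost_justified(before.ale, after.ale, annual_cost),
    }


if __name__ == "__main__":
    # Worked example from the table: $5M database, EF 0.80, ARO 0.25 -> ALE $1M.
    baseline = RiskScenario(asset_value=5_000_000, exposure_factor=0.80, aro=0.25)
    # The section states the residual ALE ($200k or $800k) directly. To feed the
    # same chain, these after-states are constructed with the same ARO and a
    # reduced EF that lands on those figures (0.16 -> $200k, 0.64 -> $800k).
    strong_control = RiskScenario(asset_value=5_000_000, exposure_factor=0.16, aro=0.25)
    weak_control = RiskScenario(asset_value=5_000_000, exposure_factor=0.64, aro=0.25)
    for name, after in (("strong control", strong_control), ("weak control", weak_control)):
        result = evaluate_safeguard(baseline, after, annual_cost=300_000)
        print(f"{name}: ALE ${result['ale_before']:,.0f} -> ${result['ale_after']:,.0f}, "
              f"net value ${result['net_value']:,.0f}/year, justified={result['justified']}")
```

Running the block reproduces both cases in the text: the strong control nets $500,000/year and is justified; the weak control, which only trims ALE to $800,000, nets -$100,000/year and fails the test. The after-state EF values are constructed purely to reproduce the stated residual ALEs; in practice you would derive the residual EF or ARO from how the control actually changes the loss scenario.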
⚠️ Exam Trap: ARO can be a fraction. A threat expected to occur once every five years has ARO = 0.2. A threat expected twice per year has ARO = 2.0. The exam will test this. Also: the exam will present a multi-step quantitative calculation — work through it systematically; the correct answer is always derivable from the formula chain above.
Reflection Question: A ransomware incident destroys 60% of a company's customer database (valued at $8M). Industry data suggests ransomware incidents occur approximately once every 3 years in this sector. The organization is evaluating a backup and recovery solution costing $180,000/year that would reduce the exposure factor to 10%. Calculate whether the safeguard is cost-justified.