Why quantitative risk analysis uses dollar amounts, not color codes
SLE formula: Asset Value × Exposure Factor
ARO: how historical frequency translates to annual probability
ALE formula and how it sets your maximum security budget
$4.9M: average breach cost (IBM 2024), the kind of figure ALE aims to predict
EF: Exposure Factor, the % of the asset lost per incident
ALE = SLE × ARO: the master formula for the annual risk budget
Qualitative risk is Red/Yellow/Green opinions. Quantitative risk is cold dollar amounts and historical frequencies. SY0-701 tests both — but the math questions are always quantitative.

Why We Calculate Risk

Security professionals must justify every dollar of security spending to executive leadership. If a server is worth $50,000, it makes zero business sense to spend $200,000 annually defending it. Quantitative Risk Assessment uses mathematical formulas to derive the maximum rational budget for any security control — based purely on asset value and threat probability.

The Risk Formulas Explained

Single Loss Expectancy (SLE) — How much does the organization lose exactly one time this threat occurs?

SLE = Asset Value (AV) × Exposure Factor (EF)

Asset Value (AV): The total replacement or recovery cost of the asset in dollars. This includes hardware, software licenses, recovery labor, and business interruption costs.

Exposure Factor (EF): The percentage of the asset destroyed or made inaccessible per incident. A fire may destroy 100% of a server room (EF = 1.0). A data breach of one out of ten databases might expose only 10% of the data (EF = 0.1).

Example:
  • A database server costs $200,000 to replace fully
  • A ransomware attack would encrypt it completely (EF = 1.0)
  • SLE = $200,000 × 1.0 = $200,000 per ransomware incident

Annualized Rate of Occurrence (ARO) — How many times per year is this specific threat expected to occur, based on historical data? ARO is a decimal expressing yearly frequency:
  • Happens exactly once per year → ARO = 1.0
  • Happens once every 2 years → ARO = 0.5
  • Happens once every 10 years → ARO = 0.1
  • Happens 4 times per year → ARO = 4.0

Source of ARO data: Historical incident records, industry threat intelligence feeds, insurance actuarial tables, and government databases like US-CERT incident statistics.

Exam Tip: ARO can be fractional. An earthquake hitting a data center once every 50 years = ARO of 0.02.

Annualized Loss Expectancy (ALE) — How much does this threat cost the organization per year on average?

ALE = SLE × ARO

ALE is the maximum rational annual budget for a security control targeting that specific threat. It makes no business sense to spend more on a control than the expected annual loss.

Full Example Chain:
  1. Asset (web server): AV = $100,000
  2. Threat: DDoS attack makes the server unavailable
  3. Exposure Factor: 50% revenue impact per incident (EF = 0.5)
  4. SLE = $100,000 × 0.5 = $50,000 per incident
  5. Historical frequency: DDoS happens 3 times/year (ARO = 3.0)
  6. ALE = $50,000 × 3.0 = $150,000/year expected DDoS loss

→ Spending $80,000/year on DDoS mitigation is justified. Spending $200,000/year is not.

To calculate the Return on Investment (ROI) of a security control:

ROI (savings) = ALE_before − ALE_after − Cost_of_control

If the DDoS mitigation reduces incidents from 3/year to 0.5/year:
  • Old ALE: $150,000/year
  • New SLE: unchanged at $50,000
  • New ARO: 0.5
  • New ALE: $50,000 × 0.5 = $25,000/year
  • Control cost: $50,000/year
  • Annual savings: $150,000 − $25,000 − $50,000 = $75,000/year net benefit

This calculation directly justifies the security investment to the CFO in language they understand — dollar ROI.

Quick Reference Formula Table

| Term | Formula | What It Answers |
|---|---|---|
| AV (Asset Value) | Direct measurement ($) | How much is the asset worth? |
| EF (Exposure Factor) | Loss ÷ AV (expressed as %) | What fraction of the asset is lost per incident? |
| SLE (Single Loss Expectancy) | AV × EF | How much does one incident cost? |
| ARO (Annualized Rate of Occurrence) | Incidents ÷ Years | How often does it happen per year? |
| ALE (Annualized Loss Expectancy) | SLE × ARO | What is the expected yearly cost? (= max budget) |
| Control ROI | ALE_before − ALE_after − Control_cost | Does this spend make financial sense? |

Real-World Scenario

Practice Problem: A company's primary file server (AV = $500,000) is in a hurricane-prone coastal area. Historical records show a hurricane affecting operations once every 5 years (ARO = 0.2). A hurricane typically damages 40% of the facility (EF = 0.4). What is the ALE?

Step 1: SLE = $500,000 × 0.4 = $200,000
Step 2: ALE = $200,000 × 0.2 = $40,000/year

Conclusion: The company should not spend more than $40,000/year on hurricane protection for this asset. A $25,000/year hardened disaster recovery site is financially justified. A $100,000/year dedicated hurricane response team is not.
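The full chain from the formulas section (ARO from incident history, SLE, ALE and the control ROI decision) and the hurricane practice problem, carried through as an added Python example that is not part of the original page. The incident log, the observation windows and the second candidate control are constructed for illustration; the evaluator also ranks several candidate controls at once, which goes beyond the single-control calculation in the text.

```python
# Constructed sample incident records (ISO date, threat label); not real data.
INCIDENT_LOG = [
    ("2023-02-11", "ddos"), ("2023-06-30", "ddos"), ("2023-11-03", "ddos"),
    ("2023-04-19", "phishing"),
    ("2014-09-02", "hurricane"), ("2019-08-27", "hurricane"),
]

def aro_from_log(log, threat, years_observed):
    """ARO = incidents of this threat / years of history (Incidents ÷ Years)."""
    if years_observed <= 0:
        raise ValueError("years_observed must be positive")
    return sum(1 for _, t in log if t == threat) / years_observed

def sle(asset_value, exposure_factor):
    """SLE = AV × EF, with EF the fraction of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must lie between 0.0 (no loss) and 1.0 (total loss)")
    return asset_value * exposure_factor

def ale(single_loss, aro):
    """ALE = SLE × ARO: expected loss per year and the ceiling for control spend."""
    return single_loss * aro

def evaluate_controls(ale_before, single_loss, candidates):
    """candidates are (name, aro_after, annual_cost); returns best net benefit first.
    A control that lowers EF instead of ARO can pass a recomputed single_loss."""
    results = []
    for name, aro_after, cost in candidates:
        after = ale(single_loss, aro_after)
        reduction = ale_before - after          # ALE_before − ALE_after
        results.append({"name": name, "ale_after": after,
                        "net_benefit": reduction - cost,   # minus Control_cost
                        "justified": cost < reduction})    # the exam decision rule
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)

def ddos_example():
    """The page's web-server chain: AV $100k, EF 0.5, three DDoS hits in one year."""
    loss = sle(100_000, 0.5)                                   # $50,000 per incident
    before = ale(loss, aro_from_log(INCIDENT_LOG, "ddos", 1))  # $150,000 per year
    candidates = [  # the $50k mitigation is the page's figure; the second is constructed
        ("ddos mitigation service", 0.5, 50_000),  # net +$75,000, justified
        ("extra bandwidth only", 2.0, 80_000),     # saves $50k but costs $80k, not justified
    ]
    return before, evaluate_controls(before, loss, candidates)

def hurricane_example():
    """Practice problem: AV $500k, EF 0.4, two hurricanes in ten years of records."""
    return ale(sle(500_000, 0.4), aro_from_log(INCIDENT_LOG, "hurricane", 10))  # 40,000
```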

If the exam asks you to determine whether a security control is financially justified, always calculate ALE first. If Control_cost < ALE_reduction (where ALE_reduction = ALE_before − ALE_after), the control is justified. If the question asks about the annual savings from a control, use: ALE_before − ALE_after − Control_cost.
  • SLE = AV × EF — cost of one single incident occurring.
  • ARO is the annual frequency — can be fractional (0.1 = once every 10 years).
  • ALE = SLE × ARO — the maximum rational annual security budget for that threat.
  • If ALE = $50,000/year, never spend more than $50,000/year on that control.
  • Control ROI = ALE_before − ALE_after − Control_cost — quantifies the financial impact of any control.
