Risk Analysis

Risk Analysis

Risk analysis is a part of the risk management process. It is a process of identifying the list of risks associated with each asset in the organization, and it involves the identification of threats, vulnerabilities, the likelihood of each threat being realized, and the impact of the realized threat.

There are two ways to perform risk analysis.

  1. Qualitative

  2. Quantitative

Qualitative Risk Analysis

Qualitative risk analysis uses a ranking system where each risk is categorized as low, moderate, high, or critical based on the likelihood and impact/consequences of the risk.

image source: https://www.safran.com/image source: https://www.safran.com/

Quantitative Risk analysis

Quantitative risk analysis involves assigning a monetary value (asset value) to the asset and the data it contains. For instance, let’s say there is a laptop valued at $1000, and it holds critical PII information about employees of the organization, valued at $9000, making the total value of the asset $10000.

Quantitative risk analysis involves following terms.

Exposure Factor (EF): percentage of asset that is lost if the risk occurs.

Single Loss Expectancy (SLE): amount of money loss faced by the organization if the risk is realized only once on a particular asset.

SLE= Asset value * EF

Annualized Rate of Occurrence (ARO): The number of times a particular risk occurs within a single year for the asset.

Annualized Loss Expectancy (ALE): The total amount of money loss faced by the organization if the risk is realized within a year for a particular asset.

ALE=SLE*ARO

To understand these terms, let’s take an example.

10% of the server will get affected if the earthquake hits the organization twice in one year. Value of the server is $5000._

Exposure Factor (EF) - 10%
Asset value - $5000
Annualized Rate of Occurrence (ARO) = 2/year
Single Loss Expectancy (SLE) = Asset value * EF ⇒  10 * 5000  ⇒  $500

This means the organization would face a loss of $500 if the risk is realized only once.

ALE = ARO * SLE ⇒ 2 * 500 ⇒ $1000

So, if the risk is realized twice in a year, the organization would face a total loss of $1000 on the server.

Based on the organization’s understanding that countermeasures for mitigating the earthquake risk should not exceed $1000 per year, including both implementation and operational costs. This budget constraint suggests that the organization should seek cost-effective solutions for mitigating the earthquake risk on the server. Any countermeasures implemented should not only be effective in reducing the risk but also remain within the budget of $1000 per year.

The organization may need to conduct a cost-benefit analysis to determine the most efficient and affordable countermeasures that can effectively mitigate the risk while staying within the specified budget constraint. This analysis will help prioritize and select the most suitable risk mitigation strategy.

Thank you!!!