ELI5: What is Quantitative Risk Assessment?

This is when you use math to figure out how much money a bad thing is likely to cost you each year. If a laptop gets stolen about once a year and you know what that laptop is worth, you can work out whether a $200 lock costs less than the losses it would prevent, and so whether the lock is worth buying.

Definition

A quantitative risk assessment uses mathematical formulas and numerical data to express risk as an expected financial loss. The key metrics are: Asset Value (AV), Exposure Factor (EF), Single Loss Expectancy (SLE = AV × EF), Annualized Rate of Occurrence (ARO), and Annual Loss Expectancy (ALE = SLE × ARO). This approach lets organizations prioritize risk treatment by cost-benefit analysis: a control is economically justified when its annual cost is less than the reduction in ALE it delivers (ALE before the control minus ALE after it).

Key Details

  • SLE: expected dollar loss from a single incident (AV × EF); EF is the fraction of the asset's value lost per incident, between 0 and 1
  • ARO: expected number of times the threat occurs in a year (e.g., 0.1 = once every 10 years, 12 = monthly); it is a frequency, not a probability, so it can exceed 1
  • ALE: expected annual financial exposure from a specific risk (SLE × ARO); rank risks by ALE to decide what to treat first
  • Control value: ALE (before control) − ALE (after control) − annual cost of control; a positive result means the control pays for itself, and the ALE reduction alone is the most you should spend on it per year
  • Limitation: requires reliable historical loss data and accurate asset valuations, which are often unavailable; EF and ARO are then estimates, so small changes in them can flip a control from justified to unjustified
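
The following Python is an added worked example, not code from the original page: it implements the SLE, ALE and control-value formulas above, ranks a small risk register by ALE, and picks the control with the best net value (or none, when no control is worth its cost). All asset values, exposure factors, rates and control costs are constructed illustrative figures; the `Risk` and `Control` classes and the helper function names are this example's own.

```python
"""Quantitative risk assessment helpers: SLE, ALE and control cost-benefit."""
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: replacement or business value in dollars
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0..1.0
    aro: float              # ARO: expected incidents per year (may exceed 1.0)

    def __post_init__(self) -> None:
        # Reject inputs that make the formulas meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be in [0, 1]")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: AV and ARO must be non-negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # amortised yearly cost of running the control
    residual_ef: float   # EF once the control is in place
    residual_aro: float  # ARO once the control is in place


def residual_risk(risk: Risk, control: Control) -> Risk:
    """The same asset, with the EF/ARO the control leaves behind."""
    return replace(risk, exposure_factor=control.residual_ef, aro=control.residual_aro)


def control_value(risk: Risk, control: Control) -> float:
    """ALE(before) - ALE(after) - annual cost; positive means the control pays for itself."""
    return risk.ale() - residual_risk(risk, control).ale() - control.annual_cost


def max_justified_cost(risk: Risk, control: Control) -> float:
    """Break-even annual spend: the ALE reduction the control delivers."""
    return risk.ale() - residual_risk(risk, control).ale()


def rank_by_ale(risks: Iterable[Risk]) -> list:
    """Highest expected annual loss first: the order in which to treat risks."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def best_control(risk: Risk, controls: Iterable[Control]) -> Optional[Control]:
    """The control with the highest net value, or None if none is worth buying."""
    best = max(controls, key=lambda c: control_value(risk, c), default=None)
    if best is None or control_value(risk, best) <= 0:
        return None
    return best


# Constructed sample figures for illustration only (not data from the page).
LAPTOP_THEFT = Risk("laptop theft", asset_value=50_000, exposure_factor=0.10, aro=2.0)
DATA_BREACH = Risk("customer DB breach", asset_value=2_000_000, exposure_factor=0.25, aro=0.05)

LAPTOP_CONTROLS = [
    Control("cable locks", annual_cost=500, residual_ef=0.10, residual_aro=1.0),
    Control("FDE + remote wipe", annual_cost=3_000, residual_ef=0.02, residual_aro=2.0),
    Control("theft insurance", annual_cost=9_000, residual_ef=0.0, residual_aro=2.0),
]

if __name__ == "__main__":
    for r in rank_by_ale([LAPTOP_THEFT, DATA_BREACH]):
        print(f"{r.name:20s} SLE=${r.sle():>12,.0f} ALE=${r.ale():>10,.0f}")
    for c in LAPTOP_CONTROLS:
        print(f"  {c.name:20s} net value=${control_value(LAPTOP_THEFT, c):>8,.0f} "
              f"(max justified spend ${max_justified_cost(LAPTOP_THEFT, c):,.0f})")
    chosen = best_control(LAPTOP_THEFT, LAPTOP_CONTROLS)
    print("recommended:", chosen.name if chosen else "accept the risk")
```

With the constructed figures, the laptop risk has SLE $5,000 and ALE $10,000, the breach has SLE $500,000 but ALE $25,000, so the breach ranks first despite being rarer. Of the laptop controls, encryption with remote wipe nets $5,000 a year (ALE reduction $8,000 minus $3,000 cost) and beats cable locks at $4,500, while insurance eliminates the loss but barely clears its premium. The break-even figure matters in practice because, as the limitation above notes, ARO and EF are usually estimates; if a control's cost sits close to its maximum justified spend, a slightly different ARO guess would reverse the decision.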

Connections