Quantitative & Qualitative Risk Analysis
Phân tích Rủi ro Định lượng & Định tính
Risk Fundamentals
| Concept | Tiếng Việt | Definition | Example |
|---|---|---|---|
| Threat | Mối đe dọa | Any potential event that could harm an asset | SQL injection attack, employee error, earthquake |
| Vulnerability | Lỗ hổng | A weakness that a threat can exploit | Unpatched API, weak password policy, no input validation |
| Asset | Tài sản | Anything of value that needs protection | Customer PII database, loan processing system, brand reputation |
| Risk | Rủi ro | The potential for harm combining threat, vulnerability, and asset value | Probability of PII breach × financial/reputational impact |
Quantitative Risk Analysis — Formulas
Quantitative analysis assigns dollar values to risk. These formulas WILL appear on the CISSP exam — practice calculating them until they are automatic.
Qualitative vs Quantitative Risk Analysis
| Aspect | Qualitative | Quantitative |
|---|---|---|
| Method | Subjective ratings (High/Med/Low, 1–5 scale) | Objective dollar values (SLE, ALE) |
| Data needed | Expert opinion, judgment, experience | Historical incident data, asset values, probability |
| Output | Risk matrix / heat map | Financial loss expectancy in dollars |
| Best for | Early stages, new systems, intangible risks, fast assessment | Cost-benefit analysis of controls, mature organizations with data |
| Weakness | Subjective; two analysts may rate the same risk differently | Requires good data; calculations can give false precision |
Risk Types
Risk Appetite, Tolerance & Residual Risk
| Concept | Tiếng Việt | Definition | Who Sets It |
|---|---|---|---|
| Risk Appetite | Khẩu vị rủi ro | The total amount of risk an organization is willing to accept in pursuit of its objectives | Board / Senior Management |
| Risk Tolerance | Ngưỡng chịu đựng rủi ro | The acceptable deviation from risk appetite — the wiggle room around the target | Board / Senior Management |
| Residual Risk | Rủi ro còn lại | Risk remaining after controls are applied — can never be zero | Formally accepted by Management |
Key Terms
| Term | Tiếng Việt | Formula / Definition |
|---|---|---|
| AV (Asset Value) | Giá trị tài sản | Dollar value of the asset being protected |
| EF (Exposure Factor) | Hệ số phơi nhiễm | % of asset lost per incident (0–100%) |
| SLE | Tổn thất kỳ vọng đơn lẻ | SLE = AV × EF |
| ARO | Tần suất xảy ra hàng năm | Expected occurrences per year (0.1 = once per 10 years) |
| ALE | Tổn thất kỳ vọng hàng năm | ALE = SLE × ARO |
| Risk Appetite | Khẩu vị rủi ro | Total risk organization accepts; set by Board |
| Residual Risk | Rủi ro còn lại | Risk remaining after controls; cannot be eliminated |
1. ALE = SLE × ARO — this formula WILL appear on the exam. Practice calculating it in both directions (given ALE and ARO, find SLE).
2. Qualitative = subjective (High/Med/Low); Quantitative = objective ($$$). The exam may ask "which method assigns dollar values" — always Quantitative.
3. Residual Risk cannot be eliminated. Any answer choice that says "eliminate all risk" is always wrong on CISSP.
4. Control cost-benefit: A control should not cost more than ALE(before) − ALE(after). If the control costs more than it saves, reject it.
5. Risk Appetite is set by MANAGEMENT/BOARD, not by IT or the security team. IT can recommend, but the business accepts risk.
Calculate ALE for Platform A PII exposure risk:
AV = $2,000,000 (asset value of the legacy PII data set, as used in the SLE line below)
EF = 50% (partial exposure — not all records exposed)
ARO = 0.1 (once per 10 years — based on industry incident rate)
SLE = AV × EF = $2,000,000 × 0.50 = $1,000,000
ALE = SLE × ARO = $1,000,000 × 0.1 = $100,000/year
Cost of AES-256-CTR encryption implementation = ~$20,000/year
ROI (net annual benefit) = ALE − control cost = $100,000 − $20,000 = $80,000/year saved
Note that this subtraction treats ALE(after) as zero, i.e. it assumes encryption removes the exposure entirely; if the control only reduces it, apply rule 4 above and use ALE(before) − ALE(after) − control cost.
This is the business case for encrypting Platform A legacy data. Present this calculation to the CTO when requesting budget — quantitative justification is far more persuasive than "we should encrypt because it's best practice."
Qualitative approach for Platform C new features: Use a risk matrix (Likelihood × Impact: 1–5 scale) during sprint planning to prioritize security requirements for new PH partner integrations where no historical incident data is available.
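The following is an added example (not part of the original notes) that puts the Key Terms formulas, the Platform A calculation and the 1–5 risk matrix into runnable Python. The Platform A figures are the constructed ones used above; the High/Medium/Low thresholds in `qualitative_rating` are an assumption for illustration, not a CISSP-defined scale.

```python
"""Quantitative and qualitative risk helpers (added example, not from the original notes)."""
from dataclasses import dataclass


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: SLE = AV x EF, with EF given as a fraction 0.0-1.0."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1 (50% -> 0.5)")
    return asset_value * exposure_factor


def ale(single_loss: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO (ARO 0.1 = once per 10 years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss * aro


def sle_from_ale(annual_loss: float, aro: float) -> float:
    """The 'other direction' the exam asks for: SLE = ALE / ARO."""
    if aro == 0:
        raise ValueError("ARO of 0 means the event never occurs; SLE is undefined")
    return annual_loss / aro


@dataclass
class ControlDecision:
    """Cost-benefit check from rule 4: a control is worth it only if
    ALE(before) - ALE(after) exceeds its annual cost."""
    ale_before: float
    ale_after: float
    annual_cost: float

    @property
    def risk_reduction(self) -> float:
        return self.ale_before - self.ale_after

    @property
    def net_value(self) -> float:
        # Positive means the control saves more than it costs per year.
        return self.risk_reduction - self.annual_cost

    def recommend(self) -> bool:
        return self.net_value > 0


def qualitative_rating(likelihood: int, impact: int) -> str:
    """5x5 Likelihood x Impact matrix for the sprint-planning approach.
    Thresholds (>=15 High, >=6 Medium, else Low) are an assumed banding for
    illustration; each organization defines its own."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact are on a 1-5 scale")
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def platform_a_business_case() -> ControlDecision:
    """Platform A PII exposure: AV $2,000,000, EF 50%, ARO 0.1, encryption ~$20,000/yr.
    ALE(after) = 0 mirrors the page's simplifying assumption that encryption
    removes the exposure entirely."""
    single_loss = sle(2_000_000, 0.50)        # $1,000,000
    annual_loss = ale(single_loss, 0.1)       # $100,000/year
    return ControlDecision(ale_before=annual_loss, ale_after=0.0, annual_cost=20_000)


if __name__ == "__main__":
    case = platform_a_business_case()
    print(f"Platform A: ALE ${case.ale_before:,.0f}/yr, net benefit ${case.net_value:,.0f}/yr,"
          f" implement={case.recommend()}")
    print("SLE recovered from ALE $60,000 at ARO 0.3:", sle_from_ale(60_000, 0.3))
    print("New PH partner API, likelihood 4 x impact 4 ->", qualitative_rating(4, 4))
```

`ControlDecision` keeps ALE(after) as an explicit input so the same class answers both the Platform A case (ALE(after) assumed zero) and practice question Q5 below, where the control only reduces ALE from $80,000 to $25,000.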
Practice Questions
Q1. A customer database has an Asset Value of $800,000. An attack is expected to destroy 25% of records. What is the SLE?
A) $200,000 — SLE = AV × EF = $800,000 × 0.25 = $200,000
Q2. Using the database from Q1 (SLE = $200,000), if such an attack is expected to occur 3 times every 10 years, what is the ALE?
A) $60,000/year — ALE = SLE × ARO = $200,000 × 0.3 = $60,000
Q3. A startup is evaluating risks for a brand-new mobile lending app with no historical incident data. Which risk analysis method is most appropriate?
A) Qualitative — uses expert judgment and risk matrices when historical data is unavailable
Q4. The Board of Directors must decide how much operational risk to accept for a new digital lending product. Who is responsible for setting the risk appetite?
A) The Board of Directors / Senior Management — not the IT or security team
Q5. A security control costs $30,000/year. Before the control, ALE was $80,000. After the control, ALE is estimated at $25,000. Should the control be implemented?
A) Yes — the control saves $25,000/year net (Value = ALE(before) − ALE(after) − cost = $80,000 − $25,000 − $30,000 = $25,000, a positive ROI)