What is the formula for calculating Aro?

Quantitative risk assessment

Once you have determined which threats create the greatest risk exposure to the business, you can then use quantitative risk assessment methods to determine how much the agency should spend to mitigate the potential threat. Quantitative risk assessment associates loss with a financial value. The goal of understanding financial loss is to give you more information in making decisions about the procurement and implementation of safeguards. Quantitative risk assessment is essential if you want to perform cost-benefit analysis to figure out if implementing a particular safeguard is financially worth the cost. If the anticipated annual loss (also referred to as annual loss expectancy) is less than the annualized cost of the safeguard, then it is usually not worth it to implement the safeguard. For example, if a data center is in a city that is prone to electrical grid outages, then it might make sense to invest in more generators only if the annual loss is greater than the annualized cost of new generators (the safeguard).

(The loss caused by the electrical grid, could mean loss of data, loss of customers, or some other loss.)

Let’s look at a more detailed example related to natural disasters to figure out financial loss based on quantitative risk assessment methods. If you look at Figure 17.4, you will see that in Florida alone there are different probabilities throughout the state for hurricanes with wind speeds greater than 100 knots. To calculate the risk of a hurricane occurring in Miami, Florida, you need to understand the likelihood of one occurring each year. If a hurricane occurs once every 20 years (1 of 20), then it has a 5% chance of occurring yearly since 1/20 = 0.05, which equals 5%.

The frequency of Florida hurricanes with wind speeds greater than or equal to 100 knots is mapped in terms of the probability of occurrence during a 20-year exposure window. These probabilistic estimates, based on 1006 years of observations, illustrate that hurricanes with 100-knot winds occur more frequently in southern Florida and gradually decrease in frequency toward northern Florida [2].

The threat frequency (or likelihood) for natural disasters can be calculated by using an Annualized Rate of Occurrence (ARO). An ARO is a constant number that tells you how often a threat might occur each year. AROs can be broken down into subvalues known as Standard Annual Frequency Estimates (SAFE) and Local Annual Frequency Estimates (LAFE). The SAFE value is the number of times a specific threat is expected to occur annually in a large geographic region such as North America. The LAFE value is the number of times a specific threat can be expected to occur annually in a smaller, local geographic region such as Miami, Florida. For the purpose of FISMA compliance, it is more appropriate to use LAFE values. (If we were going to assess all the systems in North America in one Security Package, we might use SAFE values for that. Such a Security Package of course would be a Sisyphean exercise.)

ARO values (SAFE and LAFE) typically are represented as rational numbers or as a decimal value as shown in Table 17.5. (A rational number is a number that can be expressed equivalently as a fraction.)

Table 17.5. Threat Values for Annualized Rates of Occurrence

ARO (LAFE) ValuesExpressed as a PercentageExpressed as a DecimalExpressed as a FractionFrequency of Occurrence10.011/100Once every 100 years20.021/50Once every 50 years50.051/20Once every 20 years100.101/10Once every 10 years200.21/5Once every 5 years10011/1Once a year10001010/110 times a year10,0002020/120 times a year

The reduction in the value of an information system from one threat (or incident) is referred to as a Single Loss Expectancy (SLE). If one of the servers in your hardware and software inventory is valued at $100,000, and a hurricane destroys 90% of it, the value of the system has been reduced by $90,000, which is represented by the SLE equation:

SLE=OriginalTotalCost–RemainingValue

SLE$90,000=$100,000–$10,000

It is possible that instead of a hurricane, a hacker might destroy 90% of the server and the same SLE formula would apply. Once you know the SLE, you can determine an Annual Loss Expectancy (ALE). ALE is a risk exposure standard that is computed by multiplying the probability of a loss from a threat (or incident) by the reduction in value of the information system [1].

ALE is a metric that was developed by the National Bureau of Standards in 1979. In the mid-1980s, the National Bureau of Standards became part of the National Institute of Standards and Technology.

ALE values are useful to perform cost-benefit analysis so that you can figure out if spending money on a particular safeguard is worth it or not. ALE values can be determined for any type of threat whether it is a threat launched by an adversary, or a natural disaster. To determine the ALE for this same $100,000 system, use the formula:

ALE=LAFE×SLE

RE=PL×SL

The LAFE value is the probability of potential loss, or P(L). The SLE, or the loss from a one-time occurrence of the incident, is the severity of the loss, S(L).

If the system is located in Miami, Florida, and hurricanes have a 5% chance of occurring yearly:

ALE=$0.05×$90,000=4,500

Every year, the one-information system located in Miami, Florida, is being exposed to an annual loss expectancy of 4,500 from hurricanes alone. If there are 1000 systems at this facility in Miami, all with the same ALE, that would come to a whopping cumulative ALE of $4,500,000. Even if moving the facility to a different location costs $1,000,000, in this case it would be worth it since the safeguard (e.g., the move) would be far less expensive than the Annual Loss Expectancy.

An additional resource that explains quantitative risk assessment is an article titled “Security Scanning is not Risk Analysis” in the Intranet Journal (http://www.web.archive.org/web/20030207102906/http://www.intranetjournal.com/articles/200207/se_07_14_02a.html).

Quantitative Assessment

Imagine all the scenarios in which your assets are threatened, and determine what portion of those asset would be lost if each threat became a reality. The percentage of the asset value that would be lost is the exposure factor (EF). The dollar (or other currency) amount that would be lost if the threat was realized is the single loss expectancy (SLE), and is computed using the following formula:

SLE = asset value x exposure factor

If only half of a $1,000,000 asset is lost in an incident, then the exposure factor is 50 percent and the SLE is $500,000. It is possible for a loss to exceed the asset’s value to the corporation, such as in the event of a massive product liability lawsuit; in this case, the EF would be greater than 100 percent.

Of course, some threats are more likely to materialize than others. The term for the frequency of threats each year is the annualized rate of occurrence (ARO). If we expect a threat to occur three times per year on average, then the ARO equals 3. If another threat is expected to occur only once in ten years, the average would be one tenth of an occurrence each year, giving an ARO of 0.1 for that threat. An important factor in the ARO is how vulnerable you are to a particular threat. For our information systems, we can refer to vulnerability databases published on the Web, which tell us what known vulnerabilities exist for a particular version of a particular product. However, vulnerabilities in information systems don’t only come from programming errors. Improper installation and configuration of a product can also make it vulnerable. A vulnerability scanner program can automate much of the work of identifying vulnerabilities in these systems.

Now we can combine the monetary loss of a single incident (SLE) with the likelihood of an incident (ARO) to get the annualized loss expectancy (ALE). The ALE represents the yearly average loss over many years for a given threat to a particular asset, and is computed as follows:

ALE = SLE x ARO

Some risk assessment professionals add another factor: uncertainty. If we have good historical data to support our quantification of asset value, exposure factor, and annualized rate of occurrence, then we are very certain of the risk. If we used a dart board to assign any of these component values, then we have considerable uncertainty of the risk. We can revise our last formula to account for this:

ALE = SLE x ARO x uncertainty

where uncertainty ranges from one for completely certain, to numbers greater than one for more uncertainty (e.g., an uncertainty of 1.5 means that the ALE might be 50 percent more than the estimate of SLE × ARO; an uncertainty of 2.25 means that the ALE might be more than double our estimate).Table 9.2 shows quantitative risk assessment calculations.

Table 9.2. Quantitative Risk Assessment Calculations

Asset NameAsset ValueExposure FactorSLEAROUncertaintyALEBuilding$6,000,00050 %$3,000,000.071$210,000Customer
Database$1,000,000100 %$1,000,000.6673$2,000,000Software$800,00075 %$600,000.6671.5$600,000

Answers

1.

Correct answer and explanation: C. The ARO is the number of attacks in a year.

Incorrect answers and explanations: Answers A, B, and D are incorrect. The AV is $20,000. The EV is 40% and the monthly cost of the DoS service (used to calculate TCO) is $10,000.

Correct answer and explanation: D. The ALE is derived by first calculating the SLE, which is the AV, $20,000, multiplied by the EF, 40%. The SLE is $8000, which is multiplied by the ARO of 7 for an ALE of $56,000.

Incorrect answers and explanations: Answers A, B, and C are incorrect. $20,000 is the AV, while $8000 is the SLE.

Correct answer and explanation: C. The TCO of the DoS mitigation service is higher than ALE of lost sales due to DoS attacks. This means it is less expensive to accept the risk of DoS attacks or to find a less expensive mitigation strategy.

Incorrect answers and explanations: Answers A, B, and D are incorrect. The annual TCO is higher, not lower. $10,000 is the monthly TCO; you must calculate yearly TCO to compare with the ALE.

Correct answer and explanation: A. The canons are applied in order and “To protect society, the commonwealth, and the infrastructure” is the first canon, and is thus the most important of the four canons of The (ISC)2® Code of Ethics.

Incorrect answers and explanations: Answers B, C, and D are incorrect. The canons of The (ISC)2® Code of Ethics are presented in order of importance. The second canon requires the security professional to act honorably, honestly, justly, responsibly, and legally. The third mandates that professionals provide diligent and competent service to principals. The final and therefore least important canon wants professionals to advance and protect the profession.

Correct answer and explanation: Files, database tables, and tax forms are example of objects, so they should be dragged to the right (Fig. 1.6).

Incorrect answers and explanations: A running process and a user are examples of subjects.

Answers

1.

Correct answer and explanation: A. Answer A is correct; policy is high level and avoids technology specifics.

Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. B is a procedural statement. C is a guideline. D is a baseline.

Correct answer and explanation: C. Answer C is correct; the Annual Rate of Occurrence is the number of attacks in a year.

Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. $20,000 is the Asset Value (AV). Forty percent is the Exposure Factor (EF). $10,000 is the monthly cost of the DoS service (used to calculate TCO).

Correct answer and explanation: D. Answer D is correct; Annualized Loss Expectancy (ALE) is calculated by first calculating the Single Loss Expectancy (SLE), which is the Asset Value (AV, $20,000) times the Exposure Factor (EF, 40%). The SLE is $8000; multiply by the Annual Rate of Occurrence (ARO, 7) for an ALE of $56,000.

Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. $20,000 is the Asset Value. $8000 is the Single Loss Expectancy.

Correct answer and explanation: C. Answer C is correct; the Total Cost of Ownership (TCO) of the DoS-mitigation service is higher than Annualized Loss Expectancy (ALE) of lost sales due to DoS attacks. This means it's less expensive to accept the risk of DoS attacks (or find a less expensive mitigation strategy).

Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. A is incorrect: the TCO is higher, not lower. $10,000 is the monthly TCO; you must calculate yearly TCO to compare with the ALE. D is wrong: the annual TCO is higher, not lower.

Correct answer and explanation: D. Answer D is correct; the data owner ensures that data has proper security labels.

Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. Custodians patch systems. Users should be aware and report suspicious activity. Ensuring files are backed up is a weaker answer for a data owner duty, used to confuse the data owner with “the owner of the file” on a discretionary access control system.

Risk Analysis

The details we have covered to now have one primary aim: to help us quantify and manage the risk to our information. The quantifying approach is known as risk analysis, and these days many of you will be very familiar with some semiformal techniques. These techniques appear in the system development methodologies, project management methodologies, heath and safety processes, and insurance evaluations. If I had written this chapter five years ago, the examples and explanations would have needed to be far more detailed. However, I am going to assume everybody needs a refresher.

Determine Impact

In all risk assessment frameworks that you will encounter, there will be in some form or another, a measurement of impact. As previously mentioned, impact is the outcome, typically harmful, of a threat applied to an asset. This is also one of the primary components for computing a risk rating.

The objective of this activity is to produce a measurement for impact. This will be part of an impact and likelihood matrix, which will ultimately produce your risk ratings. There are many different ways to determine impact and contrary to what you may read in some literature there is no single correct method for determining impact.

Quantitative risk assessments, deal with estimating loss based on a financial perspective by using calculations like Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE). As an example, a HIPAA violation not due to willful neglect carries a penalty of $100 for each violation, with the total amount not to exceed $250,000; therefore, we know that if a database with several thousand patient records was compromised, the impact to your organization will be $25,000. But if this was due to willful neglect, the impact could be as much as $1.5 million. This may be the most objective way to determine impact, but in reality, this is highly dependent on information that may not always be readily available.

Qualitative determination of impact differs from quantitative in that qualitative risk assessments do not try to put a financial value to the asset and the subsequent monetary losses stemming from the threat. In this approach one measures relative values. For example, if we have a health information system that handles all enterprise wide information processing, a business owner might say that losing the system will affect virtually all operations of the hospital. In this scenario, one might not be able to assign an accurate monetary value without going through hospital financials and working closely with the accounting department, which for all intents and purposes, though helpful, is not the primary objective of an information security risk assessment. In qualitative analysis you would typically assign a relative value. This would be a statement such as “Loss of system availability for the target system will have a HIGH impact in terms of availability of information processing across the organization and could cause significant financial losses.”

What is the formula for Aro?

How is SLE and ARO calculated?

What is the formula for annual loss expectancy?

What is ARO in risk management?