Computer Security Risk Assessment Computations: SLE, ALE & ARO

Instructor: Travis DeBary

Travis has over 20 years of experience in Information Technology and Security, and a Master's degree in Information Systems.

When assessing risk, it's necessary to use quantitative measures to express risk levels. These measures can be understood by an audience that may not have a background in risk assessment, especially those responsible for creating plans to address risk.

Risk is a Constant

We may not always know it, but we constantly evaluate risk in our everyday life. It could be something as simple as avoiding a pothole in the road so you don't get a flat tire or something significant that involves many risks, like buying a new house. Some risks can be evaluated by our own past experiences or opinions (known as qualitative assessment) and other risks can be measured computationally (known as quantitative assessment). In this lesson, we will dive into some of the quantitative formulas used when assessing risk.

Quantitative Risk Analysis

There are three recognized risk assessment computations: SLE, ALE, and ARO.

Single Loss Expectancy (SLE)

SLE tells us what kind of monetary loss we can expect if an asset is compromised because of a risk. Calculating SLE requires knowledge of the asset value (AV) and the range of loss that can be expected if a risk is exploited, which is known as the exposure factor (EF). EF is a percentage determined by how much of an impact we can expect based on the risk, the highest being 1 (signifying 100%).

In formulaic terms, SLE = AV ∗ EF

Let's look at an example that uses this formula. When we get into a car, we know there are specific risks that can prevent us from getting to our destination, such as driving over a pothole which can impact a tire. To determine the SLE of that risk, we use the value of the tire (around $100) and multiply it by the chances of the pothole causing a flat. A small pothole may have a low chance of causing a flat tire so we could give it an EF value of 0.1, or 10%. The SLE is $10 ($100 ∗ 0.1), which is the wear we can expect from hitting that pothole. Now, if we see a very large pothole and know that hitting it will definitely cause an irreparable flat tire, the EF is 1, or 100%, so the SLE is $100 ($100 ∗ 1). This means we lose 100% of the value of the tire (SLE) and we have to buy another one.

Annual Rate of Occurrence (ARO)

ARO is simply how likely it is that a risk will occur in a given year. In our pothole example, if we drive over the large pothole only once per year and we know we are going to hit it every time, the ARO would be 1: one hit per year. Simple. However, what happens if we know we won't hit the small pothole every time? Then we have to come up with a percentage of how likely it is we will hit it. Let's say that even though we know about the pothole, we assume we may actually hit it only once every 10 years. The ARO is calculated by dividing 1 by 10, which is 0.1, or 10%. So, every year (ARO) there is a 10% chance we hit the pothole.
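
The two pothole scenarios above, worked as a small risk register. This is an added example, not part of the original lesson; the names `Risk`, `years_per_event` and `rank_by_ale` are hypothetical, and the ALE step uses the standard definition ALE = SLE ∗ ARO, which is an assumption here because the lesson text above does not show it.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: Decimal      # AV, in dollars
    exposure_factor: Decimal  # EF, fraction of AV lost per event (0 to 1)
    years_per_event: Decimal  # one event expected every N years

    def __post_init__(self):
        # Reject inputs that would silently produce a meaningless figure.
        if self.asset_value < 0:
            raise ValueError(f"{self.name}: AV cannot be negative")
        if not Decimal(0) <= self.exposure_factor <= Decimal(1):
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.years_per_event <= 0:
            raise ValueError(f"{self.name}: interval must be positive")

    @property
    def sle(self) -> Decimal:
        """SLE = AV * EF (the lesson's formula)."""
        return self.asset_value * self.exposure_factor

    @property
    def aro(self) -> Decimal:
        """ARO = 1 / years between events (the lesson's 1/10 example)."""
        return Decimal(1) / self.years_per_event

    @property
    def ale(self) -> Decimal:
        """ALE = SLE * ARO (standard definition; assumed, see lead-in)."""
        return self.sle * self.aro


def rank_by_ale(risks):
    """Return risks ordered from highest to lowest annualized loss."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed register using the lesson's two pothole scenarios.
REGISTER = [
    Risk("small pothole", Decimal("100"), Decimal("0.1"), Decimal("10")),
    Risk("large pothole", Decimal("100"), Decimal("1"), Decimal("1")),
]

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name}: SLE=${r.sle:.2f} ARO={r.aro:.2f} ALE=${r.ale:.2f}")
```

`Decimal` is used instead of `float` so dollar amounts such as 100 ∗ 0.1 come out exactly, and the range check on EF catches a percentage entered as 10 instead of 0.1.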
