SLE & ALE calculations

dbrink

Quick question. If a question says there is a 12% chance for something to happen is that 12% calculated as the Exposure Factor (EF) or the Annualized Rate of Occurence (ARO)?

Darril

If it is "for something to happen" it is related to the "occurrence."

The exposure factor is related to the expected loss.

For example, if forest fires occur about once every five years and present a risk to a building, the ARO is .20 (1/5).
If a forest fire is expected to reduce the value of the building by 20% (say from $1,000,000 to $800,000) the exposure factor is .20 (800,000 / 1,000,000)

That said, I don't think you'll see the EF mentioned in the Security+ exam. The focus is more on single loss expectancy (SLE), annualized rate of occurrence (ARO), annualized loss expectancy (ALE).

The SLE is the cost of any single loss.
The ARO indicates how many times you can expect the loss in a year.
The ALE is calculated as SLE x ARO.

The benefit of knowing this is to calculate the value of a control.

In general, if a control is less than the ALE, it is worth the money to invest in it. If a control costs more than the ALE, it is not worth the cost. If the control is about the same as the ALE, it requires a deeper analysis.

For example, if it costs $1,000,000 to insure a shed in the middle of a forest (the insurance is the control) and the shed is worth $5,000 and expected to be totally destroyed from forest fires that hit about once every five years ($1,000 is the ALE), it doesn't make sense to implement the control. In other words, you wouldn't spend $1,000,000 to save $1,000 in losses.

On the other hand, if insurance only costs $100 in the same situation, it does make sense. You are spending $100 to save $1,000 in losses.

Hope this helps.