When conducting a risk assessment, how is the annualized rate of occurrence (aro) calculated?
In this first post, we will talk about how to compute Risk Assessment, one of the most important stages when you are conducting a (naturally)Risk Assessment. Show
But first what is Risk Assessment?What is Risk Assessment? Well, Risk Assessment is the method used to deal with threats, vulnerabilities and impacts of loss information. Most of organizations in the whole world have vulnerabilities which can impact directly on business process. To take care of this, we use the Risk Assessment to measure how much the organization can lost if this threat turns real and if this vulnerability was exploited. From the beginning you need to learn this formula: SLE X ARO = ALE Which means: SLE = Single Loss Expectancy ARO = Annualized Rate of Occurrence ALE = Annual Loss Expectancy What you need to understand is. Single Loss Expectancy is money. The value you expect to lose at any time when the risk turns real. Annualized Rate of Occurrence is the chance of this risk turns real expressed in percentage. Annual Loss Expectancy is the value which you will measure if the risk turns real in one year. The Single Loss Expectancy is calculated by using two others variables which is: AV X EF Which means: AV=Asset Value EF=Exposure Factor The Asset Value is how much this asset cost to the organization, how much money the organization will lost if this asset fail or to repair. Exposure Factor is how long this asset stay in failure or how much time we must to spend to repair the situation. Keeping this variables in mind we transform the original formula in something like (AV X EF) X ARO = ALE. In example, if one service generates $10.000 per hour in revenue, the probability of this service failing during this year is esimated to be 10% and the failure would lead to 3 hours to downtime. What is the ALE? Simple. The revenue which the service generates is the Asset Value (or $10.000 per hour) the Exposure Factor is 3 hours to downtime. This time, we just find the Single Loose Expectancy which is Asset Value times Exposure Factor or $10.000 X 3h which is $30.000 (this is ever about money, remember, the risk for organizations is about loose or don't make money). The last number or the percentage number is the Annualized Rate of Occurence or 10%. So all we just to do is to calculate the Single Loose Expectancy times Annualized Rate of Occurence which is $3.000. The Annual Loose Expectancy is $3.000. Summarizing: AV = $10.000 EF = 3 hours SLE = AV X EF = $10.000 X 3 hours = $30.000 ARO = 10% or 0.10 ALE = SLE X ARO = $30.000 X 10 = $30.000 X 0.10 = $3.000 Then you just calculate Risk Assessment. Hope it will be useful. See you next post. This chapter is from the book Risk Identification and ManagementThe first step in the risk-management process is to identify and classify the organization's assets. Information and systems must be assessed to determine their worth. When asset identification and valuation is completed, the organization can start the risk-identification process. Risk identification involves identifying potential risks and threats to the organization's assets. A risk-management team is tasked with identifying these threats. The team then can examine the impact of the identified threats. This process can be based on real dollar amounts or on gut feeling and intuition. When the impact is analyzed, the team can look at alternatives for handling the potential risks. Risks can be:
The following sections look more closely at each step of the process. The Risk-Management TeamThe risk-management team is tasked with identifying and analyzing risks. Its members should be assembled from across the company and most likely will include managers, IT employees, auditors, programmers, and security professionals. Having a cross-section of employees from the company ensures that the team can address the many threats it must examine. This team is not created in a void; it requires developing a risk-management program with a purpose. As an example, the program might be developed to look at ways to decrease insurance costs, reduce attacks against the company's website, or even verify compliance with privacy laws. After establishing the purpose of the team, the team can be assigned responsibility for developing and implementing a risk-management program. This is a huge responsibility because it requires not only identifying risks, but also implementing the team's recommendations. Asset IdentificationAsset identification is the task of identifying all the organization's assets. These can be both tangible and intangible. The assets commonly examined include:
When looking at an asset, the team must first think about the replacement cost of the item before assigning its value. Actually, the value should be considered more than just the cost to create or purchase. These considerations are key:
Threat IdentificationThe risk-management team can gather input from a range of sources to help identify threats. These individuals or sources should be consulted or considered to help identify current and emerging threats:
A threat is any circumstance or event that has the potential to negatively impact an asset by means of unauthorized access, destruction, disclosure, or modification. Identifying all potential threats is a huge responsibility. A somewhat easier approach is to categorize the common types of threats:
A threat coupled with a vulnerability can lead to a loss. Vulnerabilities are flaws or weaknesses in security systems, software, or procedures. An example of a vulnerability is human error. This vulnerability might lead an improperly trained help-desk employee to unknowingly give a password to a potential hacker, resulting in a loss. Examples of losses or impacts include the following:
Losses can be immediate or delayed. A delayed loss is not immediate; it has a negative effect on the organization after some period of time—in a few days, months, or years. As an example, an organization could have its website hacked and thus suffer an immediate loss. No e-commerce transactions would occur, technical support would have to be brought in to rebuild the web server, and normal processing would halt. All these are immediate losses. Later, when the local news channel reports that the company was hacked and that personal information was lost, the company would lose the goodwill of its customers. Some might remember this event for years to come and choose to use a competitor. This is a delayed loss. Thus far, we have discussed building a risk-management team that has the support of senior management, identifying tangible and nontangible assets, and performing threat identification. Next, we analyze the potential risks that these threats pose. Risk-Analysis MethodsAfter identifying the threats, the team can start to focus on the risk-analysis process. Risk analysis can be performed in one of two basic methods:
Quantitative Risk AssessmentPerforming a quantitative risk assessment involves quantifying all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability. This involves six basic steps, illustrated in Figure 2.5:
The advantage of a quantitative risk assessment is that it assigns dollar values, which is easy for management to work with and understand. However, a disadvantage of a quantitative risk assessment is that it is also based on dollar amounts. Consider that it's difficult, if not impossible, to assign dollar values to all elements. Therefore, some qualitative measures must be applied to quantitative elements. Even then, this is a huge responsibility; therefore, a quantitative assessment is usually performed with the help of automated software tools. Assuming that asset values have been determined as previously discussed and threats have been identified, the next steps in the process are as follows: Much of the process of quantitative risk assessment is built upon determining the exposure factor and the annualized loss expectancy. These rely heavily on probability and expectancy. When looking at events, such as storms or other natural phenomena, it can be difficult to predict their actual behavior. Yet over time, a trend can be established. These events can be considered stochastic. A stochastic event is based on random behavior because the occurrence of individual events cannot be predicted, yet measuring the distribution of all observations usually follows a predictable pattern. In the end, however, quantitative risk management faces challenges when estimating risk, and as such must rely on some elements of the qualitative approach. Another item that is sometimes overlooked in quantitative risk assessment is the total cost of a loss. The team should review these items for such costs:
When these costs are accumulated and specific threats are determined, the true picture of annualized loss expectancy can be assessed. Now the team can build a complete picture of the organization's risks. Table 2.2 shows sample results. Table 2.2. Sample Assessment Results
Although automated tools are available to minimize the effort of the manual process, these programs should not become a crutch to prevent businesses from using common sense or practicing due diligence. Care should also be taken when examining high-impact events, even for the probability. Many of us witnessed the 100-year storm that would supposedly never occur in our lifetime and that hit the Gulf Coast and severely damaged the city of New Orleans. Organizations must be realistic when examining such potential events and must openly discuss how the situation should be dealt with. Just because an event is rated as a one-in-a-hundred-year probability does not mean that it can't happen again next year. Qualitative Risk AssessmentMaybe you're thinking that there has to be another way to perform the assessment. If so, you're right. Qualitative assessment is scenario driven and does not attempt to assign dollar values to components of the risk analysis. A qualitative assessment ranks the seriousness of threats and sensitivity of assets by grade or class, such as low, medium, or high. You can see an example of this in NIST 800-26, a document that uses confidentiality, integrity, and availability as categories for a loss. It then rates each loss according to a scale of low, medium, or high. Table 2.3 displays an example of how this process is performed. A rating of low, medium, or high is subjective. In this example, the following categories are defined:
Table 2.3. Performing a Qualitative Assessment
The downside of performing a qualitative assessment is that you are not working with dollar values; therefore, this lacks the rigor that accounting teams and management typically prefer. Other types of qualitative assessment techniques include these:
How is the annualized rate of occurrence ARO calculated?Annualized rate of occurrence (ARO) is described as an estimated frequency of the threat occurring in one year. ARO is used to calculate ALE (annualized loss expectancy). ALE is calculated as follows: ALE = SLE x ARO. ALE is $15,000 ($30,000 x 0.5), when ARO is estimated to be 0.5 (once in two years).
What is meant by annual rate of occurrence Aro?Annual rate of occurrence (ARO) – expected number of an incident's occurrences during a calendar year. For rare incidents, it is equivalent to a probability of one or more incidents during a year; for frequent incidents, it is equivalent to the expected number of incidents per year.
What is Aro in risk assessment?The threat frequency (or likelihood) for natural disasters can be calculated by using an Annualized Rate of Occurrence (ARO). An ARO is a constant number that tells you how often a threat might occur each year.
How do you calculate annualized loss rate?It is mathematically expressed as: Suppose that an asset is valued at $100,000, and the Exposure Factor (EF) for this asset is 25%. The single loss expectancy (SLE) then, is 25% * $100,000, or $25,000. For an annual rate of occurrence of 1, the annualized loss expectancy is 1 * $25,000, or $25,000.
|