🧠 Domain 1 – Security and Risk Management
⚖️ D1.8 – Risk Assessment Types & ALE (🇬🇧 / 🇫🇷)
This memo explains the types of risk assessments used in CISSP, and how to apply the ALE formula to quantify risk.
📊 Risk Assessment Methods
🔹 Qualitative Risk Assessment
- Uses subjective judgment (High / Medium / Low)
- Based on impact, likelihood, threat ranking
- Quick, requires less data
- Often displayed using risk matrices
🧠 FR : Utilise des échelles d’impact et de probabilité (élevé, moyen, faible).
🔹 Quantitative Risk Assessment
- Uses numerical data and $$$
- Calculates actual financial risk and potential loss
- Based on 3 key metrics: SLE, ARO, ALE
🧠 FR : Évaluation chiffrée, utilisée pour budgétiser la gestion du risque.
💡 Use Cases
| Method | When to use |
|---|---|
| Quantitative | For tangible assets (servers, buildings, equipment) |
| Qualitative | For intangible assets (brand, reputation, goodwill) |
| Hybrid (both) | ✅ Recommended in real-life scenarios and CISSP |
🔢 ALE Formula (Annualized Loss Expectancy)
To calculate the expected annual cost of a risk:
ALE = SLE × ARO
Where:
SLE = Single Loss Expectancy
→ Cost of one occurrence of the incident
ARO = Annual Rate of Occurrence
→ How often the incident is expected per year
🧾 Example (Tangible Asset)
A ransomware attack on a file server causes €25,000 in damage.
It is expected to occur once every 4 years.
🎯 Step-by-step:
SLE = €25,000
ARO = 0.25 (because once every 4 years)
📘 ALE = €25,000 × 0.25 = €6,250/year
🧠 FR : Cela permet de comparer le coût annuel d’un risque avec le coût d’un contrôle.
🧾 Extended Example (Warehouse + Fire)
A company has a data warehouse valued at $150,000.
If a fire occurs, it is expected to damage 25% of the warehouse.
The frequency of such an event is once every 10 years.
Step 1 – Calculate SLE:
SLE = Asset Value × Exposure Factor SLE = 150,000 × 0.25 = $37,500 🧠 This means one fire would cause a $37,500 loss.
Step 2 – Calculate ALE: ARO = 1 / 10 = 0.1 ALE = SLE × ARO = $37,500 × 0.1 = $3,750/year
✅ This means the company expects to lose $3,750 per year due to fire.
📌 Interpretation: The company should not spend more than $3,750 annually on countermeasures (like sprinklers, fireproofing, etc.), otherwise it would cost more to prevent the risk than to accept it.
🧠 FR : L’ALE représente la perte annuelle estimée. L’entreprise ne devrait pas dépenser plus de 3 750 $ par an pour se protéger contre cette menace.
❗ When ARO = 1
If the incident is expected to occur once per year, then: ALE = SLE × 1 = SLE
📘 Quick Comparison Table Metric Description Example SLE Loss per event €10,000 ARO Frequency per year 0.5 (every 2 years) ALE Expected loss/year €5,000 💡 CISSP Tip
If the question uses monetary values, it’s quantitative
If the question uses High/Medium/Low, it’s qualitative
If the scenario mixes tangible/intangible → ✅ use both