Quantitative Risk Decisions

We previously talked about how Han Solo makes risks decisions. Han considers the risks he faces and decides if they are high-risk, moderate-risk, or low-risk. This is a qualitative way of thinking about risk. His partner, Chewbacca, looks at risk a little differently. A Mathlete in high school, Chewie likes to see the numbers. He adopts a quantitative view of risk.


Chewie is trying to decide if he should purchase a deflector shield from a vendor for $80,000. This deflector shield is industry approved and is proven to block 100% of all lasers fired at the ships it is installed on. Chewie is wondering if it is a worthwhile investment to install one of these shields on his ship.

Chewie and Han get into a lot of close calls that usually result in an exchanging of lasers. They predict, based on their previous trends, that they get shot by lasers 42 times a month. This means that per year, they estimate that they will be shot 504 times (42 times a month multiplied by 12 months). This is the annualized rate of occurrence (ARO), or the estimated amount of times Chewie’s ship will get shot each year. They also know that they have to repair the ship after being hit by a laser. The repair bill usually runs about $30 per laser shot. This is the single loss expectancy (SLE), or the cost of a laser shot occurring one time.

They can now establish an annualized loss expectancy (ALE) to discover how much they will have to spend on repairs per year for laser shots. To do this, they multiply the ARO by the SLE.

annualized rate of occurrence x single loss expectancy = annualized loss expectancy

504 x 30 = $15,120.

Chewie risks $15,120 a year by not protecting against lasers and the vendor wants $80,000 to protect him against lasers. This isn’t to say that Chewie should or shouldn’t buy the shield, this just allows him to make an educated risk decision based on potential loss.

But this isn’t the only factor to consider when making quantitative risk decisions. Chewie has to spend the time repairing his ship after each shot. How valuable is Chewie’s time? The ship can’t be flown on jobs while being repaired. How much is he losing when he has to disable the ship for maintenance? How comfortable is Chewie with the idea of getting shot by lasers…is he able to accept that risk?

How does this apply to protecting business assets? Think of Chewie’s ship as a business asset, the vendor’s shield as a security control, and the lasers as threats trying to exploit vulnerabilities in the business asset. By looking at the cost of a vulnerability being realized and the frequency of that vulnerability being realized each year, a security professional can decide how serious the vulnerability is and can establish cost-effective controls to keep risk within the organization’s accepted level.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s