Risk is the potential for an unwanted or adverse outcome resulting from an incident, event, or occurrence, as determined by the likelihood that a particular threat will exploit a particular vulnerability, with the associated consequences.
In quantitative terms, the risk to an asset combines a threat, a vulnerability that threat can exploit, and the impact if it does. Businesses commonly quantify that risk with three figures:
- ARO – Annualized Rate of Occurrence: the expected number of times the incident occurs in a year. It is a rate, not a probability, so it can exceed 1 (an incident expected monthly has an ARO of 12) and a value of 0.5 means once every two years on average.
- SLE – Single Loss Expectancy: the dollar loss expected from one occurrence of the incident. It is usually derived as the asset's value multiplied by the exposure factor, the fraction of that value lost in a single incident.
- ALE – Annual Loss Expectancy: the expected dollar loss per year from that incident. It is the figure used to justify spending on controls: a control that costs more per year than the ALE it removes is not worth buying on financial grounds.
The Annual Loss Expectancy is calculated with the formula ARO x SLE = ALE.
- Example: a ransomware attack is expected about once every two years (ARO = 0.5) and would cost the company $1,000,000 per occurrence (SLE = $1,000,000).
- ARO x SLE = ALE -> (0.5) x (1,000,000) = $500,000 -> the Annual Loss Expectancy is $500,000.
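The following Python is an added worked example, not part of the original page. It computes SLE and ALE for the ransomware scenario above and goes one step beyond the page by deriving SLE from an assumed asset value and exposure factor and by costing a safeguard (offline backups that cut the exposure factor) against the ALE it removes. The scenario figures for the backup control and the phishing scenario are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One loss scenario expressed in the ARO / SLE / ALE model."""

    name: str
    asset_value: float      # dollar value at risk if the asset is fully lost
    exposure_factor: float  # fraction of asset_value lost in one incident (0.0 to 1.0)
    aro: float              # expected incidents per year; a rate, so it may exceed 1.0

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = asset value x exposure factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = ARO x SLE."""
        if self.aro < 0:
            raise ValueError("ARO cannot be negative")
        return self.aro * self.sle()


def safeguard_value(before: RiskScenario, after: RiskScenario,
                    annual_control_cost: float) -> float:
    """Net annual benefit of a control.

    (ALE before the control) - (ALE after the control) - (annual cost of control).
    A positive result means the control pays for itself on expected-loss grounds.
    """
    return before.ale() - after.ale() - annual_control_cost


# The page's ransomware example: full loss of a $1,000,000 asset, once every two years.
RANSOMWARE = RiskScenario("ransomware", asset_value=1_000_000, exposure_factor=1.0, aro=0.5)

# Assumed: offline backups do not stop the attack (ARO unchanged) but limit the loss
# to 20% of the asset value (recovery effort, downtime). Control cost is assumed too.
RANSOMWARE_WITH_BACKUPS = RiskScenario("ransomware + offline backups",
                                       asset_value=1_000_000, exposure_factor=0.2, aro=0.5)
BACKUP_ANNUAL_COST = 150_000

# Assumed: a frequent, low-impact scenario to show ARO above 1.
PHISHING = RiskScenario("credential phishing", asset_value=50_000, exposure_factor=0.1, aro=12)


def summarize(scenario: RiskScenario) -> dict:
    """Return the three model figures for a scenario, rounded to whole dollars."""
    return {"name": scenario.name,
            "ARO": scenario.aro,
            "SLE": round(scenario.sle()),
            "ALE": round(scenario.ale())}


if __name__ == "__main__":
    for s in (RANSOMWARE, RANSOMWARE_WITH_BACKUPS, PHISHING):
        print(summarize(s))
    net = safeguard_value(RANSOMWARE, RANSOMWARE_WITH_BACKUPS, BACKUP_ANNUAL_COST)
    print(f"Net annual value of offline backups: ${net:,.0f}")
```

With the assumed figures the backups remove $400,000 of ALE for $150,000 a year, a net benefit of $250,000, while the phishing scenario shows that a small SLE with an ARO of 12 still produces a $60,000 ALE that can outweigh rarer, larger losses.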
Source: DHS Risk Lexicon, NIPP and adapted from: CNSSI 4009, FIPS 200, NIST SP 800-53 Rev 4, SAFE-BioPharma Certificate Policy 2.5