Both types -- qualitative and quantitative -- have their advantages and disadvantages. One of the most well-known of the quantitative risk metrics is that that deals with calculation of annual loss expectancy (ALE) (Bojanc & Jerman-Blazoc, 2008). ALE calculation determines the monetary loss associated form a single occurrence of the risk (popularly known as the single loss exposure (SLE)). The SLE is a monetary amount that is assigned to a single event that represents the amount that the organizations will potentiality lose when threatened. For intangible assets, this amount can be quite difficult to assess.
The SLE is calculated by multiplying the monetary value of the asset (AV) with the exposure factor (EF). The EF represents the percentage of loss that a threat can have on a particular asset. The equation, therefore, is thus: SLE=AV*EF. Applying this practically, if the AV of an e-commerce web server is $50,000 and a virus infection caused a loss of 35%, the SLE, in this case, would result in $17, 500.
Once the SLE has...
If nothing is done to mitigate it. The calculation to determine that is ALE= SLE*ARO.
According to Bojanc and Jerman-Blazoc (2008), calculating estimations for SLE or ARO is exceedingly difficult as very few companies track and report risks hence little actuarial data is available. Independent surveys, insurance claim data, or academic research provides the most reliable information.
Reference
Bojanc, R. & Jerman-Blazoc, B. (2008), An economic modelling approach to information security risk management. International Journal of Information Management 28 (2008) 413 -- 422
Chowdhary, A., & Mezzeapelle, M.A. (n.d.) Inforamtion Security metrics. Hewlett Packard.
Pedro, G.L., & Ashutosh, S. (2010). An approach to quantitatively measure Information security 3rd India Software Engineering Conference, Mysore, 25-27
