What Is Security Risk Analysis?

By Lawrence C. Miller, Peter H. Gregory

Risk analysis (or treatment) is a methodical examination that brings together all the elements of risk management (identification, analysis, and control) and is critical to an organization for developing an effective risk management strategy.

Risk analysis involves the following four steps:

  1. Identify the assets to be protected, including their relative value, sensitivity, or importance to the organization.
    This component of risk identification is asset valuation.
  2. Define specific threats, including threat frequency and impact data.
    This component of risk identification is threat analysis.
  3. Calculate Annualized Loss Expectancy (ALE).
    The ALE calculation is a fundamental concept in risk analysis.
  4. Select appropriate safeguards.
    This process is a component of both risk identification (vulnerability assessment) and risk control.

The Annualized Loss Expectancy (ALE) provides a standard, quantifiable measure of the impact that a realized threat has on an organization’s assets. Because it’s the estimated annual loss for a threat or event, expressed in dollars, ALE is particularly useful for determining the cost-benefit ratio of a safeguard or control. You determine ALE by using this formula:


Here’s an explanation of the elements in this formula:

  • Single Loss Expectancy (SLE): A measure of the loss incurred from a single realized threat or event, expressed in dollars. You calculate the SLE by using the formula Asset value × Exposure Factor (EF).
    Exposure Factor (EF) is a measure of the negative effect or impact that a realized threat or event would have on a specific asset, expressed as a percentage.
  • Annualized Rate of Occurrence (ARO): The estimated annual frequency of occurrence for a threat or event.
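
The calculation described above, as an added worked example that is not part of the original article: it uses the standard relationship ALE = SLE × ARO, with SLE = asset value × EF, and ranks safeguards by net annual benefit. The risk register figures are constructed, and the net-benefit calculation (ALE before the safeguard, minus ALE after it, minus the safeguard's annual cost) is a common cost-benefit convention assumed here rather than one stated in the article.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # dollars
    exposure_factor: float  # EF as a fraction (0.5 means 50% of the asset is lost)
    aro: float              # ARO: expected occurrences per year (0.25 = once in 4 years)

    def __post_init__(self):
        # Reject inputs that would silently produce a meaningless ALE.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO must be non-negative")

    @property
    def sle(self):
        return self.asset_value * self.exposure_factor  # SLE = asset value x EF

    @property
    def ale(self):
        return self.sle * self.aro                      # ALE = SLE x ARO


def safeguard_value(before, after, annual_cost):
    """Net annual benefit of a safeguard (assumed convention, see lead-in)."""
    return before.ale - after.ale - annual_cost


# Constructed sample register: (risk as-is, risk with safeguard, safeguard cost/year)
REGISTER = [
    (Risk("Ransomware on file server", 400_000, 0.50, 0.25),
     Risk("with offline backups", 400_000, 0.10, 0.25), 15_000),
    (Risk("Laptop theft", 3_000, 1.00, 6),
     Risk("with cable locks", 3_000, 1.00, 2), 1_000),
    (Risk("Data-center flood", 2_000_000, 0.50, 0.01),
     Risk("with raised flooring", 2_000_000, 0.25, 0.01), 20_000),
]


def rank_safeguards(register):
    """Return (risk, ALE before, ALE after, net value), best safeguard first."""
    rows = [(b.name, b.ale, a.ale, safeguard_value(b, a, c)) for b, a, c in register]
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for name, before, after, value in rank_safeguards(REGISTER):
        verdict = "justified" if value > 0 else "costs more than it saves"
        print(f"{name:28} ALE ${before:>9,.0f} -> ${after:>9,.0f}  net ${value:>10,.0f}  {verdict}")
```

A safeguard with a negative net value, such as the flood control in this constructed register, costs more per year than the loss it is expected to prevent.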

The two major types of risk analysis are qualitative and quantitative.

Qualitative risk analysis

Qualitative risk analysis is more subjective than a quantitative risk analysis; unlike quantitative risk analysis, this approach to analyzing risk can be purely qualitative and avoid specific numbers altogether. The challenge of such an approach is developing real scenarios that describe actual threats and potential losses to organizational assets.

Qualitative risk analysis has some advantages when compared with quantitative risk analysis; these include

  • No complex calculations are required.
  • Time and work effort involved is relatively low.
  • Volume of input data required is relatively low.

Disadvantages of qualitative risk analysis, compared with quantitative risk analysis, include

  • No financial costs are defined; therefore cost-benefit analysis isn’t possible.
  • The qualitative approach relies more on assumptions and guesswork.
  • Generally, qualitative risk analysis can’t be automated.
  • Qualitative analysis is less easily communicated. (Executives seem to understand “This will cost us $3 million over 12 months” better than “This will cause an unspecified loss at an undetermined future date.”)

A qualitative risk analysis doesn’t attempt to assign numeric values to the components (the assets and threats) of the risk analysis.

Quantitative risk analysis

A fully quantitative risk analysis requires all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability, to be measured and assigned numeric values.

A quantitative risk analysis attempts to assign more objective numeric values (costs) to the components (assets and threats) of the risk analysis.

Advantages of a quantitative risk analysis, compared with qualitative risk analysis, include the following:

  • Financial costs are defined; therefore, cost-benefit analysis can be determined.
  • More concise, specific data supports analysis; thus fewer assumptions and less guesswork are required.
  • Analysis and calculations can often be automated.
  • Specific quantifiable results are easier to communicate to executives and senior-level management.

Disadvantages of a quantitative risk analysis, compared with qualitative risk analysis, include the following:

  • Human biases will skew results.
  • Many complex calculations are usually required.
  • Time and work effort involved is relatively high.
  • Volume of input data required is relatively high.
  • Some assumptions are required.

Purely quantitative risk analysis is generally not possible or practical. Primarily, this is because it is difficult to determine a precise probability of occurrence for any given threat scenario. For this reason, many risk analyses are a blend of qualitative and quantitative risk analysis, known as a hybrid risk analysis.

Hybrid risk analysis

A hybrid risk analysis combines elements of both a quantitative and qualitative risk analysis. The challenges of determining accurate probabilities of occurrence, as well as the true impact of an event, compel many risk managers to take a middle ground. In such cases, easily determined quantitative values (such as asset value) are used in conjunction with qualitative measures for probability of occurrence and risk level. Indeed, many so-called quantitative risk analyses are more accurately described as hybrid.