Quantitative Risk Assessment
Quantitative assessment deals with numbers and dollar amounts. It attempts to assign a cost (monetary value) to the elements of risk assessment and to the assets and threats of a risk analysis.
To fully complete a quantitative risk assessment, all elements of the process (asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability) are quantified. Therein lies the problem with purely quantitative risk assessment: It is difficult, if not impossible, to assign dollar values to all elements; therefore, some qualitative measures must be applied to quantitative elements. A quantitative assessment requires substantial time and personnel resources. The quantitative assessment process involves the following three steps:
- Estimate potential losses (SLE)
- Conduct a threat analysis (ARO)
- Determine annual loss expectancy (ALE)