Walk me through quantitative versus qualitative risk analysis, and define ALE, SLE, and ARO.
Short answer
Quantitative analysis assigns hard monetary values so you can compute expected loss; qualitative analysis ranks risk on relative scales (high/medium/low) using expert judgment. Quantitative uses SLE = asset value x exposure factor, ARO = expected occurrences per year, and ALE = SLE x ARO to express annual expected loss in dollars.
Risk analysis exists to help leadership make defensible decisions about where to spend limited security budget. CISSP frames two complementary methods, and interviewers want to know you understand both the math and its limits.
Quantitative analysis
Quantitative analysis attaches money to risk so outcomes are comparable and budgets are justifiable. The core chain is:
- SLE (Single Loss Expectancy) = Asset Value x Exposure Factor. The exposure factor is the percentage of the asset lost in one event.
- ARO (Annualized Rate of Occurrence) = how many times per year you expect the event.
- ALE (Annualized Loss Expectancy) = SLE x ARO.
If a $500,000 datastore has a 40% exposure factor, SLE is $200,000. If you expect the event every two years, ARO is 0.5, so ALE is $100,000. A control that costs $30,000/year and halves the ARO is easy to justify.
Qualitative analysis
When reliable numbers do not exist — reputational damage, insider intent, novel threats — you rank risk on relative scales (high/medium/low, or 1-5) across likelihood and impact, usually via workshops, risk matrices, and expert judgment. It is faster and surfaces risks that resist measurement, but it is subjective and harder to defend to a CFO.
Why both matter
Mature programs are hybrid: qualitative to triage the landscape quickly, quantitative on the few risks where the spend is contested. The output feeds risk treatment, and whatever remains is residual risk that a business owner — not the security team — must formally accept.
What interviewers look for
State the ALE formula without hesitation, give a concrete worked example, and acknowledge that quantitative data is often scarce, which is why qualitative judgment and a hybrid approach remain essential.
Likely follow-ups
- How would you justify a control whose cost exceeds the ALE it reduces?
- Why are most real-world risk programs hybrid rather than purely quantitative?
- What is residual risk and who must accept it?