Single Loss Expectancy

aman_sharma_07
Tera Guru

Hi everyone!

 

I wanted to know the accuracy or reliability of the single loss expectancy (SLE) values, how they are found, and whether we have any set of criteria or way to verify their correctness...

 

Any related info will be appreciated!

 

Thanks in advance

5 REPLIES

Community Alums
Not applicable

Hi @aman_sharma_07 ,

If you're using classic risk, in the Default Scores section, fill in the fields.

 
| Field | Description |
| --- | --- |
| Inherent SLE | Single-loss expectancy (SLE) is the monetary value expected from the occurrence of a risk on an asset if there are no controls to check the event. |
| Residual SLE | Monetary value expected from the occurrence of a risk on an asset if there are controls to check the event. |

 

These values are filled in manually, in discussion with your organization's Compliance and Risk teams.

 

Community Alums
Not applicable


Hi @Community Alums ,

That was the correct definition of both SLEs, but I wanted to know if there exists any accuracy check on the value (especially for calculated ALE) with respect to the actual loss incurred.

Community Alums
Not applicable

Hi @aman_sharma_07 ,

Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100))

The inherent and residual scores for risk are calculated using the risk criteria, likelihood, and impact. Use the following calculations to score risks:
  • Qualitative Inherent ALE = Inherent ARO x Inherent SLE
  • Qualitative Inherent Score = Inherent Likelihood x Inherent impact
  • Quantitative Residual ALE = Residual ARO x Residual SLE
  • Qualitative Residual Score = Residual SLE

When scoring is set to qualitative, the quantitative values are updated in the background.

The Calculated Score for risk is a read-only field designed to quickly assess a risk affecting the organization, and identify threats and areas of non-compliance. 

If controls are implemented to mitigate risk, then 

  • Calculated ALE = Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100)). 
  • So: Calculated Score = Residual Score only if Compliance with the controls is 100%. 

If the Calculated Score > Residual Score, the organization is not 100% compliant with the controls used to mitigate risk. 

Meaning that the Calculated Score can never be less than the Residual Score or greater than the Inherent Score.

If controls are not implemented to mitigate risk, then Calculated Score = Residual Score

If the Residual Score is not set, then Calculated Score = Inherent Score

The calculated risk factor value is calculated as:

  • Calculated Risk Factor = (Indicator failure factor + Control failure factor) / 2 

Control failure factor -> Sum of failed controls weighting divided by total controls weighting. 

Indicator failure factor -> Uses the last result of each associated indicator. The number of last results failed divided by the total number of indicators associated.
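
The Calculated ALE formula from the reply above, worked through end to end as an added example (not part of the original thread and not ServiceNow's own code). The function names, field names and sample risk are constructed; it assumes the failure factors are percentages (0-100) to match the "/ 100" in the formula, that an empty control or indicator set counts as 0% failure, and that the fallback rules stated for the Calculated Score apply to ALE as well.

```javascript
// Added example: all names and sample data are constructed, not a ServiceNow API.
// Assumption: failure factors are percentages (0-100), matching "/ 100" in the formula.

// Sum of failed controls' weighting divided by total controls' weighting.
function controlFailureFactor(controls) {
  const total = controls.reduce((s, c) => s + c.weight, 0);
  if (total === 0) return 0; // assumption: nothing weighted means nothing failed
  const failed = controls.filter(c => !c.compliant).reduce((s, c) => s + c.weight, 0);
  return (failed * 100) / total;
}

// Number of failed last results divided by the number of associated indicators.
function indicatorFailureFactor(indicators) {
  if (indicators.length === 0) return 0; // assumption: no indicators, no failures
  const failed = indicators.filter(i => i.lastResult === 'failed').length;
  return (failed * 100) / indicators.length;
}

function calculatedAle(risk) {
  const inherentAle = risk.inherentAro * risk.inherentSle;
  // Residual not set: the calculated value equals the inherent value.
  if (risk.residualAro == null || risk.residualSle == null) {
    return { riskFactor: null, inherentAle, residualAle: null, calculatedAle: inherentAle };
  }
  const residualAle = risk.residualAro * risk.residualSle;
  // No controls implemented: the calculated value equals the residual value.
  if (risk.controls.length === 0) {
    return { riskFactor: null, inherentAle, residualAle, calculatedAle: residualAle };
  }
  const riskFactor =
    (indicatorFailureFactor(risk.indicators) + controlFailureFactor(risk.controls)) / 2;
  // Residual ALE + ((Inherent ALE - Residual ALE) * (Calculated Risk Factor / 100))
  const value = residualAle + ((inherentAle - residualAle) * riskFactor) / 100;
  return { riskFactor, inherentAle, residualAle, calculatedAle: value };
}

// Constructed sample risk: inherent ALE 200000, residual ALE 20000.
const sampleRisk = {
  inherentAro: 2, inherentSle: 100000,
  residualAro: 0.5, residualSle: 40000,
  controls: [
    { name: 'MFA', weight: 5, compliant: true },
    { name: 'Patching', weight: 3, compliant: false }, // 3 of 10 weight failed: 30%
    { name: 'Backups', weight: 2, compliant: true },
  ],
  indicators: [{ lastResult: 'passed' }, { lastResult: 'failed' }], // 1 of 2 failed: 50%
};

console.log(calculatedAle(sampleRisk)); // risk factor 40, calculated ALE 92000
```

With every control compliant and every indicator passing, the risk factor is 0 and the result collapses to the residual ALE; with everything failing it reaches the inherent ALE, which is the bound described in the reply.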