Page 86 - CISSO_Prep_ Guide
The level of impact may also depend on the extent and
effectiveness of controls in place to prevent or contain an
incident.
Risk Level
The risk level is a combination of all the above factors - asset
value, threat, vulnerability, likelihood, and impact. The risk may
be measured either quantitatively or qualitatively - or as a hybrid
of both. The critical factor in risk assessment is therefore the
ability to assess the threat and vulnerability environment
accurately. We use professional judgment to evaluate the
capabilities and motivation of the adversary, the strength of the
controls, and the effectiveness of the security program.
Quantitative Risk Assessment
Quantitative risk assessment starts with the calculation of the
impact of a single adverse event and then calculates the annual
cost of risk based on the number of times that event may happen
per year. Using a yearly basis provides a common denominator for
comparing different types of risk with each other, primarily
because most budgets and risk management efforts are planned on
an annual basis.
Single Loss Expectancy (SLE)
The calculation of Single Loss Expectancy (SLE) is a part of a
quantitative risk assessment. SLE is simply calculated as the
Asset Value (AV) multiplied by the Exposure Factor (EF).
SLE = AV * EF
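The following worked example is added here and is not part of the guide. It carries the two-step quantitative procedure above (single-event impact, then annual cost from the expected event frequency) through a small, constructed risk register, validates the inputs a practitioner is most likely to get wrong (an Exposure Factor outside 0.0 to 1.0), and shows how a control that reduces EF lowers the annual figure. The names `Risk`, `rank_risks` and `residual_annual_loss`, the sample assets and the monetary figures are all assumptions for illustration; the terms ARO and ALE used in the comments are the standard names for the "events per year" and "annual cost" the guide describes but does not name on this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of a risk register (constructed example structure)."""
    asset: str
    asset_value: float      # AV: replacement/business value in currency units
    exposure_factor: float  # EF: fraction of AV lost in one event, 0.0 to 1.0
    events_per_year: float  # expected event frequency per year (commonly called ARO)

    def __post_init__(self) -> None:
        # Reject inputs that would silently produce nonsense figures.
        if self.asset_value < 0:
            raise ValueError(f"{self.asset}: asset value must be >= 0")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.asset}: exposure factor must be in [0.0, 1.0]")
        if self.events_per_year < 0:
            raise ValueError(f"{self.asset}: events per year must be >= 0")


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF, rounded to currency precision."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be in [0.0, 1.0]")
    return round(asset_value * exposure_factor, 2)


def annual_loss_expectancy(sle: float, events_per_year: float) -> float:
    """Annual cost of the risk (commonly called ALE) = SLE * events per year."""
    return round(sle * events_per_year, 2)


def rank_risks(risks: list[Risk]) -> list[tuple[str, float, float]]:
    """Return (asset, SLE, annual loss) tuples, highest annual loss first.

    Putting every risk on a yearly basis is what makes unlike risks comparable.
    """
    rows = []
    for r in risks:
        sle = single_loss_expectancy(r.asset_value, r.exposure_factor)
        rows.append((r.asset, sle, annual_loss_expectancy(sle, r.events_per_year)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def residual_annual_loss(risk: Risk, exposure_factor_after_control: float) -> float:
    """Annual loss if a control reduces how much of the asset one event can destroy.

    The control changes EF only; the event frequency is assumed unchanged.
    """
    sle_after = single_loss_expectancy(risk.asset_value, exposure_factor_after_control)
    return annual_loss_expectancy(sle_after, risk.events_per_year)


# Constructed sample register; figures are illustrative, not from the guide.
SAMPLE_REGISTER = [
    Risk("customer database", asset_value=500_000, exposure_factor=0.4, events_per_year=0.5),
    Risk("public web server", asset_value=50_000, exposure_factor=1.0, events_per_year=1.5),
    Risk("laptop fleet", asset_value=120_000, exposure_factor=0.25, events_per_year=1.5),
]


if __name__ == "__main__":
    for asset, sle, annual in rank_risks(SAMPLE_REGISTER):
        print(f"{asset:20s} SLE={sle:>12,.2f} annual={annual:>12,.2f}")
    # Effect of a control (e.g. encrypted backups) that cuts the database EF to 0.1.
    print("database annual loss with control:",
          residual_annual_loss(SAMPLE_REGISTER[0], 0.1))
```

Note that the customer database and the web server have very different single-event impacts (200,000 versus 50,000) but rank close together once frequency is applied; that is exactly the comparison the yearly basis is meant to enable.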