Page 87 - CISSO_Prep_ Guide
As seen earlier, the value of the asset is determined by
calculating all costs related to the loss of, or compromise of, an
asset. The exposure factor is the portion of the asset's value
lost as a result of an attack.
This calculation provides the amount of loss an organization
could and should expect from any one event. For example, if a
building was flooded or caught fire, what would the amount
of damage be? In most cases, the building would experience only
partial damage. Therefore, the exposure factor would equal only
part of the total asset value, not the full cost of the asset.
That is why the exposure factor is expressed as a percentage of
the damage suffered.
It must be remembered, however, that the cost of an incident is
much more than just the direct, initial price. The value includes
the impact on productivity, the loss in customer confidence or
reputation, and the costs of litigation or contractual violations. In
some cases, historical records, events that have happened to
other organizations, or other sources may aid in determining the
value of a single incident.
There are many different types of adverse events that could
happen. Therefore, the calculation of SLE may need to be done
many times for various activities, various departments, different
systems, and different times of the year.
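
The calculation described above, worked through for several events as an added example (not part of the guide): SLE is taken as asset value multiplied by exposure factor, with the asset value built from direct and indirect costs. The assets, threats, cost components and dollar figures are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    asset: str
    threat: str
    costs: dict        # cost components making up the asset value
    ef_percent: int    # exposure factor: % of asset value lost in one event

    def __post_init__(self):
        # An exposure factor outside 0-100% is a data-entry error, not a risk.
        if not 0 <= self.ef_percent <= 100:
            raise ValueError(f"exposure factor out of range: {self.ef_percent}%")

    @property
    def asset_value(self):
        # Direct replacement cost plus productivity, reputation and legal costs.
        return sum(self.costs.values())

    @property
    def sle(self):
        # Single loss expectancy = asset value x exposure factor.
        return self.asset_value * self.ef_percent / 100


def sle_register(scenarios):
    """Return (asset, threat, asset_value, sle) rows, largest SLE first."""
    rows = [(s.asset, s.threat, s.asset_value, s.sle) for s in scenarios]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed figures for illustration only.
BUILDING = {"replacement": 800_000, "lost_productivity": 150_000, "reputation": 50_000}
DATABASE = {"rebuild": 100_000, "litigation": 250_000, "reputation": 150_000}
SCENARIOS = [
    Scenario("HQ building", "fire", BUILDING, 25),
    Scenario("HQ building", "flood", BUILDING, 10),
    Scenario("Customer database", "data breach", DATABASE, 60),
]

if __name__ == "__main__":
    for asset, threat, value, sle in sle_register(SCENARIOS):
        print(f"{asset:18} {threat:12} AV=${value:>9,} SLE=${sle:>9,.0f}")
```

The same asset appears twice because each threat has its own exposure factor, so each pairing gets its own SLE.
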
Annualized Rate of Occurrence (ARO)
One of the most challenging calculations for a quantitative risk
assessment is the frequency or likelihood of an unwanted event