CompTIA CASP+ Exam: ARO Calculation for Successful Breaches

Question

A security engineer estimates the company's popular web application experiences 100 attempted breaches per day.

In the past four years, the company's data has been breached two times.

Which of the following should the engineer report as the ARO for successful breaches?

Answers

Explanations

A. B. C. D.

A.

https://blog.netwrix.com/2020/07/24/annual-loss-expectancy-and-quantitative-risk-analysis/
There are two types of risk analysis — quantitative and qualitative:

* Quantitative risk analysis is an objective approach that uses hard numbers to assess the
likelihood and impact of risks. The process involves calculating metrics, such as annual loss
expectancy, to help you determine whether a given risk mitigation effort is worth the
investment. The assessment requires well-developed project models and high-quality data.
* Qualitative risk analysis is a quicker way to gauge the likelihood of potential risks and their
impact so you can prioritize them for further assessment. While quantitative risk analysis is
objective, qualitative risk analysis is a subjective approach that ranks risks in broader terms,
such as a scale of 1-5 or simply low, medium and

Both forms of risk analysis are valuable tools in risk management. In this article, we will focus on
quantitative risk analysis and explain how to calculate annual loss expectancy (ALE).

ARO stands for Annualized Rate of Occurrence, which is the estimated frequency at which a threat event will occur within a year. In this case, the question is asking for the ARO for successful breaches.

The security engineer estimates that the web application experiences 100 attempted breaches per day, which translates to 36,500 attempted breaches per year (100 x 365). However, the question is not asking for the ARO of attempted breaches, but for successful breaches.

The question states that the company's data has been breached two times in the past four years. Therefore, the ARO for successful breaches can be calculated as follows:

ARO = number of successful breaches / number of years

ARO = 2 / 4

ARO = 0.5

Therefore, the correct answer is A. 0.5.