topic Re: HELP with Risk ALE calculation question in Training in CISSP Study Group

HELP with Risk ALE calculation question in Training

Fishbone — Fri, 01 Aug 2025 02:34:57 GMT

Hi, I dont understand the calculations in the solution of this question.

If the CPU burns every 9 months, shouldn't ARO be 1.33 as it is expected to happen more than once a year, instead of 0.75 as the solution states??

You have been tasked with performing a risk assessment using the "loss expectancy" model on the organization's laptop computers as there seems to be a high failure rate.

You use the formula ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence), with the SLE being calculated by multiplying the AV (Asset Value) by the EF (exposure factor).

After consultation with the various stakeholders, it seems that besides a problem with the central processing unit (CPU), the laptops are reliable and robust.

Working with the following figures, what is the SLE for each laptop?

AV - $1250.00
EF – 33% (the cost to replace the CPU)
ARO - CPU burnout every 9 months

Your laptop supplier is offering a support and maintenance contract for $600 per annum, per laptop, which includes parts and labor.

Calculate the ALE. Is the support contract cost-effective?

A - Given the ALE and assuming a single failure: no, it is not

B - Given the ALE and assuming a single failure: yes, it is

C - Given the ALE and assuming multiple failures: no, it is not

D - Given the ALE and assuming multiple failures: yes, it is

Explanation

To calculate the ALE, we would need to take the SLE $412.50 and multiply it by the projected failure rate of once every nine months or 0.75 (the ARO). This gives us an ALE of $309.38, as the support contract will cost the organization $600. Given the information that a single yearly failure costs $309.38 compared to the support contract's cost of $600 annually, then we can say the support contract is not cost effective.

Re: HELP with Risk ALE calculation question in Training

George_G — Fri, 01 Aug 2025 13:01:40 GMT

It looks like you miscalculated. Assuming you calculated 12(mo) / 9(mo) = 1.33, that is not correct. Nine months is 3/4 of one year(12 mo.), so .75. 1.33 would assume that 9 months occur more than once in a 12-month period, which, of course, it does not.

If you came up with 1.33 by another means, please let me know, and I'll try to help break it down.

Re: HELP with Risk ALE calculation question in Training

Fishbone — Mon, 04 Aug 2025 17:14:56 GMT

Hi, thanks for tour reply.

Since the failure occurs every 9 months, my understanding is that the annualized occurrence must be greater than 1, not less, because it happens at least once a year. If it occurs once every 9 months, over a 12-month period, it would occur 12/9 times, which equals 1.33.

Another way to look at it is that if it occurs every 9 months, in a 3-year period (36 months), it would occur 4 times. Therefore, the annual rate would be 4/3, which is also 1.33.

Re: HELP with Risk ALE calculation question in Training

George_G — Tue, 05 Aug 2025 00:28:50 GMT

hmm, interesting. I kind of see why you'd think this way and I even ran the question through AI and the output also explained it this way, although it chose C as the answer. However, my brain still wants to think that it can only happen once per year. My next question would be the source of the question and the quality of it. Maybe others will chime in because now I'm invested and would really like clarification.

***edit***

so after a little more reading and clarification for myself, the ARO is the number of event per year, not percentage of a year. So you would be correct, that it would be 1.33.

Re: HELP with Risk ALE calculation question in Training

Fishbone — Tue, 05 Aug 2025 02:09:21 GMT

You can find this question in the official self paced ISC2 training.

Re: HELP with Risk ALE calculation question in Training

George_G — Tue, 05 Aug 2025 18:36:22 GMT

Hopefully, we'll get some other perspectives on this. Another point to consider that validates what you're saying is if the event happens once per year, the ARO = 1. If it happens every 6 months, then the ARO = 2. So every 9 months is somewhere in between that (1.33). I'm stumped on the explanation for this one.

Re: HELP with Risk ALE calculation question in Training

JoePete — Tue, 05 Aug 2025 19:25:46 GMT

@Fishbone wrote:
Hi, I dont understand the calculations in the solution of this question.
If the CPU burns every 9 months, shouldn't ARO be 1.33 as it is expected to happen more than once a year, instead of 0.75 as the solution states??

Given the scenario described, you are correct. If something occurs more frequently than once per year (i.e., once every nine months), then the ARO is greater than 1 (1.33 if it is once every nine months). In the abstract, the math should be:

$1,250 (value) X .33 (exposure factor) = $412.50

Annualized Rate of Occurrence = 1.33

Annual Loss Expectancy = $536.25

The question seems flawed. The number of laptops is irrelevant (they even state the contract is per laptop per annum). Therefore, none of the answers (since they reference single vs. multiple failures) is correct. The very reason we do things like ARO, exposure factor, etc. is to normalize across an inventory. In other words exposure factor could/should already account for what percentage of the inventory is subject to the failure (e.g., one-third).

Further aside, "asset value" is not a constant. It depreciates. For example, if you have two-year old laptop and its CPU fails, no one in their right mind would pay (whether out of pocket or with a service agreement) to replace the CPU. Instead, you buy a new laptop, get twice the capability for roughly the same price you paid two years ago (according to Moore's Law).

Re: HELP with Risk ALE calculation question in Training

Guitarpy — Fri, 24 Apr 2026 03:53:54 GMT

I have to say that I'm disappointed here. This thread is over 6 months old and the "guide" still has a deeply flawed calculation as is example of how to do it... The really scary part is that I only see 6 people talking about it here, and even they are questioning themselves...you're not wrong. 0.75 in that calculation is for an event every 18 months. 9 months is 1 & 1/3 ARO...Which in the phone example in the training is an $80 ALE...so...buy the insurance... It makes sense.

That said, when you get to the questions...the CPUs... If they are dying every 9 months, someone really messed up. That said, even calculating at 1&1/3 ARO you're still coming in under 600 (550) so insurance/ transference doesn't make sense

Considering what I'm paying for this, and the code of ethics this organization purports to hold so highly, I would hope that when they discovered that their training materials were misleading people something would be done immediately. I've sent an email... Hopefully they will fix this and help restore my faith in the training i paid for. I know a lot of this information coming in... I'm taking the training for the stuff I don't know. When I see something i know misrepresented for months...well...i don't want to be "that guy"...but... I'm going to start asking questions