Fishbone
Newcomer I

HELP with Risk ALE calculation question in Training

Hi, I don't understand the calculations in the solution of this question.

If the CPU burns every 9 months, shouldn't ARO be 1.33 as it is expected to happen more than once a year, instead of 0.75 as the solution states??

You have been tasked with performing a risk assessment using the "loss expectancy" model on the organization's laptop computers as there seems to be a high failure rate.

You use the formula ALE (Annual Loss Expectancy) = SLE (Single Loss Expectancy) x ARO (Annual Rate of Occurrence), with the SLE being calculated by multiplying the AV (Asset Value) by the EF (exposure factor).

After consultation with the various stakeholders, it seems that besides a problem with the central processing unit (CPU), the laptops are reliable and robust. 

Working with the following figures, what is the SLE for each laptop?

AV - $1250.00 
EF – 33% (the cost to replace the CPU) 
ARO - CPU burnout every 9 months 

Your laptop supplier is offering a support and maintenance contract for $600 per annum, per laptop, which includes parts and labor.

Calculate the ALE. Is the support contract cost-effective?

 

A - Given the ALE and assuming a single failure: no, it is not

B - Given the ALE and assuming a single failure: yes, it is

C - Given the ALE and assuming multiple failures: no, it is not

D - Given the ALE and assuming multiple failures: yes, it is

 
Explanation

To calculate the ALE, we would need to take the SLE $412.50 and multiply it by the projected failure rate of once every nine months or 0.75 (the ARO). This gives us an ALE of $309.38, as the support contract will cost the organization $600. Given the information that a single yearly failure costs $309.38 compared to the support contract's cost of $600 annually, then we can say the support contract is not cost effective.

6 Replies
George_G
Newcomer II

It looks like you miscalculated. Assuming you calculated 12(mo) / 9(mo) = 1.33, that is not correct. Nine months is 3/4 of one year(12 mo.), so .75. 1.33 would assume that 9 months occur more than once in a 12-month period, which, of course, it does not.

 

If you came up with 1.33 by another means, please let me know, and I'll try to help break it down.

Fishbone
Newcomer I

Hi, thanks for your reply.

Since the failure occurs every 9 months, my understanding is that the annualized occurrence must be greater than 1, not less, because it happens at least once a year. If it occurs once every 9 months, over a 12-month period, it would occur 12/9 times, which equals 1.33.

 

Another way to look at it is that if it occurs every 9 months, in a 3-year period (36 months), it would occur 4 times. Therefore, the annual rate would be 4/3, which is also 1.33.

George_G
Newcomer II

Hmm, interesting. I kind of see why you'd think this way and I even ran the question through AI and the output also explained it this way, although it chose C as the answer. However, my brain still wants to think that it can only happen once per year. My next question would be the source of the question and the quality of it. Maybe others will chime in because now I'm invested and would really like clarification.

 

***edit***

So after a little more reading and clarification for myself, the ARO is the number of events per year, not a percentage of a year. So you would be correct, that it would be 1.33.

Fishbone
Newcomer I


You can find this question in the official self paced ISC2 training.

 

George_G
Newcomer II

Hopefully, we'll get some other perspectives on this. Another point to consider that validates what you're saying is if the event happens once per year, the ARO = 1. If it happens every 6 months, then the ARO = 2. So every 9 months is somewhere in between that (1.33). I'm stumped on the explanation for this one.

JoePete
Advocate I


@Fishbone wrote:

Hi, I don't understand the calculations in the solution of this question.

If the CPU burns every 9 months, shouldn't ARO be 1.33 as it is expected to happen more than once a year, instead of 0.75 as the solution states??


Given the scenario described, you are correct. If something occurs more frequently than once per year (i.e., once every nine months), then the ARO is greater than 1 (1.33 if it is once every nine months). In the abstract, the math should be:

$1,250 (value) X .33 (exposure factor) = $412.50

Annualized Rate of Occurrence           = 1.33

Annual Loss Expectancy                      = $536.25

 

The question seems flawed. The number of laptops is irrelevant (they even state the contract is per laptop per annum). Therefore, none of the answers (since they reference single vs. multiple failures) is correct. The very reason we do things like ARO, exposure factor, etc. is to normalize across an inventory. In other words exposure factor could/should already account for what percentage of the inventory is subject to the failure (e.g., one-third). 

 

Further aside, "asset value" is not a constant. It depreciates. For example, if you have a two-year-old laptop and its CPU fails, no one in their right mind would pay (whether out of pocket or with a service agreement) to replace the CPU. Instead, you buy a new laptop, get twice the capability for roughly the same price you paid two years ago (according to Moore's Law).
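The two ARO readings debated in this thread, worked through with the question's figures, as an added example that is not part of any post or of the training material. It uses the exact ratio 12/9 rather than a rounded ARO, and it goes one step beyond the thread by solving for the failure interval at which the $600 contract breaks even; the function names are this example's own.

```python
from fractions import Fraction

def aro_from_interval(months_between_events):
    """Events per year for something that recurs every N months."""
    if months_between_events <= 0:
        raise ValueError("interval must be positive")
    return Fraction(12) / Fraction(months_between_events)

def sle(asset_value, exposure_factor):
    """Single Loss Expectancy = AV x EF."""
    return Fraction(asset_value) * Fraction(exposure_factor)

def ale(asset_value, exposure_factor, aro):
    """Annual Loss Expectancy = SLE x ARO."""
    return sle(asset_value, exposure_factor) * Fraction(aro)

def break_even_interval(asset_value, exposure_factor, annual_control_cost):
    """Failure interval in months at which ALE equals the control's yearly cost.

    Solves SLE * (12 / months) = cost for months.
    """
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return 12 * sle(asset_value, exposure_factor) / Fraction(annual_control_cost)

def dollars(amount):
    return f"${float(amount):,.2f}"

# Figures from the training question quoted in the thread.
AV, EF, CONTRACT = 1250, Fraction(33, 100), 600

if __name__ == "__main__":
    readings = {
        "events per year (12/9)": aro_from_interval(9),
        "fraction of a year (9/12)": Fraction(9, 12),
    }
    print("SLE:", dollars(sle(AV, EF)))
    for label, aro in readings.items():
        loss = ale(AV, EF, aro)
        verdict = "cheaper" if CONTRACT < loss else "more expensive"
        print(f"ARO as {label} = {float(aro):.2f}: ALE {dollars(loss)}; "
              f"contract is {verdict} than the expected loss")
    months = break_even_interval(AV, EF, CONTRACT)
    print(f"Contract breaks even if the CPU fails every {float(months):.2f} months")
```

Under either reading the expected annual loss stays below the contract price; the two only diverge on how close to break-even the laptops are.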