Quantitative vs Qualitative Risk Analysis: ALE, SLE and ARO Made Simple

April 30, 2026 · 4 views

Risk analysis comes in two flavours, and certifications from CRISC to CISSP expect you to know when to use each and how the quantitative formulas work. The distinction is simple once you see it: qualitative uses judgment and categories; quantitative uses money and probability.

Qualitative analysis

Qualitative analysis rates risk using descriptive categories — high/medium/low, or a 1-to-5 scale for likelihood and impact, often plotted on a heat map. Its strengths are speed and accessibility: you can run a workshop, populate a matrix, and communicate results to a board in an afternoon. Its weakness is subjectivity — "high" means different things to different people, and you cannot easily justify a budget with it.

Quantitative analysis

Quantitative analysis assigns monetary values to produce objective figures that support cost-benefit decisions. Three formulas do the heavy lifting:

• SLE (Single Loss Expectancy) = Asset Value × Exposure Factor. The expected loss from one occurrence. If a $400,000 asset would lose 25% of its value in an incident, SLE = $400,000 × 0.25 = $100,000.
• ARO (Annualized Rate of Occurrence) = how many times per year you expect the event. Once every five years = 0.2.
• ALE (Annualized Loss Expectancy) = SLE × ARO. Continuing the example: $100,000 × 0.2 = $20,000 per year.

ALE is the figure that justifies (or fails to justify) a control. If a control costs $30,000 a year to address a risk with a $20,000 ALE, the maths says do not spend the money — accepting the risk is the cost-rational choice. If the control costs $5,000, it pays for itself. This is the single most testable idea in quantitative analysis: never spend more on a control than the risk it removes.

A worked exam pattern

Watch for the classic distractor: a question gives you asset value, exposure factor and frequency, then offers the SLE as one of the wrong answers. In our example, $100,000 (the SLE) will sit there tempting you when the question asks for ALE ($20,000). Compute deliberately: SLE first, then multiply by ARO.

When to use which

Use qualitative analysis for breadth and speed — triaging a large risk register, or where reliable monetary data does not exist. Use quantitative analysis for the risks that matter most, where you need to justify spending or compare options objectively. In practice, mature programs do both: qualitative to prioritise, quantitative to decide on the high-stakes few. The methods are complementary, not competing.