It Auditing: Using Controls to Protect Information Assets [IT AUDITING -OS N/D]
| Use | Description | Formula |
|---|---|---|
| Definition of risk | Used to represent risk | Risk = asset value × threat × vulnerability |
| Threat calculation | Numeric representation of threat | Threat = exposure factor (EF) × annual rate of occurrence (ARO) |
| Vulnerability calculation | Measures control deficiency | Control deficiency (CD) = 1 - control effectiveness |
| Risk calculation | Used to quantify risk | Risk = asset value × EF × ARO × CD |