Quantitative Risk Calculations

8 minutes
If you're going to be calculating your risk, it's nice when we have quantitative ways to go about that: some way to actually determine, in real dollars or labor or time, how much a particular incident is going to affect a particular asset. So to do this, the first thing we're going to do is pick an asset. I'm going to pick one of these little routers here. Now, this router right here has an asset value. You might be tempted at first to simply go, "Oh, well, the asset value is how much it costs to buy a new one," but it's more complicated than that. If you take a look at this router, the actual cost to buy a new one, the replacement cost, is about, say, $2,500.

But that's not all we need to consider. For example, I need someone to come out and fix the thing, and that's going to cost me 500 bucks, and it's also going to take a full day to get it replaced. So we actually have a $500 per day cost just to get the thing on there on top of the So we're really talking about a $3,000 replacement cost. The other big issue is revenue. If this router is making me $2,000 a day, and it takes me a day to replace it, I have to add that on to the replacement cost. So now we're talking about an asset value of around $5,000.

So that's an asset value. In this particular example we're using this router, but the asset value doesn't have to be placed on an individual piece of equipment. Let's say you've got a big server room that's got millions of dollars' worth of equipment and air conditioners and raised ceilings and cabling and all kinds of stuff. You can place an asset value on that whole thing as one big piece. And that's actually kind of important as we talk about the next thing in quantitative risk calculation: your exposure factor. The exposure factor is nothing more than the percentage of an asset that's lost as the result of a particular incident. So down here in Houston, we have a lot of flooding.

So if we take that router and water fills up my router, well, that's pretty much a 100% write-off. So in that particular situation, we'd say we have an exposure factor of one. Now, exposure factors don't always have to be one. Let's use my server room as an example. If we had some flooding there, the flooding might come up a little bit, but there's still plenty of equipment that's fine.

So in this case, I might have to replace some cables, a couple of power supplies that were down on the floor, things like that, but generally most of the equipment's okay. So in that case, I would make an exposure factor of, say, 0.75. Now, with an asset value and an exposure factor, we can create what's known as a single loss expectancy. The single loss expectancy (SLE) is equal to the asset value times the exposure factor for any one particular incident. Going through the example, then, using my router: my router has a $5,000 asset value and an exposure factor of one for flooding, so the SLE for that particular example would be $5,000. So we understand that an SLE is a particular value.

Now the problem is, how often is this going to happen? What are the chances of this taking place? In that case, what we're most interested in is the annualized rate of occurrence. Look, if you're going to be doing security for a living, you have to be able to budget stuff. So we'd like to budget on an annualized basis. And that's where ARO comes into play.

The ARO is the annualized rate of occurrence: basically, in a given year, what are the chances of this particular incident taking place? So again, going with the flooding in Houston, we get one good flood in Houston about every 20 years. So, let's go with the server room: the chances of my server room flooding every 20 years is equal to 1/20, or 0.05. Now, if we've got that 0.05, we can do something very cool. We can take our single loss expectancy and multiply that times the ARO to get the holy grail of quantitative risk calculation, the annualized loss expectancy. With the ALE we can say in real dollars, based on a percentage chance of something happening, how much that is going to cost.

The annualized loss expectancy is a really important value for us. Because as a security person, I can actually put into real dollars, on an annualized basis, what the cost of this particular incident is, and I can use that to help decide how I'm going to be dealing with that particular risk: mitigation, avoidance, whatever you want to do. Now, the other place where things become very interesting is that I've got a lot of equipment in my infrastructure. And the nice part about a lot of this equipment is that we have great data that goes back years and years for routers, light bulbs, electrical motors and all kinds of stuff that helps us get an idea of how long something's going to last. So let's take a look at those values real quick. I've got this router here.

Now, from a historical perspective, Cisco knows how long this router will work until it doesn't work anymore. So to make you guys understand this, let's draw a little graph. The x axis of my graph is time, okay. And then on my y axis, I'm going to say either it's good, or here at the bottom, it's failed. So basically, we're going to start a line here that says the router is good over time. And then at some point, it fails, boom, so it drops all the way down.

Now we've got a failure. So what we first want to calculate is the amount of time that it's down. So here it's down, we're ordering a new router, or we're looking for a new part, or whatever it is, and then there's a point where it's actually working again. So here we are, now we're working. That time right there, from the failure to the repair, is what we call the mean time to repair, or MTTR. Okay, so now it's doing just fine and it's working, here it goes, and boom, all of a sudden it dies again.

So the time from when it was repaired to the time that it fails again is called the mean time to failure. Arguably, we could go put mean time to failure here at the beginning as well: from the moment we bought it until it failed is also the mean time to failure. Now, if you combine the mean time to repair and the mean time to failure, what we're going to get is a line here that's called mean time between failures. So the MTBF is the time from a failure, all the time to repair, and then the time until it fails again.

The only other thing I want you to be comfortable with when we're talking about these values is that mean time between failures is usually applied to something that can be repaired. For example, this router right here has an MTBF provided to me from Cisco. I can go into this thing and fix it: I can replace the power supply in here, I can put a new board in, it's surprising how much I can do. Mean time to failure, however, is normally applied to things that you can't fix.

So a mean time to failure would be something we'd apply to a light bulb, for example, because I don't know about you, but you have the skills to fix something like that. Now, we've gone through a lot of calculations in this episode, and let me warn you, friends, you will need to be able to generate these calculations on the exam. So take some time, practice with these, and do a little research. You'd be surprised how much great stuff is out there online for you to play with to get an idea of how all this works.
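
The calculations from this lesson, worked through in Python as an added example that is not part of the original lesson. The router figures are the ones quoted above; the server room's $2,000,000 asset value, the MTTF/MTTR hours, and all function and class names are assumptions made for illustration.

```python
from dataclasses import dataclass

def asset_value(replacement, labor, revenue_per_day, downtime_days):
    """Asset value = hardware + labor to install it + revenue lost while down."""
    return replacement + labor + revenue_per_day * downtime_days

@dataclass(frozen=True)
class Scenario:
    asset: str
    incident: str
    av: float             # asset value in dollars
    ef: float             # exposure factor: fraction of the asset lost (0..1)
    years_between: float  # the incident happens about once every N years

    def __post_init__(self):
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.years_between <= 0:
            raise ValueError("years_between must be positive")

    @property
    def aro(self):
        """Annualized rate of occurrence, e.g. once in 20 years = 0.05."""
        return 1.0 / self.years_between

    @property
    def sle(self):
        """Single loss expectancy = asset value x exposure factor."""
        return self.av * self.ef

    @property
    def ale(self):
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro

def mtbf(mttf_hours, mttr_hours):
    """Mean time between failures, as drawn in the lesson: MTTF + MTTR."""
    return mttf_hours + mttr_hours

def rank_by_ale(scenarios):
    """Largest annual expected loss first, for budgeting."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)

# Router: $2,500 hardware + $500 labor + one day of $2,000 revenue = $5,000.
ROUTER = Scenario("router", "flood", asset_value(2500, 500, 2000, 1), 1.0, 20)
# Server room: the asset value is constructed; EF 0.75 and 1-in-20 are from the lesson.
SERVER_ROOM = Scenario("server room", "flood", 2_000_000, 0.75, 20)

if __name__ == "__main__":
    for s in rank_by_ale([ROUTER, SERVER_ROOM]):
        print(f"{s.asset:12} SLE=${s.sle:,.0f} ARO={s.aro:.2f} ALE=${s.ale:,.0f}")
    print("MTBF (constructed hours):", mtbf(50_000, 24))
```
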
