Gary's Coffee Shop Gets Done Over.
A smashed window. A missing espresso machine. A till emptied. Gary stands in the wreckage with a napkin and a pen — and invents risk assessment.
Gary owns a coffee shop on Cipher Lane. On the wall behind the counter there's a framed receipt — £50,000 — the day he bought the place. He looks at it every morning. It reminds him what he'd lose.
That receipt is his asset value (AV) — the value of the thing he's protecting. Every piece of security maths starts here: what does the thing cost if you lose it. Not what it sells for. What it costs to replace.
One night, someone smashes the window, grabs the espresso machine and empties the till. Gary stands in the wreckage doing the maths. The machine, the till, the window, a week shut for repairs — that's about 80% of the shop gone. Not everything — the walls are still standing, the tables survived — but most of it.
That 80% is the exposure factor (EF) — the fraction destroyed in one hit. Always between 0 and 1. A decimal in the formula; a percentage when Gary's explaining it to Sarah.
Gary stares at the receipt on the wall. Fifty grand. Times 0.8.
£50,000 × 0.8 = £40,000. He writes it on a napkin. Forty thousand pounds. One break-in. That napkin number is the SLE — Single Loss Expectancy. SLE = AV × EF.
Gary didn't know it yet, but he'd just worked out the Single Loss Expectancy. Every security professional on Earth carries that napkin in their head. — Story 01 · Risk Assessment
Next morning, Gary asks the barber next door. "How often do shops on this street get done?" The barber doesn't even look up from his scissors. "Twice a year, mate. Like clockwork."
Twice a year is the ARO — Annualised Rate of Occurrence — how often the threat happens per year. A frequency, not a cost. Frequency on one axis, magnitude on the other. That's risk.
Gary adds to the napkin. Forty grand, twice a year.
£40,000 × 2 = £80,000. His hand shakes. He's losing more per year than the shop is worth. That £80K is the ALE — Annualised Loss Expectancy. ALE = SLE × ARO. If the cost of a countermeasure is less than the ALE, buy the countermeasure. That is risk treatment in one sentence.
A salesman walks in. Steel security shutters. £1,000 a year, stops 90% of break-ins. Gary grabs a fresh napkin. With shutters, break-ins drop to 0.2 per year. New ALE = £40,000 × 0.2 = £8,000. Saves £72,000, minus £1,000 for the shutters. £71,000 net benefit. Gary signs the contract before the salesman finishes his americano.
That calculation is the cost-benefit analysis. The rule: if ALE(before) − ALE(after) is greater than the cost of the control, buy the control. Always.
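Gary's napkin, written out as functions. This is an added example, not part of the story: the shop, shutter and break-in figures are the ones above; the insurance policy is a hypothetical second control with assumed figures, included only to show how the same rule ranks more than one option.

```python
# Added example: the napkin maths as code. AV, EF, ARO and the shutter
# figures come from the story; the insurance option is constructed.
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction destroyed in one hit, 0 to 1."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualised_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is a frequency per year, never negative."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction of incidents prevented (shutters: 0.9)
    ef_reduction: float = 0.0   # fraction of per-incident damage removed


def net_benefit(asset_value: float, ef: float, aro: float, control: Control) -> float:
    """ALE(before) - ALE(after) - control cost. Positive means buy it."""
    before = annualised_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    after_ef = ef * (1 - control.ef_reduction)
    after_aro = aro * (1 - control.aro_reduction)
    after = annualised_loss_expectancy(single_loss_expectancy(asset_value, after_ef), after_aro)
    return before - after - control.annual_cost


def best_control(asset_value: float, ef: float, aro: float, controls: list[Control]):
    """Control with the highest net benefit, or None if no control pays for itself."""
    top = max(controls, key=lambda c: net_benefit(asset_value, ef, aro, c))
    return top if net_benefit(asset_value, ef, aro, top) > 0 else None


GARY_AV, GARY_EF, GARY_ARO = 50_000, 0.8, 2          # from the story
SHUTTERS = Control("steel shutters", annual_cost=1_000, aro_reduction=0.9)
# Hypothetical (constructed): a policy that pays out 75% of each loss for £25k a year.
INSURANCE = Control("insurance (hypothetical)", annual_cost=25_000, ef_reduction=0.75)

if __name__ == "__main__":
    for c in (SHUTTERS, INSURANCE):
        print(f"{c.name}: net benefit £{net_benefit(GARY_AV, GARY_EF, GARY_ARO, c):,.0f}")
    print("buy:", best_control(GARY_AV, GARY_EF, GARY_ARO, [SHUTTERS, INSURANCE]).name)
```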
That night, Gary's wife holds up four fingers. "You've actually got four choices."
Mitigate — get the shutters, reduce the damage. Transfer — get insurance, make someone else pay. Accept — live with it, budget for the loss. Avoid — sell up, walk away. Gary scratches his head. "What about just pretending it won't happen?" She glares at him. "That is not an option."
The morning before the shutters go in, Gary sticks a Post-it on the shop door: "RISK LEVEL: BASICALLY A PIÑATA." That's his inherent risk — the risk before any controls. After the shutters are bolted on, he peels it off and writes a new one: "RISK LEVEL: STILL A BIT DODGY, BUT I CAN SLEEP." That's residual risk — what remains after the controls. Not zero. Never zero. But within his risk tolerance.
Gary's wife takes both Post-its and staples them into a notebook she keeps next to the till. One page per risk. The break-in, the cost, the shutters, what's left over, Gary's decision. She taps the notebook: "This is the risk register, Gary. If it's not in here, you haven't thought about it properly."
Months later, Gary's mate asks: "How'd you figure all that out? Maths?" Gary shakes his head. "Two ways. I could do the maths — fifty grand times 0.8 times 2, get an exact number. That's quantitative. Or I could just go: shop's high value, break-ins are likely, risk is high. No numbers, just gut. That's qualitative." His mate blinks. "Which one's better?" "Numbers convince the bank manager. Gut feelings are faster."