Annualized Rate of Occurrence (ARO)

Governance (GRC) 📜 • Sec+ Glossary 📖

What is Annualized Rate of Occurrence (ARO)?

Annualized Rate of Occurrence, or ARO, is a risk measurement that estimates how often a specific threat is expected to happen within one year.

Examples

  • A company estimates that employee laptops are likely to be stolen twice per year, giving that threat an ARO of 2.
  • A security team expects a serious phishing-related account compromise to happen once every four years, so the ARO is 0.25.

Discover 🔎

When security teams talk about risk, they are not only asking how bad an incident could be. They are also asking how often it is likely to happen. A rare disaster and a recurring nuisance may create very different business problems, even if both deserve attention. Annualized Rate of Occurrence helps put that frequency question into a usable form.

ARO matters because security decisions are easier when risk is described in both impact and likelihood. If a threat is expensive but extremely rare, the response may differ from a threat that causes smaller losses again and again. ARO gives organizations a structured way to estimate the expected yearly frequency of a threat so that risk calculations become more realistic and more useful.

Remember: ARO is not the size of the loss. It is the estimated number of times a threat may happen in one year.
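As an added illustration (not part of the glossary page), the script below turns the frequency idea into numbers. It estimates ARO from an observed incident count over a multi-year window and then combines it with a Single Loss Expectancy (SLE) to get Annualized Loss Expectancy (ALE = SLE × ARO, the standard Security+ formula the page alludes to). The SLE dollar figures are constructed assumptions chosen only to show why a rare but expensive threat can outrank a frequent but cheap one:

```python
"""Worked ARO / ALE example. Added here; the SLE figures are constructed, not from the page."""

from typing import Dict, List, Tuple


def aro_from_history(incidents: int, years: float) -> float:
    """Estimate ARO as observed incidents divided by the observation window in years.

    One incident seen over four years gives an ARO of 0.25; two per year gives 2.0.
    """
    if years <= 0:
        raise ValueError("observation window must be a positive number of years")
    if incidents < 0:
        raise ValueError("incident count cannot be negative")
    return incidents / years


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    return sle * aro


# Constructed sample data: the glossary's two threats with assumed (hypothetical) SLE values.
THREATS: Dict[str, Dict[str, float]] = {
    "laptop theft": {"incidents": 2, "years": 1, "sle": 5_000.0},
    "phishing account compromise": {"incidents": 1, "years": 4, "sle": 120_000.0},
}


def rank_by_ale(threats: Dict[str, Dict[str, float]]) -> List[Tuple[str, float, float]]:
    """Return (name, ARO, ALE) tuples sorted from highest to lowest expected yearly loss."""
    rows = []
    for name, t in threats.items():
        a = aro_from_history(int(t["incidents"]), t["years"])
        rows.append((name, a, ale(t["sle"], a)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    for name, a, loss in rank_by_ale(THREATS):
        print(f"{name:30s} ARO={a:.2f}  ALE=${loss:,.2f}")
```

With these assumed SLEs the phishing compromise (ARO 0.25, ALE $30,000) ranks above laptop theft (ARO 2, ALE $10,000) even though it happens far less often, which is exactly the impact-versus-likelihood trade-off the section describes.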

Summary 📝

ARO is the estimated number of times a specific threat is expected to happen in one year. It gives organizations a way to express risk frequency more clearly and supports broader calculations such as ALE. Its value comes from helping teams move beyond vague language and think more carefully about how often a risk may actually occur.
