Calculating Annualized Loss Expectancy
The Annualized Loss Expectancy (ALE) calculation allows you to determine the annual cost of a loss due to a risk. Once calculated, ALE allows you to make informed decisions to mitigate the risk.
This section will use an example of risk due to lost or stolen unencrypted laptops. Assume your company has 1000 laptops that contain Personally Identifiable Information (PII). You are the Security Officer, and you are concerned about the risk of exposure of PII due to lost or stolen laptops. You would like to purchase and deploy a laptop encryption solution. The solution is expensive, so you need to convince management that the solution is worthwhile.
Asset Value
The Asset Value (AV) is the value of the asset you are trying to protect. In this example, each laptop costs $2500, but the real value is the PII. Theft of unencrypted PII has occurred previously, and has cost the company many times the value of the laptop in regulatory fines, bad publicity, legal fees, staff hours spent investigating, etc. The true average Asset Value of a laptop with PII for this example is $25,000 ($2500 for the hardware and $22,500 for the exposed PII).
Tangible assets (such as computers or buildings) are straightforward to calculate. Intangible assets are more challenging. For example, what is the value of brand loyalty? According to Chronos Capital, there are three methods for calculating the value of intangible assets—market approach, income approach, and cost approach:
- “Market Approach: This approach assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances.
- Income Approach: This approach is based on the premise that the value of an … asset is the present value of the future earning capacity that an asset will generate over its remaining useful life.
- Cost Approach: This approach estimates the fair value of the asset by reference to the costs that would be incurred in order to recreate or replace the asset” [12].
Exposure Factor
The Exposure Factor (EF) is the percentage of an asset's value that is lost due to an incident. In the case of a stolen laptop with unencrypted PII, the Exposure Factor is 100%: the laptop and all the data are gone.
Single Loss Expectancy
The Single Loss Expectancy (SLE) is the cost of a single loss. SLE is the Asset Value (AV) times the Exposure Factor (EF). In our case, SLE is $25,000 (Asset Value) times 100% (Exposure Factor), or $25,000.
Annual Rate of Occurrence
The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. Looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average. Your ARO is 11.
Annualized Loss Expectancy
The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) and the Annual Rate of Occurrence (ARO). In our case, it is $25,000 (SLE) times 11 (ARO), or $275,000.
Table 2.5 summarizes the equations used to determine Annualized Loss Expectancy.
Table 2.5 Summary of Risk Equations.
| Term | Formula | Description |
|---|---|---|
| Asset Value (AV) | AV | Value of the asset |
| Exposure Factor (EF) | EF | Percentage of asset value lost |
| Single Loss Expectancy (SLE) | AV × EF | Cost of one loss |
| Annual Rate of Occurrence (ARO) | ARO | Number of losses per year |
| Annualized Loss Expectancy (ALE) | SLE × ARO | Cost of losses per year |