logo

Quantitative Risk Analysis: Annual Loss Expectancy

Risk assessment is an essential component of risk management. It enables you to determine potential hazards that may negatively affect specific projects or result from certain decisions.

This article explains how to calculate your cybersecurity risk using the concept of annual loss expectancy:

There are two types of risk analysis — quantitative and qualitative:

  • Quantitative risk analysis is an objective approach that uses hard numbers to assess the likelihood and impact of risks. The process involves calculating metrics, such as annual loss expectancy, to help you determine whether a given risk mitigation effort is worth the investment. The assessment requires well-developed project models and high-quality data.
  • Qualitative risk analysis is a quicker way to gauge the likelihood of potential risks and their impact so you can prioritize them for further assessment. While quantitative risk analysis is objective, qualitative risk analysis is a subjective approach that ranks risks in broader terms, such as a scale of 1–5 or simply low, medium and

Both forms of risk analysis are valuable tools in risk management. In this article, we will focus on quantitative risk analysis and explain how to calculate annual loss expectancy (ALE).

What is quantitative risk analysis?

Quantitative risk analysis uses relevant, verifiable data to predict the probability of certain risk outcomes and their estimated monetary cost.

There are many different types of risks that IT pros need to consider, including the following:

  • Human errors
  • Hostile action, such as cyberattacks, unauthorized disclosure or misuse of data
  • Application errors
  • System or network malfunctions
  • Physical damage from causes such as fire, natural disasters or vandalism

What results do you get out of quantitative risk analysis?

Quantitative risk analysis helps you estimate:

  • Possible outcomes of a given risk
  • The probability of achieving specific objectives
  • Realistic costs
  • Project completion timelines

When is quantitative risk analysis most useful?

Quantitative risk assessment helps you make smart, data-informed decisions for your business. You should perform a quantitative risk analysis when you need to:

  • Decide whether to invest in specific projects or tools
  • Choose countermeasures to mitigate potential sources of loss
  • Provide detailed data about the chances of completing a project within budget and on schedule
  • Create a contingency reserve for your project

What is annual loss expectancy?

Annual loss expectancy is a calculation that helps you to determine the expected monetary loss for an asset due to a particule risk over a single year. You can calculate ALE as a part of your business’s quantitative cost-benefit analysis for any given investment or project idea.

For example, let’s say that you calculate an ALE of $10,000 and figure it would cost $15,000 a year to eliminate the risk; based on these numbers, you might decide that the cost isn’t worth the risk.

Of course, not all situations are that simple. For instance, suppose you understand that a HIPAA violation might cost you $100 per violation up to a maximum fine of $250,000. That might seem manageable, but digging deeper into information that you may not have considered could reveal that if the violation is due to willful negligence, the impact could be as high as $1.5 million. This example illustrates that while quantitative risk analysis provides a reliable and objective way to potential risks, the results are only as good as the data you put into the process.

Moreover, remember that ALE determines the cost of the risk. Do not confuse ALE with the total cost of ownership (TCO), which assesses the cost of a particular solution.

How is annual loss expectancy calculated?

Here is an overview of how to calculate ALE. Each term is explained in further detail below.

  1. Inventory your information assets and determine the asset value (AV) of each.
  2. Identify the potential threats to each asset.
  3. For each threat, do the following:

#1. Determine the exposure factor (EF) to that threat for each information asset.

#2. Calculated the single loss expectancy (SLE) using this formula: AV x EF = SLE

#3. Calculate the annual rate of occurrence (ARO).

#4. Calculate the annualized loss expectancy (ALE) using this formula: SLE x ARO = ALE

  • Asset value — Many of your assets are tangible items, such as computers, servers and software. Other assets are intangible, like expertise, databases, plans and sensitive information. The asset value is the total value of the specific asset; if your server is worth $6,000, your AV is $6,000. Here are some questions to consider to find your AV:
  • What did you pay to acquire or build the asset in question?
  • What is your liability if the asset becomes compromised?
  • What is the production cost if the asset is made unavailable?
  • What is the asset’s value to outside users?
  • In what other ways would loss of the asset affect your business?
  • Exposure factor — This is the percentage of the value of a given asset that gets lost as a result of a specific incident. If you expect to lose a quarter of the value of an asset in an incident, then your EF for that asset is 0.25 (25%). Remember that you can only calculate the EF in relation to a specific risk, such as a security breach or natural disaster. Also keep in mind that a loss can exceed the value of a given asset; in such cases, the EF would be greater than 1.0 (more than 100%).
  • Single loss expectancy — This is the amount of money you expect to lose each time a specific asset is lost or compromised. For instance, you may expect to lose $300 each time your business server breaks down, or you might lose $1,500 every time a laptop is lost or stolen. To calculate single loss expectancy, multiply the AV and EF.
  • Annual rate of occurrence — This is the number of times you expect a specific incident to occur in one year. If you expect your server to crash five times per year, your ARO would be 5. If the ARO is less than 1, you express it as a percentage — for instance, if the likelihood of an incident is once every four years, the ARO for that incident would be 0.25 (25%).

Example

Here’s a fictional scenario to help you practice calculating an ALE and using it in a business decision. Note that this is a very simplified calculation that considers just one threat to one information asset.

Let’s say that your organization is considering investing in a solution that can help you to discover malicious insider actions on your file servers to reduce the risk of losing a particular piece of intellectual property (IP). Here’s how you could determine if investing in a particular security solution is justified:

  1. Determine the AV. Let’s say that the IP asset of interest has a value of $75,000.
  2. Calculate the EF. Let’s assume it is 0.75 (75%).
  3. Calculate the SLE by multiplying the AV by the EF, which yields an SLE of $56,250.
  4. Determine the ARO. Let’s assume it’s 0.95 (meaning there’s a 95% chance of malicious insider activity occurring in any given year).
  5. Calculate the ALE: $56,250 (SLE) X 0.95 (ARO) = $53,357.50 (ALE).
  6. Compare the ALE to the cost of each of the software solutions you’re considering. If the license fee exceeds your ALE ($53,357.50), the solution is not a worthwhile investment.

Conclusion

Calculating ALE as part of a quantitative risk assessment is essential for making informed business decisions. While the process can be confusing and arduous at times, reliably determining risks and accurately calculating potential losses will provide valuable information to help you make smart business decisions. With ALE as a risk assessment tool in your pocket, you can more effectively perform cost-benefit analysis and determine if employing specific countermeasures are worth the investment.