“It will never happen to me…”


Have you ever said, or heard someone say, “that will never happen to me” or “I do not have to worry about that”? That is risk analysis on a personal level. What risk is worth taking? What potential downside is worth protecting against, despite a relatively low probability of it happening?

The rising popularity of the Chief Risk Officer (CRO) within enterprises demonstrates that businesses are focused more than ever on their own risk profile. This is potentially good news for CISOs and their teams. It provides an opportunity to put security in the context of overall business risk, elevating the issue in a way that resonates with senior management.

A simple way to express risk in financial terms for business leaders is the Annualized Loss Expectancy (ALE) calculation. ALE is the product of the Annual Rate of Occurrence (ARO) and the Single Loss Expectancy (SLE), expressed mathematically as ALE = ARO x SLE. ARO is the probability of a risk occurring in a given year. SLE is the amount of loss expected from any single occurrence of the risk against a given asset, expressed in monetary terms. SLE is the product of Asset Value (AV) and Exposure Factor (EF), where AV is the total value of the asset and EF is the damage the risk poses to the asset as a percentage of the asset's value. This is expressed as SLE = AV x EF.

Take a look at the following example:

Suppose a company with $1B in revenue has a 1% chance of being the target of a DDoS attack within a given year. That company is also highly dependent upon Internet connectivity for all aspects of its business from processing sales to managing its inventory to all of its communications (email, VoIP, IM, etc…). If the average expected DDoS attack duration was a 4-hour period and the additional cost of an incident was 50% more than the lost revenue/productivity of that company, then the ALE would be the following:

ALE = (0.01 / (365 x (4 / 24))) x (1,000,000,000 x 1.5) = $246,575

In business terms, this means that if the chance or cost of the attack rises, it is worth spending at least the ALE value to mitigate the risk. Said another way, an organization like this one could spend up to that amount to mitigate this risk if all of the factors in the example hold true. The values you research and estimate for your own organization are the assumptions behind these calculations, and they should be made transparent to business leaders so that they understand what the numbers are based upon. The calculation can be used in many ways. It can calculate the risk of a DDoS attack targeting the application layer (i.e., the availability of business-critical services). It can also be applied to very specific attacks against specific assets of an organization and, in doing so, can be made cumulative as you calculate multiple risks against a given asset or the same risk against multiple assets. ALE can be a great tool for quantifying risks and their likelihood. It can empower you and your teams to engage business leaders in your organization on these risks and have informed conversations about them.
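The calculation above, carried through in code as an added example (this is not code from the original post). It implements the post's two identities, SLE = AV x EF and ALE = ARO x SLE, reproduces the post's DDoS figure from the post's own assumptions, and then sums ALE across more than one risk as the last paragraph suggests. The `Risk` class, the helper names and the second scenario's numbers are all constructed for illustration.

```python
"""Annualized Loss Expectancy (ALE) calculator.

Added example, not code from the original post. It implements the two
identities the post gives, SLE = AV x EF and ALE = ARO x SLE, and then
reproduces the post's DDoS figure from the post's own assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One risk scenario against one asset, in the post's terms (constructed type)."""
    name: str
    asset_value: float       # AV: total value of the asset, in dollars
    exposure_factor: float   # EF: fraction of AV lost per event
    annual_rate: float       # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = ARO x SLE."""
        return self.annual_rate * self.sle()


def ddos_exposure_factor(outage_hours: float, incident_cost_multiplier: float) -> float:
    """Exposure factor exactly as the post's worked formula computes it.

    The post scales annual revenue by 1 / (365 x (hours / 24)) and applies a
    multiplier for incident costs on top of lost revenue (1.5 = 50% more).
    """
    return incident_cost_multiplier / (365 * (outage_hours / 24))


def post_example() -> Risk:
    """The post's worked example: $1B revenue, 1%/year, 4-hour outage, 1.5x cost."""
    return Risk(
        name="DDoS against an Internet-dependent business",
        asset_value=1_000_000_000,
        exposure_factor=ddos_exposure_factor(outage_hours=4, incident_cost_multiplier=1.5),
        annual_rate=0.01,
    )


def cumulative_ale(risks: list[Risk]) -> float:
    """Sum ALE over several risks, or the same risk against several assets."""
    return sum(r.ale() for r in risks)


if __name__ == "__main__":
    ddos = post_example()
    print(f"{ddos.name}: SLE = ${ddos.sle():,.0f}, ALE = ${ddos.ale():,.0f}")
    # Constructed second scenario (hypothetical numbers) to show cumulation:
    # $250M of checkout revenue, 2% of it lost per event, one event every 20 years.
    app_layer = Risk("application-layer DDoS on checkout", 250_000_000, 0.02, 0.05)
    print(f"Cumulative ALE: ${cumulative_ale([ddos, app_layer]):,.0f}")
```

Running it prints the post's $246,575 for the DDoS scenario, followed by the combined figure with the constructed second risk. One check worth making before putting such a number in front of finance: the exposure factor here is the post's expression, which divides the annual figure by 365 x (4/24); the revenue actually earned during a four-hour window would instead be AV x (4/24) / 365, a much smaller slice. Whichever way you choose to prorate, state it explicitly alongside the other assumptions so the business leaders can see what the result rests on.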

Do you currently use the Annualized Loss Expectancy (ALE) calculation to calculate the risk in financial terms of a DDoS attack?

Bringing it all home

Doing the checkbook on the weekend can be a thankless job. This weekend it turned into an adventure, not dissimilar to a situation that many companies find themselves in. After logging in to my bank, I noticed something was amiss. There was a mystery $300 “Moneygram” order. Not a good feeling. Noted philosopher Charlie Sheen […]


When ‘average’ becomes a problem

When you think of the word ‘average,’ a few thoughts usually come to mind: run of the mill, typical, mediocre, common. Average DDoS attack sizes are creeping up and up and up. It’s now common to see attacks in the 2-10GB/sec range and it’s even typical to see spikes in the 50-100Gb/sec range. This is […]


What is intelligence, anyway?

One of the smartest people I ever met was a house painter. During summer breaks in college, twenty-five years ago, I worked on a crew with a guy who was 15 years older than I was. He didn’t say much, but when he did, it was always on-point, whether it was about the job, or […]


Advanced, Persistent and Costly: DDoS Grows Up

Just in case you haven’t noticed, DDoS attacks have become larger, more sophisticated, and unfortunately, easier to perpetrate against a wide range of targets. In fact, DDoS has become a complex attack against availability that is often highly effective and can be difficult to defend against. […]


Guest Post: Blackmailers Working at Improving their DDoS capabilities

Similar to ASERT, Wapack Labs has been tracking the current DD4BC extortion campaign since it started in Australia and New Zealand in early May. DD4BC stands for Denial of Service for BitCoin. The group threatens to block websites with high capacity Denial of Service attacks unless the organization pays a ransom in Bitcoin. There are […]


The Road Less Traveled: Recruiting the Next Generation Security Analyst

The vast majority of security teams, including those responsible for Security Operations and Incident Response, have been trained and mentored, rising within their functions within the frame of infrastructure protection and compliance. Understanding and putting effective measures in place to manage vulnerabilities, risk and controls has been the focus. A strong technical component has underpinned […]
