Have you ever said or heard someone say “that will never happen to me” or “I do not have to worry about that”? That is risk analysis on a personal level. What risk is worth taking? What potential downside is worth protecting against, despite a relatively low probability of it happening?
The rising popularity of the Chief Risk Officer (CRO) within enterprises demonstrates that businesses are focused more than ever on their own risk profile. This is potentially good news for CISOs and their teams. It provides an opportunity to put security in the context of overall business risk, elevating the issue in a way that resonates with senior management.
A simple way to express risk in financial terms for business leaders is the Annualized Loss Expectancy (ALE) calculation. ALE is the product of the Annual Rate of Occurrence (ARO) and the Single Loss Expectancy (SLE), mathematically expressed as ALE = ARO x SLE. ARO is the expected number of times the risk event occurs in a year; for rare events this is effectively the probability of it occurring in a given year (an event expected once every ten years has an ARO of 0.1). SLE is the loss expected from any single occurrence of the risk event against a given asset, expressed in monetary terms. SLE is the product of Asset Value (AV) and Exposure Factor (EF), where AV is the total value of the asset and EF is the damage a single event does to that asset as a fraction of the asset's value. This is mathematically expressed as SLE = AV x EF.
Take a look at the following example:
Suppose a company with $1B in annual revenue has a 1% chance of being the target of a DDoS attack within a given year. That company is also highly dependent upon Internet connectivity for all aspects of its business, from processing sales to managing its inventory to all of its communications (email, VoIP, IM, etc.). If the average DDoS attack takes the company offline for 4 hours, and the cost of handling the incident adds another 50% on top of the lost revenue/productivity, then the calculation works out as follows (a 4-hour outage costs 4 of the 365 x 24 = 8,760 hours of revenue in a year):
AV = $1,000,000,000 (one year of revenue)
EF = (4 / 8,760) x 1.5 = 0.000685 (the 4-hour slice of the year, plus 50% incident overhead)
SLE = AV x EF = $1,000,000,000 x 0.000685 = $684,932
ARO = 0.01
ALE = ARO x SLE = 0.01 x $684,932 = $6,849
In business terms, the ALE is what this risk costs the company per year on average. A control that eliminates the risk is therefore worth spending up to the ALE per year; a control that only reduces it is worth up to the difference between the ALE before and after the control is in place. If the likelihood or the cost of the attack rises, the amount worth spending rises with it. You need to research and estimate the right values for your organization (these are the assumptions behind the calculation), and they should be made transparent to the business leaders so that they understand what the numbers are based upon. Because a small ARO multiplied by a large SLE is sensitive to both estimates, it is usually better to show a range than a single figure. This calculation can be used in many ways. It can express the risk of DDoS attacks targeting the application layer (i.e. the availability of business-critical services). It can also be used for very specific attacks against specific assets, and because ALE values are additive, you can sum them across multiple risks to a given asset or the same risk across multiple assets. ALE can be a great tool for putting a number on risks and their likelihood. This can empower you and your teams to engage with business leaders in your organization on these risks and have conversations about them.
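The following is an added example, not code from the original article, that carries the ALE = ARO x SLE and SLE = AV x EF definitions above into a small calculator: it reproduces the DDoS scenario, prices a hypothetical control (a scrubbing service that shortens the outage, assumed here for illustration), and sums ALE across a portfolio as the text describes. All dollar figures and probabilities are the article's assumed values, not measured data.

```python
"""Annualized Loss Expectancy (ALE) calculator.

Implements the definitions from the text: SLE = AV x EF and ALE = ARO x SLE.
The scenario figures below are assumed values matching the article's DDoS
example, not measured data.
"""
from dataclasses import dataclass
from typing import Iterable

HOURS_PER_YEAR = 365 * 24  # 8,760 hours; leap years ignored


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per event
    aro: float              # ARO, expected events per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle()


def outage_exposure_factor(outage_hours: float, overhead: float = 0.0) -> float:
    """EF for an availability loss measured against a year's revenue.

    A 4-hour outage costs 4/8760 of annual revenue; `overhead` adds incident
    costs beyond lost revenue (0.5 = "50% more than the lost revenue").
    """
    if outage_hours < 0 or overhead < 0:
        raise ValueError("outage_hours and overhead must be non-negative")
    return (outage_hours / HOURS_PER_YEAR) * (1.0 + overhead)


def portfolio_ale(risks: Iterable[Risk]) -> float:
    """ALE is additive: sum several risks to one asset, or one risk to many."""
    return sum(r.ale() for r in risks)


def max_justified_spend(before: Risk, after: Risk) -> float:
    """Upper bound on annual control cost: the ALE the control removes."""
    return before.ale() - after.ale()


def control_net_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Cost/benefit: (ALE before - ALE after) - annual cost of the control.

    Positive means the control pays for itself in expected loss avoided.
    """
    return max_justified_spend(before, after) - annual_control_cost


# Article scenario (assumed values): $1B revenue, 1% chance per year,
# 4-hour outage, incident costs 50% above lost revenue.
DDOS = Risk("DDoS on Internet-facing services",
            asset_value=1_000_000_000,
            exposure_factor=outage_exposure_factor(4, overhead=0.5),
            aro=0.01)

# Hypothetical control for illustration: a scrubbing service that cuts the
# outage to 30 minutes but does nothing about how often attacks arrive.
DDOS_WITH_SCRUBBING = Risk(DDOS.name, DDOS.asset_value,
                           outage_exposure_factor(0.5, overhead=0.5),
                           aro=DDOS.aro)

if __name__ == "__main__":
    print(f"SLE = ${DDOS.sle():,.0f}")
    print(f"ALE = ${DDOS.ale():,.0f}")
    print(f"Max justified annual spend on scrubbing = "
          f"${max_justified_spend(DDOS, DDOS_WITH_SCRUBBING):,.0f}")
    # Sensitivity: the same outage at a 10% annual likelihood.
    likelier = Risk(DDOS.name, DDOS.asset_value, DDOS.exposure_factor, aro=0.1)
    print(f"ALE at ARO=0.1 = ${likelier.ale():,.0f}")
```

Note that the outage hours and the overhead multiplier both live in EF, so AV stays "one year of revenue" and can be reused unchanged for other availability risks; a confidentiality or integrity risk against the same asset would instead set EF from the share of the asset's value that a breach destroys.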