The Math of Cybersecurity Risk
I don't know about you, but I find things are more interesting when math is involved. So when I found out that cybersecurity risk assessments have a mathematical component to them, I paid more attention. In this post, I want to talk about three values that let you do a quantitative analysis: ALE, SLE and ARO.
Definitions
ALE stands for Annual Loss Expectancy and refers to how much loss you can expect in a year.
SLE stands for Single Loss Expectancy and refers to how much you can lose in a single event. This is made up of two other factors: AV and EF.
- AV stands for Asset Value and, as the name implies, is the monetary value of an asset.
- EF stands for Exposure Factor and refers to the fraction of the asset's value that would be lost in a single event. This is expressed as a percentage.
ARO stands for Annual Rate of Occurrence and is the number of times an event is expected to occur in a year. This can be estimated from historical data.
The Math
What you are ultimately interested in is the ALE and you can calculate that by multiplying the SLE by the ARO. So the formula is:
ALE = SLE * ARO
Or stated another way:
ALE = (AV * EF) * ARO
Note that in the second equation we substitute the components AV * EF for SLE.
An Example
Let's assume you have an asset worth $10,000 that has an exposure factor of 50%. Let's also assume that this type of asset has an associated ARO of 0.25. You can then calculate the ALE as follows:
ALE = ($10,000 * 0.5) * 0.25 = $1250
This helps you prioritize which assets need more protection. If your business can absorb a loss of $1250 in a year, you can probably focus on other, more important assets.
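To put the formulas to work on more than one asset, here is an added example (not code from the original post) that computes SLE and ALE, derives ARO from a historical incident count, and ranks a constructed sample inventory by ALE. The first asset reproduces the post's $10,000 / 50% / 0.25 example; the other assets and their figures are made up for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, as a fraction 0.0-1.0 (50% -> 0.5)
    aro: float              # ARO, expected occurrences per year


def aro_from_history(incident_count: int, years_observed: float) -> float:
    """Estimate ARO from historical data: incidents per observed year."""
    if years_observed <= 0:
        raise ValueError("years_observed must be positive")
    if incident_count < 0:
        raise ValueError("incident_count must be non-negative")
    return incident_count / years_observed


def single_loss_expectancy(asset: Asset) -> float:
    """SLE = AV * EF, with sanity checks on the inputs."""
    if not 0.0 <= asset.exposure_factor <= 1.0:
        raise ValueError(f"{asset.name}: EF must be between 0 and 1")
    if asset.asset_value < 0:
        raise ValueError(f"{asset.name}: AV must be non-negative")
    return asset.asset_value * asset.exposure_factor


def annual_loss_expectancy(asset: Asset) -> float:
    """ALE = SLE * ARO = (AV * EF) * ARO."""
    if asset.aro < 0:
        raise ValueError(f"{asset.name}: ARO must be non-negative")
    return single_loss_expectancy(asset) * asset.aro


def rank_by_ale(assets):
    """Return (name, ALE) pairs, largest expected annual loss first."""
    scored = ((a.name, annual_loss_expectancy(a)) for a in assets)
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory; the first entry is the post's own example.
SAMPLE_ASSETS = [
    Asset("file server", 10_000, 0.50, 0.25),
    Asset("customer database", 250_000, 0.20, aro_from_history(1, 10)),
    Asset("public website", 40_000, 0.75, aro_from_history(6, 3)),
]

if __name__ == "__main__":
    for name, ale in rank_by_ale(SAMPLE_ASSETS):
        print(f"{name:18s} ALE = ${ale:,.2f}")
```

The ranking shows why a cheap asset with a high ARO can deserve more attention than an expensive one that is rarely hit.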
Conclusion
This is just an introduction and a simple example. Still, I hope this helps at least give you an idea of how these calculations can help in an assessment.