
ALE Examples

ARO: Annual Rate of Occurrence – the number of times in a given year that an event is expected to
occur. This can be expressed as a fraction (such as 1 in 15, 1 in 200, 1 in X, etc.) meaning that the
event is expected to occur at least once (1) in some number of years (X).

ALE: Annual Loss Exposure (aka risk exposure) – the expected annual loss due to an event. This is
typically expressed as a dollar amount.

Examples:

Problem #1:

You work for a company whose offices are flooded. All of the servers in the corporate data center
on site are ruined. The total cost of all the systems was $500,000. The offices happened to be in a
100-year flood plain (the ARO for a massive flood in a given year was 1 in 100). Calculate the ALE
for this event.

Solution #1:

In this case the ARO is already given: 1 in 100 = .01

The cost of the systems is $500,000.

So, the ALE is the cost of the systems multiplied by the ARO or:

$500,000 x .01 = $5,000

Note that this is NOT the cost of the loss. It is the annual risk exposure from a massive flood
taking out the systems. The cost of the loss, if a 100-year flood occurs, is $500,000. The ALE
simply gives IT and security managers a way to figure out whether they need to install a control
that would mitigate this problem.

Problem #2:

Your company pays an annual maintenance fee of $1000 to an anti-virus company, MyAV.com, to
stay current on the anti-virus software. One day, an employee receives an e-mail with a new virus
attached and opens the e-mail. Every mailbox in the company directory is infected. It will take
the IT staff 3 days to clean all of the affected mailboxes at a cost of approximately $10,000. The
chance of this happening, according to MyAV.com’s account manager, was 1 in 20. In addition,
the cost of loss of sales opportunity amounts to an additional $25,000. Calculate the ALE.

Solution #2:

In this case the total loss is the loss of sales opportunities as well as the cost of the cleanup:
$10,000 + $25,000 = $35,000.

MyAV.com claims that the ARO was 1 in 20 or .05

Therefore the ALE is: $35,000 x .05 = $1,750

Problem #3:

The account manager for another anti-virus company, YourAV.com, contacts you after he hears
about your virus infection. He claims that his product, YourAV, would perform better than the
competitor, MyAV, and that such an event with his product would only have a 1 in 200 chance of
occurring. He offers you a competitive “upgrade” to his product for $500.00. Calculate the ALE
and the risk leverage.

Solution #3:

The loss in this case would still be $35,000. But now, the ARO is .005. So, the ALE is:

$35,000 x .005 = $175.00

The risk leverage is:

[ ($1,750) – ($175) ] / $500 = 3.15 (a relatively low number and so the solution is worthwhile).
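
The three solutions above, carried through in Python as an added example (not part of the original handout): it computes ALE and risk leverage with exact fractions and ranks candidate controls by leverage. The function names and the second control ("Hypothetical control B", 1 in 100 for $2,000) are constructed for illustration.

```python
from fractions import Fraction

def aro(one_in_years):
    """ARO for an event expected once in `one_in_years` years (1 in X)."""
    if one_in_years <= 0:
        raise ValueError("X in '1 in X' must be positive")
    return Fraction(1, one_in_years)

def ale(loss_components, one_in_years):
    """ALE = total loss per event x ARO. Exact, so no float rounding."""
    return sum(loss_components) * aro(one_in_years)

def risk_leverage(ale_before, ale_after, control_cost):
    """(ALE before control - ALE after control) / cost of the control."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (ale_before - ale_after) / Fraction(control_cost)

def rank_controls(loss_components, baseline_one_in, controls):
    """controls: (name, one_in_years_with_control, cost). Best leverage first."""
    before = ale(loss_components, baseline_one_in)
    rows = []
    for name, one_in_after, cost in controls:
        after = ale(loss_components, one_in_after)
        rows.append({
            "control": name,
            "ale_after": after,
            "leverage": risk_leverage(before, after, cost),
            "net_saving": before - after - cost,  # ALE reduction minus cost
        })
    return sorted(rows, key=lambda r: r["leverage"], reverse=True)

# Figures from Problems #2 and #3: cleanup plus lost sales, MyAV at 1 in 20.
VIRUS_LOSSES = [10_000, 25_000]
CONTROLS = [
    ("YourAV upgrade", 200, 500),             # from Problem #3
    ("Hypothetical control B", 100, 2_000),   # constructed, not from the page
]

if __name__ == "__main__":
    print("Flood ALE:", ale([500_000], 100))          # Problem #1
    print("Virus ALE:", ale(VIRUS_LOSSES, 20))        # Problem #2
    for row in rank_controls(VIRUS_LOSSES, 20, CONTROLS):
        print(row["control"], float(row["ale_after"]),
              float(row["leverage"]), float(row["net_saving"]))
```

The constructed control B lowers the ALE to $350 but costs more than the $1,400 of exposure it removes, so its net saving comes out negative.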
