
Security

Security risk management


CONTENTS

01 CALCULATING ANNUALIZED LOSS EXPECTANCY
02 TOTAL COST OF OWNERSHIP
03 RETURN ON INVESTMENT
04 RISK CHOICES
05 EXERCISE
1. CALCULATING ANNUALIZED LOSS EXPECTANCY

The annualized loss expectancy (ALE) calculation allows you to determine the annual cost of a loss due to a risk.

Ex: A company has 1000 laptops. Each laptop carries two kinds of value: the hardware itself and the PII stored on it.
* Asset value

The asset value (AV) is the value of the asset you are trying to protect.

Ex:
- Hardware: 2500 USD
- PII: 22500 USD
- AV: 25000 USD
According to Deloitte, there are three methods for calculating the value of intangible assets:
• Market approach: assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances.
• Income approach: is based on the premise that the value of an … asset is the present value of the future earning capacity that the asset will generate over its remaining useful life.
• Cost approach: estimates the fair value of the asset by reference to the costs that would be incurred in order to recreate or replace the asset.
* Exposure factor

The exposure factor (EF) is the percentage of value an asset loses due to an incident.

* Single-loss expectancy

The single-loss expectancy (SLE) is the cost of a single loss.
SLE = AV * EF

Ex: EF = 100% (the laptop and all of the data are gone)
SLE = 25,000 * 100% = 25,000 USD
* Annual rate of occurrence

The annual rate of occurrence (ARO) is the number of losses suffered per year.

Ex: When looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average.
ARO = 11

* Annualized loss expectancy

The ALE is the yearly cost due to a risk. It is calculated by multiplying the SLE by the ARO.

Ex: ALE = SLE x ARO
       = 25,000 x 11
       = 275,000 USD
Term                              Formula    Description
Asset value (AV)                  AV         Value of the asset
Exposure factor (EF)              EF         Percentage of asset value lost
Single-loss expectancy (SLE)      AV×EF      Cost of one loss
Annual rate of occurrence (ARO)   ARO        Number of losses per year
Annualized loss expectancy (ALE)  SLE×ARO    Cost of losses per year
2. TOTAL COST OF OWNERSHIP

The TCO is the total cost of a mitigating safeguard.

TCO combines upfront costs (often a one-time capital expense) plus the annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, etc.

These ongoing costs are usually considered operational expenses.

Ex: Cycle = 3 years
- The upfront cost: $100/laptop -> $100,000 for 1000 laptops.
- The vendor charges a 10% annual support fee, or $10,000 per year.
- Install the software: 4 staff hours/laptop -> 4000 staff hours.
- The staff cost per hour is $70
  => Install software cost = 4000 x $70 = $280,000

TCO over 3 years:
• Software cost: $100,000
• Three years of vendor support: $10,000 × 3 = $30,000
• Hourly staff cost: $280,000
• TCO over 3 years: $410,000
• TCO per year: $410,000 / 3 = $136,667

Your TCO for the laptop encryption project is $136,667 per year.
3. RETURN ON INVESTMENT (ROI)

The ROI is the amount of money saved by implementing a safeguard.

- TCO < ALE => a positive ROI
- TCO > ALE => a poor ROI
Summary of example:
- The annual TCO = $136,667
- The ALE for lost or stolen unencrypted laptops is $275,000.
Implementing laptop encryption will change the EF. The laptop hardware is worth $2,500, and the exposed PII costs an additional $22,500, for a $25,000 AV.
- EF is 100%, because all the hardware and data are exposed.
Laptop encryption mitigates the PII exposure risk, lowering the EF from 100% (the laptop and all data) to 10% (just the laptop hardware).
The lower EF lowers the ALE from $275,000 to $27,500.
=> Saving $247,500 per year (the old ALE, $275,000, minus the new ALE, $27,500) by making an investment of $136,667.
=> ROI is $110,833 per year ($247,500 minus $136,667).
The laptop encryption project has a positive ROI and is a wise investment.
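An added example, not part of the slides, that carries the laptop-encryption numbers from sections 1 to 3 through the ALE, TCO and ROI formulas; the `Risk` class and the `annual_tco` / `annual_roi` helpers are my own names, and the ROI is computed as ALE saved minus yearly TCO, which is the calculation the summary above performs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One loss scenario, using the quantities defined on the slides."""
    asset_value: float      # AV: value of the asset, in USD
    exposure_factor: float  # EF: fraction of AV lost per incident, 0.0 to 1.0
    annual_rate: float      # ARO: number of losses per year

    def sle(self) -> float:
        # Single-loss expectancy: SLE = AV x EF
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized loss expectancy: ALE = SLE x ARO
        return self.sle() * self.annual_rate


def annual_tco(upfront: float, yearly_costs: list, cycle_years: int) -> float:
    """TCO per year over the safeguard's life cycle: the one-time capital
    expense plus cycle_years of operational expense, divided by the cycle."""
    if cycle_years <= 0:
        raise ValueError("cycle must be at least one year")
    return (upfront + cycle_years * sum(yearly_costs)) / cycle_years


def annual_roi(ale_before: float, ale_after: float, tco_per_year: float) -> float:
    """Yearly ROI = ALE saved by the safeguard minus its yearly TCO.
    A negative value means the safeguard costs more than the loss it prevents."""
    return (ale_before - ale_after) - tco_per_year


# Worked example from the slides: 1000 laptops, $2,500 hardware + $22,500 PII
# per laptop, 11 lost or stolen laptops per year; encryption drops EF to 10%.
LAPTOPS = 1000
unencrypted = Risk(asset_value=2_500 + 22_500, exposure_factor=1.0, annual_rate=11)
encrypted = Risk(asset_value=2_500 + 22_500, exposure_factor=0.10, annual_rate=11)

# Safeguard costs: $100/laptop software, 4 staff hours/laptop at $70/hour to
# install (both one-time), and a 10% annual vendor support fee on the software.
software_cost = 100 * LAPTOPS            # $100,000
install_cost = 4 * LAPTOPS * 70          # $280,000
support_per_year = 0.10 * software_cost  # $10,000
tco_per_year = annual_tco(software_cost + install_cost, [support_per_year], 3)
roi_per_year = annual_roi(unencrypted.ale(), encrypted.ale(), tco_per_year)

if __name__ == "__main__":
    print(f"ALE before: ${unencrypted.ale():,.0f}  after: ${encrypted.ale():,.0f}")
    print(f"TCO/year: ${tco_per_year:,.0f}  ROI/year: ${roi_per_year:,.0f}")
```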
4. RISK CHOICES

Risk choices:
- Accept the risk
- Mitigating risk
- Transferring risk
- Risk avoidance
* Accept the risk
Some risks may be accepted. In some cases, it is cheaper to leave an asset unprotected against a specific risk than to make the effort and spend the money required to protect it. This must not be an uninformed decision; all options must be considered before accepting the risk.

Ex: risk to human life or safety

* Mitigating risk
Mitigating risk means lowering the risk to an
acceptable level. Lowering risk is also called risk
reduction, and the process of lowering risk is also
called reduction analysis.

Ex: The laptop encryption


* Transferring risk
The insurance model depicts transferring risk.

Ex:
- accident insurance
- fire insurance

* Risk avoidance
A thorough risk analysis should be completed before
taking on a new project. If the risk analysis discovers
high or extreme risks that cannot be easily mitigated,
avoiding the risk (and the project) may be the best
option.
THANKS