Invitation to Cybersecurity

5. The Approach to Cybersecurity: Cyber Risk Management 109

A cost-benefit analysis is based on the annualized loss expectancy (ALE) calculation. The ALE is the projected loss to a cyber asset due to a cyber risk over the course of a year. A cost-benefit analysis compares the ALE before controls are put in place (the pre-analysis) with the ALE assuming the controls have been added (the post-analysis). The difference between the two is the projected annual savings; if the annual cost of the controls exceeds those savings, the controls should not be pursued.

ALE = Single Loss Expectancy x Annualized Rate of Occurrence

The ALE calculation starts with the single loss expectancy (SLE). The SLE is the projected loss to a cyber asset due to a cyber risk as a result of a single incident. The SLE measures the impact, similar to the qualitative risk assessment above.

SLE = Asset Value x Exposure Factor

The asset value (AV) is the value of the cyber asset. The exposure factor (EF) is the fraction of the asset's value that will be compromised if the risk is realized. The EF is a percentage written as a decimal, and it is always between zero and one (inclusive): zero means that none (0%) of the cyber asset's value will be lost, and one means that all (100%) of the cyber asset's value will be lost. A common mistake is to plug in the percentage itself (2 rather than 0.02), which inflates the SLE a hundredfold.

Lastly, the annualized rate of occurrence (ARO) needs to be determined. The ARO is the expected number of times per year that the incident will occur; it may be less than one (an incident expected once every ten years has an ARO of 0.1). The ARO measures the likelihood, similar to the qualitative risk assessment above.

Taking the example of the small business above that needs to determine the risk severity of a DDoS attack on its ecommerce web server, it first determines the SLE. The web server brings in $1,000,000 in revenue per year; this is the AV.

AV = $1,000,000

The next calculation is the EF. If the business suffers a DDoS attack, what percentage of the asset's value will be compromised? Based on research, the business has determined that an average DDoS attack against a website of similar scale takes the server offline for one week. For simplicity's sake, this analysis does not take into account other costs of a DDoS attack, such as reputational harm, loss of future sales, and so on. One week is 1/52 of a year (about 0.019), so the exposure factor, with a little rounding, is 2%.

EF = 0.02

Therefore, the SLE is $20,000.

SLE = $1,000,000 x 0.02 = $20,000

Next, the business needs to determine the number of times per year it can expect a DDoS attack to occur; this is the ARO. Based on market research and other available
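The SLE, ARO and ALE calculations above, carried through to the pre-/post-analysis cost-benefit decision, as an added example that is not part of the textbook. The $1,000,000 asset value and the 2% exposure factor are the text's DDoS figures; the ARO of two attacks per year, the two candidate controls, their effect on EF or ARO, and their annual costs are assumptions made up for illustration (the text's own ARO figure is not on this page). The helper names (exposure_factor_from_downtime, aro_from_history, evaluate_control, CostBenefit) are likewise this example's own.

```python
"""Cost-benefit analysis of a security control using SLE, ARO and ALE.

Added example, not from the textbook. AV = $1,000,000 and EF = 0.02 follow
the text's DDoS scenario; the ARO, the candidate controls and their costs
are ASSUMED values chosen for this illustration.
"""
from dataclasses import dataclass


def exposure_factor_from_downtime(weeks_offline: float, decimals: int = 2) -> float:
    """EF for an asset whose yearly value is lost pro rata while it is offline.

    Follows the text: one week is 1/52 of a year, which rounds to 0.02.
    """
    if not 0 <= weeks_offline <= 52:
        raise ValueError("weeks_offline must be between 0 and 52")
    return round(weeks_offline / 52, decimals)


def aro_from_history(incidents: int, years: float) -> float:
    """ARO = incidents observed / years observed; may be fractional (1 in 10 years -> 0.1)."""
    if incidents < 0 or years <= 0:
        raise ValueError("need a non-negative incident count over a positive number of years")
    return incidents / years


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF must be a fraction in [0, 1], not a percentage such as 2 or 20."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be between 0 and 1 inclusive, got {exposure_factor}")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class CostBenefit:
    """Pre-analysis ALE versus post-analysis ALE for one candidate control."""
    control: str
    ale_pre: float
    ale_post: float
    annual_control_cost: float

    @property
    def annual_savings(self) -> float:
        return self.ale_pre - self.ale_post

    @property
    def net_benefit(self) -> float:
        return self.annual_savings - self.annual_control_cost

    @property
    def worthwhile(self) -> bool:
        # The text's rule: if the control costs more than it saves, do not pursue it.
        return self.annual_control_cost <= self.annual_savings


def evaluate_control(control: str, asset_value: float, ef_pre: float, aro_pre: float,
                     ef_post: float, aro_post: float, annual_control_cost: float) -> CostBenefit:
    """Run the pre- and post-analysis for a control that changes EF (impact), ARO (likelihood) or both."""
    ale_pre = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_pre), aro_pre)
    ale_post = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef_post), aro_post)
    return CostBenefit(control, ale_pre, ale_post, annual_control_cost)


if __name__ == "__main__":
    AV = 1_000_000                                 # from the text
    EF = exposure_factor_from_downtime(1)          # one week offline -> 0.02, as in the text
    ARO = aro_from_history(incidents=2, years=1)   # ASSUMED: two DDoS attacks per year
    sle = single_loss_expectancy(AV, EF)           # 20000.0
    print(f"SLE = ${sle:,.0f}, ALE = ${annualized_loss_expectancy(sle, ARO):,.0f}")

    candidates = [
        # ASSUMED impact control: a scrubbing service halves downtime (EF 0.02 -> 0.01), $15,000/yr
        evaluate_control("DDoS scrubbing service", AV, EF, ARO,
                         exposure_factor_from_downtime(0.5), ARO, 15_000),
        # ASSUMED likelihood control: upstream filtering halves the ARO (2 -> 1), EF unchanged, $25,000/yr
        evaluate_control("Upstream traffic filtering", AV, EF, ARO,
                         EF, aro_from_history(incidents=1, years=1), 25_000),
    ]
    for cb in candidates:
        verdict = "pursue" if cb.worthwhile else "do not pursue"
        print(f"{cb.control}: saves ${cb.annual_savings:,.0f}/yr, costs "
              f"${cb.annual_control_cost:,.0f}/yr, net ${cb.net_benefit:,.0f} -> {verdict}")
```

Both assumed controls cut the ALE from $40,000 to $20,000, but only the first costs less than the $20,000 it saves; the decision rests on the comparison, not on how much a control lowers the ALE. The range check in single_loss_expectancy is there because an EF entered as 2 instead of 0.02 silently produces an SLE a hundred times too large, which then drives every downstream decision.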
