Security Pain Points: Upper Management and Budget

Security should be a top priority for IT professionals in every skill area. One of the top pain points is how to convey the story of security to upper management so that the budget to implement it gets approved. I would like to focus this blog on the conversation around budget and on presenting the data that matters, so that security goals actually get funded and implemented.

There is a formula, imagine that, to help you price this and present it to a broader audience as a single yearly number instead of a list of individual purchases. There is a price to NOT being the lead news story for a breach, by the way. The integrity of customer and employee information is vital to all parties. Now, how do you make sure the boss understands why we NEED encryption software on every laptop? With the Annual Loss Expectancy formula. You’re welcome. 😉

Annual loss expectancy helps you have fluid conversations with upper management at their level of understanding, without all the eye rolling or frustration. You can lay out needs in black and white and let your presentation and numbers do the talking for you and your department. It also lets you forecast the right numbers and present an accurate budget with a clear purpose and pain point relief in sight.

Formula breakdown:

ALE = ARO * SLE

Well, that looks simple enough, but let me explain what those acronyms are and what they represent.

ALE = Annual Loss Expectancy

ARO = Annual Rate of Occurrence

SLE = Single Loss Expectancy

Annual Loss Expectancy is the product of the Annual Rate of Occurrence and the Single Loss Expectancy. There is a sub-formula that comes into play to get the SLE. Don’t worry, I’m walking you through this and it will all come together in a complicated word problem within this blog. Just kidding, it’s pretty simple. I’m trying to get you relaxed to enjoy the learning that is taking place right now. OK, moving on: SLE is the asset value (AV) multiplied by the exposure factor (EF).

The EF is always a percentage: it is the impact of the risk on the asset, or the percentage of the asset’s value lost in a single incident. A stolen asset is 100% gone, so its EF is 1. If someone breached a laptop and stole $5,000 worth of personally identifiable information (PII), and the total laptop value was assessed at $10,000, then the exposure factor would be 50%, or .5.

Stay focused here: AV * EF = SLE. BOOM! It’s magic, right? Now, we set up a scenario that I’m using from my CISSP certification guides. I feel it makes sense and represents a valuable asset management component that most IT professionals understand.

The problem setup: on average, this hypothetical company, ABC, has ten laptops lost or stolen each year. The laptops are valued at about $10,000 apiece, which includes the information stored on them and the software installed. The company has 100 laptops distributed amongst its employees. ABC Company wants to purchase encryption software to protect these laptops from being hacked or breached if lost or stolen. The IT professional decides to bring in the ALE formula to have the conversation with management about why buying encryption software saves money.

Asset Value (AV) = $10,000

Exposure Factor (EF) = 100% or 1

AV * EF = SLE

Single Loss Expectancy (SLE) = $10,000

It’s simple enough now to plug in the rest of the formula. We need to find the annual rate of occurrence (ARO). We know they have ten laptops lost or stolen every year, so this is our ARO for our example.

Pro tip: If you live in a natural disaster area or a high theft zone, you may be able to get the ARO on that type of data from surrounding insurance agencies.

Now we can set up our formula for our annualized loss expectancy without encryption software.

The annualized rate of occurrence (ARO) = 10

Single loss expectancy (SLE) = $10,000

ARO * SLE = ALE

Annualized Loss Expectancy = $100,000

Eureka! We have solved for how much losing ten laptops costs the company every year. So how do we convey this to management so that they purchase software to reduce what we are losing every year? We use the same formula to show the delta (difference) with and without encryption software.

It costs $100 to put the software on a laptop. This is a simple formula, so I’m not adding in the cost of labor or time; you can do that and factor it into the cost. Now, since they own 100 laptops, we multiply by $100 (for the encryption software) and come to $10,000 for the software to be applied to ABC Company’s laptops.

Using the same formula, we will get a different number, because the exposure factor will be different. With encryption in place, the data on a lost laptop is no longer exposed, so the loss is only the physical hardware, which we now know costs around $1,000. To find the percentage, we take the $1,000 (cost of the laptop hardware) and divide it by the $10,000 asset value, and come up with 10%.

Asset Value (AV) = $10,000

Exposure Factor (EF) = 10% or .1

Single Loss Expectancy = $1,000

I will plug this $1,000 into my annualized loss expectancy formula.

Annualized rate of occurrence (ARO) = 10

Single loss expectancy (SLE) = $1,000

ARO * SLE = ALE

Annualized Loss Expectancy = $10,000

Take the new lost-or-stolen encrypted laptop number of $10,000, subtract it from the ALE without encryption ($100,000), and you have a delta of $90,000. This is how much money you would be SAVING the company yearly, and it is precisely the conversation you need to have with the management team. Show the numbers in black and white. Let them see for themselves that IT security management, when used proactively, pays dividends to the company, and that it’s an investment that needs to be made.
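As an added example, not code from the original post, here is the ALE arithmetic above as a small Python module. It reproduces the ABC Company numbers and also subtracts the $10,000 software cost from the $90,000 delta, so the net yearly benefit of the control appears beside the delta; the class and function names are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One asset/threat pair in the ALE terms the post uses."""
    asset_value: float            # AV, in dollars
    exposure_factor: float        # EF, fraction of AV lost per incident (0..1)
    occurrences_per_year: float   # ARO

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: ALE = ARO * SLE."""
        return self.occurrences_per_year * self.sle()


def exposure_factor(loss_per_incident: float, asset_value: float) -> float:
    """EF as the post defines it: the share of the asset's value lost in one incident."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    return min(loss_per_incident / asset_value, 1.0)  # a loss cannot exceed the asset


def safeguard_value(before: RiskScenario, after: RiskScenario,
                    annual_safeguard_cost: float) -> dict:
    """Cost/benefit of a control: the ALE delta the post presents, plus the net
    figure once the control's own yearly cost is subtracted (added here)."""
    delta = before.ale() - after.ale()
    return {"ale_before": before.ale(), "ale_after": after.ale(),
            "delta": delta, "net_benefit": delta - annual_safeguard_cost}


# ABC Company scenario from the post: 100 laptops at $10,000 each, 10 lost per
# year, encryption at $100 per laptop, $1,000 of hardware still lost when encrypted.
LAPTOP_COUNT = 100
ENCRYPTION_COST_PER_LAPTOP = 100.0
UNENCRYPTED = RiskScenario(10_000.0, 1.0, 10)
ENCRYPTED = RiskScenario(10_000.0, exposure_factor(1_000.0, 10_000.0), 10)


def abc_company_case() -> dict:
    return safeguard_value(UNENCRYPTED, ENCRYPTED, LAPTOP_COUNT * ENCRYPTION_COST_PER_LAPTOP)


if __name__ == "__main__":
    for name, dollars in abc_company_case().items():
        print(f"{name:>11}: ${dollars:,.0f}")
```

Swap in your own AV, EF, ARO and control cost to build the same before/after table for any safeguard you are asking management to fund.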

I hope you’re able to use this formula to help your organization with security budgets.


Destiny Bertucci is a Security Engineer at SolarWinds with a broad array of certifications and degrees such as Cisco® Certified Network Associate (CCNA), (ISC)² Methodologies, CompTIA IT Operations Specialist (CIOS), CompTIA Secure Infrastructure Specialist (CSIS), INFOSEC, database development degree, and SolarWinds Certified Professional®. In her 15 years as a network manager, she has worked in healthcare, federal, and application engineering, which allowed her to be a successful SolarWinds Senior Application Engineer for over nine years.