Stomping on ALE's grave

Short post: I believe they still teach Annualized Loss Expectancy (ALE) as a way of calculating security risk in programs like CISSP. While I will write a whole post later on why CISSP is so outdated and irrelevant, ALE is one of its worst aspects. It should be killed and the grave stomped on thoroughly. Here is why...


ALE is a relic of a bygone era. The equations are:

Annualized Loss Expectancy (ALE) = Annual Rate of Occurrence (ARO) x Single Loss Expectancy (SLE)

Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)

You can read the definitions of each term on Wikipedia.


These are some of its key problems:

Asset value - it is very difficult to accurately calculate the value in £/$ terms of an information asset. For example, how much is your client list worth (this year's revenue, or a discounted cash flow?), or all the credit card numbers you hold from your customers? For the card numbers it is actually not their worth to you that matters but their value to the customers, to society and, more importantly, to the threat agents.

Exposure factor - this is the worst aspect. Information assets are not like a building and a fire; it makes no sense to say that you will lose 45% of the value of an HR database of personally identifiable information in a security incident. The actual impact is the financial, reputational and competitive damage to your company from an incident involving that information. The cost of the security incident is not an impairment of the asset: the asset could be perfectly fine, but if your competitors have your trade secrets via a lost USB stick you still have an impact on your business.

ARO - suffers from the fact that humans are very bad at predicting the probability of future events that are not physical. In fact, most security incidents you care about you would estimate (hope) happen less than once every 10 - 50 years. Using ARO artificially inflates the risk of incidents that happen frequently but that you don't really care about that much (e.g. a $3 million a year loss in internet banking fraud, made up of thousands of incidents, is simply the cost of doing business on that channel) vs. the black swan Heartland Payment Systems or TJ Maxx incident that sends you bankrupt.
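To make the ARO point concrete, here is an added example (not from the original post) that scores the two scenarios just described with the textbook ALE formula and then simulates them year by year to show what the single expected-value figure hides. All asset values, exposure factors, rates and the $20M "ruin" threshold are constructed, illustrative numbers.

```python
import math
import random

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF, exactly as the textbook formula has it."""
    return asset_value * exposure_factor

def annualized_loss_expectancy(aro, asset_value, exposure_factor):
    """ALE = ARO x SLE."""
    return aro * single_loss_expectancy(asset_value, exposure_factor)

# Constructed inputs mirroring the post's two scenarios (illustrative values only):
SCENARIOS = {
    # thousands of small fraud losses that add up to about $3M a year
    "internet banking fraud": {"aro": 3000.0, "asset_value": 10_000.0, "ef": 0.1},
    # one breach every 25 years whose impact would bankrupt the company
    "catastrophic breach": {"aro": 1 / 25, "asset_value": 100_000_000.0, "ef": 0.5},
}

def rank_by_ale(scenarios):
    """Scenario names ordered highest ALE first: how ALE would prioritise them."""
    key = lambda n: annualized_loss_expectancy(
        scenarios[n]["aro"], scenarios[n]["asset_value"], scenarios[n]["ef"])
    return sorted(scenarios, key=key, reverse=True)

def _incidents_in_a_year(aro, rng):
    """Draw the number of incidents in one year from Poisson(aro): Knuth's method
    for small rates, a normal approximation for large ones where exp(-aro) underflows."""
    if aro >= 50:
        return max(0, int(round(rng.gauss(aro, math.sqrt(aro)))))
    limit, k, p = math.exp(-aro), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def probability_of_ruin(scenario, ruin_threshold, years=20000, seed=1):
    """Fraction of simulated years whose total loss exceeds ruin_threshold.
    This tail view is exactly what a single expected-value number (ALE) hides."""
    rng = random.Random(seed)
    sle = single_loss_expectancy(scenario["asset_value"], scenario["ef"])
    ruined = sum(1 for _ in range(years)
                 if _incidents_in_a_year(scenario["aro"], rng) * sle > ruin_threshold)
    return ruined / years

if __name__ == "__main__":
    for name, s in SCENARIOS.items():
        ale = annualized_loss_expectancy(s["aro"], s["asset_value"], s["ef"])
        print(f"{name}: ALE = ${ale:,.0f}, "
              f"P(yearly loss > $20M) = {probability_of_ruin(s, 20_000_000):.3f}")
    print("ALE ranking:", rank_by_ale(SCENARIOS))
```

ALE ranks the fraud ($3M/year) above the breach ($2M/year), yet the fraud never comes close to the ruin threshold while the breach crosses it in roughly 4% of simulated years.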

How to fix it

I am not proposing a magic bullet in this post; I am just telling you that ALE is not the best way to calculate your security risks. I'm not advocating a finger-in-the-air qualitative approach either. My application (which will be web based and mobile on iPhone and Android) will use a modified, enhanced version of the OWASP risk assessment methodology. If you are interested in being a beta tester for this application, contact me on Twitter or LinkedIn.

This application will not, however, be a significant improvement in security risk assessment methodology (it will be convenient, easy to use and practical, and a step forward). To take that step I believe some university PhDs need to do research into using power laws to predict and value security incidents. Because I am not a maths expert and like money too much to do a PhD, I will leave this to others more qualified. If anyone knows of a good study, let me know.
