Annualized Loss Exposure (ALE) is a key output from a FAIR quantitative risk analysis. ALE is computed as:
ALE = Event Frequency x Single Loss Magnitude
Occasionally in industry, we observe organizations that focus more heavily on impact. If this is the case, take a look at the following table:
| Asset | Effect | Type | Single Event Loss Magnitude (SLM) |
|---|---|---|---|
| Customer Support Site | Availability | Malicious | $12,000 |
| eCommerce Database | Availability | Error | $246,000 |
| Order Process System | Availability | Error | $30,000 |
| Share Drives | Availability | Malicious | $80,000 |
The scenario above that looks the most significant to the organization is an outage of the eCommerce Database.
But beware…
If we are trying to prioritize by Risk, which means considering both Magnitude and Frequency:
| Asset | Effect | Type | Single Event Loss Magnitude (SLM) | Event Frequency | ALE |
|---|---|---|---|---|---|
| Customer Support Site | Availability | Malicious | $12,000 | 1 per year | $12,000 |
| eCommerce Database | Availability | Error | $246,000 | 1 every 10 years | $24,600 |
| Order Process System | Availability | Error | $30,000 | 4 per year | $120,000 |
| Share Drives | Availability | Malicious | $80,000 | 1 every 2 years | $40,000 |
We see the true prioritization has changed.
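The comparison above can be reproduced as a short script. This is an added example, not part of the original post: it turns the frequency wording from the table into an annual rate, applies the ALE formula, and reports each scenario's rank by SLM next to its rank by ALE. The function names and the frequency parser are assumptions made for illustration.

```python
import re
from fractions import Fraction

# Scenario rows copied from the tables above: (asset, SLM in dollars, frequency text).
SCENARIOS = [
    ("Customer Support Site", 12_000, "1 per year"),
    ("eCommerce Database", 246_000, "1 every 10 years"),
    ("Order Process System", 30_000, "4 per year"),
    ("Share Drives", 80_000, "1 every 2 years"),
]

# Hypothetical parser for the two phrasings used in the table.
_FREQ = re.compile(r"^\s*(\d+)\s+(?:per\s+year|every\s+(\d+)\s+years?)\s*$", re.I)

def annual_frequency(text):
    """Convert 'N per year' or 'N every M years' into events per year."""
    m = _FREQ.match(text)
    if not m:
        raise ValueError(f"unrecognized frequency: {text!r}")
    events, years = int(m.group(1)), int(m.group(2) or 1)
    if years == 0:
        raise ValueError("period must be at least one year")
    return Fraction(events, years)  # exact, so $246,000 / 10 stays $24,600

def ale(slm, freq_text):
    """ALE = Event Frequency x Single Loss Magnitude, in dollars per year."""
    return annual_frequency(freq_text) * slm

def ranking(key):
    """Asset names ordered from highest to lowest by the given key function."""
    return [row[0] for row in sorted(SCENARIOS, key=key, reverse=True)]

def rank_shift():
    """Map each asset to (rank by SLM, rank by ALE), where 1 is the highest."""
    by_slm = ranking(lambda r: r[1])
    by_ale = ranking(lambda r: ale(r[1], r[2]))
    return {a: (by_slm.index(a) + 1, by_ale.index(a) + 1) for a in by_slm}

if __name__ == "__main__":
    shift = rank_shift()
    for asset, slm, freq in SCENARIOS:
        s, a = shift[asset]
        print(f"{asset:<22} SLM rank {s}  ALE rank {a}  ALE ${float(ale(slm, freq)):,.0f}")
```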
In wrapping up: I am not advocating that we stop communicating Single Loss Magnitude. Rather, I am telling a cautionary tale about forgetting the true definition of risk according to the FAIR standard. In reporting on risk, it is common for us to communicate both ALE and SLM. In doing so, we provide more information that could be valuable to key stakeholders.