ALE = SLE * ARO
where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence.
An important feature of the Annualized Loss Expectancy is that it can be used directly in a cost-benefit analysis. If a threat or risk has an ALE of $5,000, then it may not be worth spending $10,000 per year on a security measure which will eliminate it.
One thing to remember when using the ALE value is that, when the Annualized Rate of Occurrence is of the order of one loss per year, there can be considerable variance in the actual loss. For example, suppose the ARO is 0.5 and the SLE is $10,000. The Annualized Loss Expectancy is then $5,000, a figure we may be comfortable with. Using the Poisson Distribution we can calculate the probability of a specific number of losses occurring in a given year:
| Number of Losses in Year | Probability | Annual Loss |
|---|---|---|
| 0 | 0.6065 | $0 |
| 1 | 0.3033 | $10,000 |
| 2 | 0.0758 | $20,000 |
| ≥3 | 0.0144 | ≥$30,000 |
We can see from this table that the probability of a loss of $20,000 is 0.0758, and that the probability of losses being $30,000 or more is approximately 0.0144. Depending upon our tolerance to risk and our organization's ability to withstand higher value losses, we may consider that a security measure which costs $10,000 per year to implement is worthwhile, even though it is more than the expected losses due to the threat.
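The table above can be reproduced, and the comparison with the $10,000 control cost made explicit, with a short script. This is an added example, not part of the original page; the function names are hypothetical, and it assumes, as the text does, a Poisson-distributed loss count with a fixed SLE per event.

```python
import math

def poisson_pmf(k, rate):
    """P(exactly k losses in a year) when losses arrive at mean `rate` (the ARO)."""
    return math.exp(-rate) * rate**k / math.factorial(k)

def loss_table(aro, sle, max_count=2):
    """Rows of (label, probability, annual loss) for 0..max_count losses,
    followed by one tail row for max_count + 1 or more losses."""
    rows, cumulative = [], 0.0
    for k in range(max_count + 1):
        p = poisson_pmf(k, aro)
        cumulative += p
        rows.append((str(k), p, k * sle))
    # Tail row: the loss shown is the minimum loss in that bucket.
    rows.append((f">={max_count + 1}", 1.0 - cumulative, (max_count + 1) * sle))
    return rows

def prob_loss_exceeds(aro, sle, threshold):
    """P(annual loss > threshold), where annual loss = (number of losses) * SLE."""
    if sle <= 0:
        raise ValueError("SLE must be positive")
    # Largest loss count whose total is still within the threshold.
    k_max = math.floor(threshold / sle)
    return 1.0 - sum(poisson_pmf(k, aro) for k in range(k_max + 1))

def annual_loss_std(aro, sle):
    """Standard deviation of annual loss. A Poisson count has variance equal
    to its mean (the ARO), so the loss has standard deviation SLE * sqrt(ARO)."""
    return sle * math.sqrt(aro)

if __name__ == "__main__":
    ARO, SLE, CONTROL_COST = 0.5, 10_000, 10_000  # values from the text
    print(f"ALE = ${SLE * ARO:,.0f}, std dev = ${annual_loss_std(ARO, SLE):,.0f}")
    for label, p, loss in loss_table(ARO, SLE):
        print(f"{label:>3} losses  p={p:.4f}  annual loss ${loss:,}")
    p_over = prob_loss_exceeds(ARO, SLE, CONTROL_COST)
    print(f"P(annual loss > ${CONTROL_COST:,}) = {p_over:.4f}")
```

With the text's figures the standard deviation of the annual loss is larger than the ALE itself, and the chance that a year's losses exceed the $10,000 control cost is about 9%.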