The Annualized Loss Expectancy (ALE) is the monetary loss
that can be expected for an asset due to a risk over a one-year period.
It is defined as:

ALE = SLE * ARO

where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence.

An important feature of the Annualized Loss Expectancy is that it can be used directly in a cost-benefit analysis. If a threat or risk has an ALE of $5,000, then it may not be worth spending $10,000 per year on a security measure which will eliminate it.

One thing to remember when using the ALE value is that, when the Annualized Rate of Occurrence is of the order of one loss per year, there can be considerable variance in the actual loss. For example, suppose the ARO is 0.5 and the SLE is $10,000. The Annualized Loss Expectancy is then $5,000, a figure we may be comfortable with. Using the Poisson distribution we can calculate the probability of a specific number of losses occurring in a given year:

| Number of Losses in Year | Probability | Annual Loss |
|---|---|---|
| 0 | 0.6065 | $0 |
| 1 | 0.3033 | $10,000 |
| 2 | 0.0758 | $20,000 |
| ≥3 | 0.0144 | ≥$30,000 |

We can see from this table that the probability of a loss of $20,000
is 0.0758, and that the probability of losses being $30,000 or more
is approximately 0.0144. Depending upon our tolerance to risk and
our organization's ability to withstand higher value losses, we may
consider that a security measure which costs $10,000 per year
to implement is worthwhile, *even though it is more than the
expected losses due to the threat.*
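
The table above can be reproduced for any SLE and ARO with the short Python sketch below. This is an added example, not part of the original page; the function names are illustrative, and it assumes, as the table does, that every loss costs exactly the SLE. It goes one step beyond the table by also computing the probability that the year's losses exceed a chosen threshold, such as the annual cost of the security measure.

```python
import math

def ale(sle, aro):
    """Annualized Loss Expectancy: ALE = SLE * ARO."""
    return sle * aro

def poisson_pmf(k, rate):
    """Probability of exactly k losses in a year when the ARO is `rate`."""
    return math.exp(-rate) * rate ** k / math.factorial(k)

def loss_table(sle, aro, max_rows=3):
    """Rows of (label, probability, annual loss) for 0..max_rows-1 losses,
    followed by one tail row covering max_rows or more losses."""
    rows = []
    cumulative = 0.0
    for k in range(max_rows):
        p = poisson_pmf(k, aro)
        cumulative += p
        rows.append((str(k), p, k * sle))
    # Tail row: its loss figure is a lower bound (>= max_rows * sle).
    rows.append((f">={max_rows}", 1.0 - cumulative, max_rows * sle))
    return rows

def prob_loss_exceeds(sle, aro, threshold):
    """Probability that the year's total loss is strictly greater than threshold."""
    # Total loss is k * sle, so k_max is the largest loss count that
    # still keeps the total at or below the threshold.
    k_max = math.floor(threshold / sle)
    within = sum(poisson_pmf(k, aro) for k in range(k_max + 1))
    return 1.0 - within

if __name__ == "__main__":
    SLE, ARO, CONTROL_COST = 10_000, 0.5, 10_000  # figures used in the text
    print(f"ALE = ${ale(SLE, ARO):,.0f}")
    for label, p, loss in loss_table(SLE, ARO):
        print(f"{label:>4} | {p:.4f} | ${loss:,}")
    p_tail = prob_loss_exceeds(SLE, ARO, CONTROL_COST)
    print(f"P(annual loss > ${CONTROL_COST:,}) = {p_tail:.4f}")
```

With the figures from the text, the chance that the year's losses exceed the $10,000 cost of the measure is the sum of the last two table rows, about 0.09.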

You are welcome to use these definitions for any purpose provided that an acknowledgement is made to **www.RiskyThinking.com** and (if you're using HTML) you provide a link back to this site.
