Strategies


Risk Management

Calculated Risk

09.12.2002
By Scott Berinato

In the end, the math is simple. You subtract cost from benefits. A positive number is good: a return on investment. A negative number is bad: You're spending more than you're getting.

Of course, the math behind the variables and coefficients that go into the costs and benefits is massively complex. Fortunately, if you've got raw data from your legwork, someone else has done or will do the difficult computations for you. Still, there are some basic risk computations you should know. Here they are:

ANNUAL LOSS EXPECTANCY. ALE is the foundation of risk assessment. It is what it sounds like: how much money you expect to lose per year due to some sort of security incident. Note that this is different from the raw cost of an incident (which, remember, you should always keep as a baseline). It's actually the raw cost times the probability of an event in the next year. So the ALE of a security breach that costs $1 million and has a 40 percent chance of happening is:

Incident cost X Probability of incident = ALE
$1,000,000 X 0.4 = $400,000

MODIFIED ALE. mALE is the same equation, but with the probability affected by mitigation measures you take. Imagine the above scenario were a virus attack. You introduce antivirus software that cuts in half the probability of a successful attack, to 20 percent. Or, you start an awareness program that reduces probability 5 percent. (These are arbitrary, but if you've done the legwork from Step 2, you'll have real numbers to plug in here.) Then:
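The ALE and mALE arithmetic above, carried through to the cost-versus-benefit figure from the opening paragraph, as an added example that is not part of the original article. It uses the article's $1 million incident and 40 percent probability; the annual cost of each control is a constructed placeholder, and the awareness program's "5 percent" is read here as 5 percentage points (40 to 35 percent), which is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Control:
    """A mitigation measure and the incident probability it leaves behind."""
    name: str
    annual_cost: float           # what the control costs per year (constructed values below)
    residual_probability: float  # probability of the incident after the control is in place


def ale(incident_cost: float, probability: float) -> float:
    """Annual Loss Expectancy: raw incident cost times the probability of the event next year."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return incident_cost * probability


def modified_ale(incident_cost: float, control: Control) -> float:
    """mALE: the same equation, with the probability as changed by the control."""
    return ale(incident_cost, control.residual_probability)


def control_roi(incident_cost: float, baseline_probability: float, control: Control) -> float:
    """Benefit (the ALE reduction the control buys) minus its annual cost.

    Positive: the control returns more than it costs. Negative: you spend more than you save.
    """
    benefit = ale(incident_cost, baseline_probability) - modified_ale(incident_cost, control)
    return benefit - control.annual_cost


# Scenario from the article: a $1M incident with a 40 percent chance of happening this year.
INCIDENT_COST = 1_000_000.0
BASELINE_P = 0.4

# Constructed controls. Residual probabilities follow the article (antivirus halves it to 20%,
# awareness takes 5 points off to 35%); the annual costs are made-up placeholders.
CONTROLS = [
    Control("antivirus software", annual_cost=50_000.0, residual_probability=0.20),
    Control("awareness program", annual_cost=60_000.0, residual_probability=0.35),
]

if __name__ == "__main__":
    print(f"ALE without controls: ${ale(INCIDENT_COST, BASELINE_P):,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: mALE ${modified_ale(INCIDENT_COST, c):,.0f}, "
              f"net return ${control_roi(INCIDENT_COST, BASELINE_P, c):,.0f}")
```

With these placeholder costs the antivirus control nets $150,000 a year while the awareness program nets -$10,000, which is exactly the positive-versus-negative test the opening paragraph describes.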
