How To

Security and Business: Financial Basics

You need to find and use the right financial metrics to communicate security's value to your company. Here are pros and cons of four: TCO, ROI, EVA and ALE.

By Michael Fitzgerald

Page 5

ALE (Annualized Loss Expectancy)
Just the acronym alone should make this popular. And indeed, for many CSOs, calculating annualized loss expectancy provides a useful measure that can help set spending priorities for security. ALEs, for instance, are a way to measure the likely impact of security spending, drawing on existing data around everything from laptop theft to security breaches. Some organizations use similar measures, such as NIST's FIPS (Federal Information Processing Standard) 200. The aim is to assess specific assets, then put a number to the risks they attempt to counter.

Jill Knesek, CSO of BT Americas, says she has stopped using ROI and TCO when talking to her CFO. She felt that the numbers were being driven by "'Chicken Little' kind of stuff," like potential natural disasters, she says. More useful are ALE estimates based on the company's historical data on incidents and related customer loss, brand damage and potential fines. In fact, BT tracks 20 major risks on an ongoing basis, and Knesek uses these numbers to build a risk matrix and presents that to management, framing the conversation in terms of risk exposure and risk appetite.

Knesek acknowledges that even with ALE and risk matrices, there is still a bit of prophecy to the numbers. But she thinks that overall, it works, and the ability to predict risk gets better with each year of data.

The trouble is that ALEs fall short for some types of security. Security consultant Hunt, for instance, warns that "ALEs are just irresponsible, wild guesses in almost every case" when it comes to information security.

Yet even Hunt concedes that for some things, you can figure an ALE. For instance, it's clear what it costs to replace a laptop or a car, and actuarial tables clearly show what kind of loss to expect from, say, earthquakes. Less helpful is looking at the ALE for a firewall. You know that if you don't have one, "bad things are going to happen," says Hunt.

So why bother calculating an ALE? Because ALE, used over time, can show that you're getting something for your security spending, says Bart Lazar, a partner at the Chicago law firm of Seyfarth Shaw.

EC Suite's Bell says that for specific risks ALEs work reasonably well, using measures like predicted rate of occurrence for things like attacks and hardware thefts. He looks at the actual cost as well as opportunity costs to build a loss expectancy for a year. Then he uses the cost of that potential loss to say, "If I'm going to put this protection in place, how much am I willing to spend to try to prevent it from happening, or to decrease my rate of occurrences?"
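As an added example (not from the article, BT, EC Suite or anyone quoted here), the following Python sketches the arithmetic behind the approach Knesek and Bell describe: the annualized rate of occurrence (ARO) estimated from historical incident counts, a single loss expectancy (SLE) built from direct cost plus opportunity cost, ALE as SLE times ARO, and a comparison of a control's yearly cost against the ALE it is expected to remove. The ALE formula is the standard one; every risk name, cost, rate and control in the block is a constructed sample value, not data from the companies named in the article.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    """One tracked risk. Money values are per incident, all in the same currency."""
    name: str
    direct_cost: float        # actual cost per incident: replacement, response, fines
    opportunity_cost: float   # lost revenue or productivity per incident
    aro: float                # annualized rate of occurrence (expected incidents per year)

    @property
    def sle(self) -> float:
        """Single loss expectancy: what one incident costs in total."""
        return self.direct_cost + self.opportunity_cost

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle * self.aro


def aro_from_history(incidents_per_year: List[int]) -> float:
    """Estimate ARO as the mean incident count over the years of data available.

    This is the 'historical data' approach: the estimate gets better as more
    years accumulate, and it is only meaningful for events that actually recur.
    """
    if not incidents_per_year:
        raise ValueError("need at least one year of incident data")
    return sum(incidents_per_year) / len(incidents_per_year)


def evaluate_control(risk: Risk, annual_cost: float,
                     aro_reduction: float, sle_reduction: float = 0.0) -> dict:
    """Compare a control's yearly cost with the ALE it is expected to remove.

    aro_reduction and sle_reduction are fractions in [0, 1]: the share of
    occurrences (or of per-incident cost) the control is expected to eliminate.
    'annual_savings' is the most you can justify spending per year on this control.
    """
    for frac in (aro_reduction, sle_reduction):
        if not 0.0 <= frac <= 1.0:
            raise ValueError("reductions must be fractions between 0 and 1")
    residual_ale = risk.sle * (1 - sle_reduction) * risk.aro * (1 - aro_reduction)
    savings = risk.ale - residual_ale
    return {
        "ale_before": risk.ale,
        "residual_ale": residual_ale,
        "annual_savings": savings,
        "net_benefit": savings - annual_cost,
        "justified": savings >= annual_cost,
    }


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Order risks by expected yearly loss, the usual input to a risk matrix."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed sample data (hypothetical numbers, not from any real company).
# Laptop theft: three years of incident counts give a usable ARO.
LAPTOP_THEFT = Risk("laptop theft", direct_cost=2000.0, opportunity_cost=1500.0,
                    aro=aro_from_history([10, 14, 12]))          # ARO = 12/year
# Ransomware: rare, so the ARO is an assumption rather than a historical mean.
RANSOMWARE = Risk("ransomware outbreak", direct_cost=50000.0,
                  opportunity_cost=200000.0, aro=0.1)            # once per decade


if __name__ == "__main__":
    for r in rank_by_ale([LAPTOP_THEFT, RANSOMWARE]):
        print(f"{r.name:20s} SLE={r.sle:>10,.0f} ARO={r.aro:5.2f} ALE={r.ale:>10,.0f}")
    # Asset tracking at 10,000/year expected to halve laptop losses.
    print(evaluate_control(LAPTOP_THEFT, annual_cost=10000.0, aro_reduction=0.5))
    # A 40,000/year control expected to stop 60% of ransomware outbreaks.
    print(evaluate_control(RANSOMWARE, annual_cost=40000.0, aro_reduction=0.6))
```

Run as a script it prints the two risks ranked by ALE and the two control evaluations. The laptop-theft control pays for itself on ALE alone; the ransomware control does not, which is exactly the weakness the article raises: a low-frequency, high-impact event has a modest ALE, so an ALE-only comparison can argue against controls a management team would still want, and the ARO for such events is a guess rather than a measurement.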
