People ask me what I do on a blog, like they expect that I tell people about my bowel movements or something. I tell them that it gives me an outlet to proselytize about two-factor authentication, post things that don't belong on a corporate marketing site and throw up half-baked thoughts without the pressure of writing a full-blown white paper. This post goes under the last category.


I have posted about information security and ROI and why ROI is a poor measure for everything. I suggested that using a risk-adjusted cap rate is a much better idea. I even suggested a way to doctor up a cap rate to compensate for information security risks. In a discussion some time ago on Security-basics, a poster brought up ALE (annualized loss expectancy) as a good solution too. I've been chewing on ALE and want to discuss using it in an NPV calculation to see what comes to mind and see if it generates some discussion.


I believe that most enterprises underinvest in security because certain expenses can be hard to justify. I believe that enterprises unknowingly accept greater risk than is acceptable given their projected returns. ALE is an interesting concept because it promises to put a number on that risk. I had trouble coming up with numbers I felt comfortable with for projected losses; I think the costs are under-reported, in general, so IT pros will have to come up with their own numbers. For my example, I used some costs from the CSI/FBI survey. While only about half of the companies reported financial costs for attacks, I think they offer a good, averaged base number.


Theft of Proprietary Information: $11,460,000.00
System Penetration: $901,500.00
Unauthorized Access: $4,278,205.00
Total: $16,639,705.00
Number of respondents: 269
Average per year (per respondent): $61,857.64


While these numbers have some basis in reality, the VPN example I then used is completely made up: a new remote access solution that costs $100,000 saves $10,000 per month in remote access dial-up costs and increased productivity. The ROI is good, and the payback period is 10 months. What about NPV? Assuming the firm's weighted-average cost of capital is 8%, here is the base scenario NPV:


Investment: $100,000
Interest Rate: 8%
Period: 36 months
Savings: $10,000 per month
NPV: $15,899.93


All good so far. But as an IT professional, you know there is an increased risk with the new system. If you subtract an ALE from your savings, what happens to NPV? I used the $61,857 number from the CSI report without adjustment, divided by 12 months. I figured that only half reported and they averaged it out already, plus these are only a portion of the actual potential problems. The survey doesn't break out the costs, so it's hard to tell how accurate they are. Your mileage may vary.


Investment: $100,000
Interest Rate: 8%
Period: 36 months
Savings: $10,000 - $5,154.80 = $4,845.20 per month
NPV: ($40,025.83)


Ouch, we went negative in a big way! You can do some sensitivity analysis around these figures now. You can apply your own expectations of loss. If you have high-value intellectual property, if you are in a highly targeted industry, or if you have highly uncooperative employees, you might raise your numbers. Or you can hypothesize what investing in information security systems that reduce the likelihood of a successful attack would do to the numbers.
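The two NPV figures above, recomputed as an added example (not from the original post), with a break-even check to support the sensitivity analysis. Since the post does not say how its figures were produced, the example assumes a spreadsheet-style NPV() that discounts every cash flow, the initial investment included, by one period and applies the 8% per period; that assumption reproduces $15,899.93 and ($40,025.83) exactly. All function and constant names are mine.

```python
# Constructed from the CSI/FBI survey figures quoted in the post, in dollars.
SURVEY_LOSSES = {
    "Theft of Proprietary Information": 11_460_000.00,
    "System Penetration": 901_500.00,
    "Unauthorized Access": 4_278_205.00,
}
RESPONDENTS = 269

# The made-up VPN project from the post.
INVESTMENT, MONTHLY_SAVING, MONTHS, RATE = 100_000.0, 10_000.0, 36, 0.08


def annual_loss_expectancy(losses=SURVEY_LOSSES, respondents=RESPONDENTS):
    """Average reported loss per respondent per year: the post's ALE proxy."""
    return sum(losses.values()) / respondents


def spreadsheet_npv(rate, cash_flows):
    """NPV as a spreadsheet NPV() function computes it (an assumption about how
    the post's figures were produced): cash flow i is discounted i+1 periods,
    so the initial investment is discounted too, and the rate is per period."""
    return sum(cf / (1 + rate) ** (i + 1) for i, cf in enumerate(cash_flows))


def project_npv(monthly_ale=0.0, investment=INVESTMENT, saving=MONTHLY_SAVING,
                months=MONTHS, rate=RATE):
    """Investment first, then `months` savings, each reduced by the monthly ALE."""
    return spreadsheet_npv(rate, [-investment] + [saving - monthly_ale] * months)


def breakeven_monthly_ale(investment=INVESTMENT, saving=MONTHLY_SAVING,
                          months=MONTHS, rate=RATE):
    """Largest monthly loss expectancy at which NPV is still >= 0.
    NPV = -I/(1+r) + (S - A) * F, with F the discounted value of one dollar
    in every saving period, so NPV = 0 at A = S - I / ((1 + r) * F)."""
    factor = spreadsheet_npv(rate, [0.0] + [1.0] * months)
    return saving - investment / ((1 + rate) * factor)


if __name__ == "__main__":
    monthly_ale = annual_loss_expectancy() / 12          # 5154.80
    print(f"Base NPV:        {project_npv():,.2f}")             # 15899.93
    print(f"NPV minus ALE:   {project_npv(monthly_ale):,.2f}")  # -40025.83
    print(f"Break-even ALE:  {breakeven_monthly_ale():,.2f} per month")
    # Sensitivity: scale the survey ALE up or down for your own environment.
    for k in (0.25, 0.5, 1.0, 2.0):
        print(f"  {k:>4}x ALE -> NPV {project_npv(monthly_ale * k):,.2f}")
```

The break-even value is the monthly loss expectancy at which the project stops paying for itself; anything you expect above it means the base-case NPV is overstating the return.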


I'd be interested in better ALE numbers and how they might be calculated by a company, if anyone has such data or can point me to it.