Annual Loss Expectancy

Annual Loss Expectancy (ALE) is the number you show leadership when "we should probably fix that" isn't persuasive enough. This is cyber risk explained in the boardroom as a dollar amount when someone asks how bad a breach could get. It's risk math that ends in dollars instead of shrugs. The IBM Cost of a Data Breach Report 2024 gives us the hard data to back it up.

The ALE Formula: Security Spending in One Equation

ALE = ARO × SLE

This formula comes from quantitative risk analysis methodologies outlined in NIST SP 800-30 and formalized by the FAIR (Factor Analysis of Information Risk) framework.

Component  Full Name                      Example Value
ARO        Annualized Rate of Occurrence  0.3/yr
SLE        Single Loss Expectancy         $4.88M
ALE        Annual Loss Expectancy         $1.46M/yr

Pro Tip

If your control costs less than the ALE it reduces, it pays for itself.
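
The check in the Pro Tip, worked through in code as an added example (not part of the original page): it takes the table's ARO and SLE, applies each candidate control's effect on frequency or impact, and compares the ALE removed with the control's yearly cost. The control names, costs and reduction factors are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    aro: float   # Annualized Rate of Occurrence, events per year
    sle: float   # Single Loss Expectancy, dollars per event

    def ale(self) -> float:
        if self.aro < 0 or self.sle < 0:
            raise ValueError("ARO and SLE must be non-negative")
        return self.aro * self.sle

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # dollars per year (hypothetical figure)
    aro_factor: float = 1.0  # residual ARO multiplier (0.5 halves frequency)
    sle_factor: float = 1.0  # residual SLE multiplier (0.8 cuts impact by 20%)

def evaluate(s: Scenario, c: Control) -> dict:
    """Compare the ALE a control removes against what it costs per year."""
    for f in (c.aro_factor, c.sle_factor):
        if not 0.0 <= f <= 1.0:
            raise ValueError("residual factors must be within [0, 1]")
    residual = Scenario(s.name, s.aro * c.aro_factor, s.sle * c.sle_factor)
    reduction = s.ale() - residual.ale()
    return {
        "control": c.name,
        "ale_before": round(s.ale(), 2),
        "ale_after": round(residual.ale(), 2),
        "ale_reduction": round(reduction, 2),
        "net_benefit": round(reduction - c.annual_cost, 2),
        "pays_for_itself": c.annual_cost < reduction,
    }

# Scenario uses the page's example values; the controls are constructed.
BREACH = Scenario("data breach", aro=0.3, sle=4_880_000)
CONTROLS = [
    Control("control A (cuts frequency)", 250_000, aro_factor=0.5),
    Control("control B (cuts impact)", 400_000, sle_factor=0.8),
    Control("control C (both)", 150_000, aro_factor=0.9, sle_factor=0.9),
]

def rank(s: Scenario, controls: list) -> list:
    """Evaluate every control and sort by net annual benefit, best first."""
    return sorted((evaluate(s, c) for c in controls),
                  key=lambda r: r["net_benefit"], reverse=True)
```

Calling rank(BREACH, CONTROLS) puts control A first and control B last: B removes less ALE than it costs, so it fails the Pro Tip test even though it lowers the loss per event.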