Annual Loss Expectancy

About Annual Loss Expectancy

Annual Loss Expectancy (ALE) is the number you show leadership when "we should probably fix that" isn't persuasive enough. This is cyber risk explained in the boardroom as a dollar amount when someone asks how bad a breach could get. It's risk math that ends in dollars instead of shrugs. The IBM Cost of a Data Breach Report 2024 gives us the hard data to back it up.

The ALE Formula: Security Spending in One Equation

ALE = ARO × SLE

This formula comes from quantitative risk analysis methodologies outlined in NIST SP 800-30 and formalized by the FAIR (Factor Analysis of Information Risk) framework.

Component  Full Name                      Example Value
ARO        Annualized Rate of Occurrence  0.3/yr
SLE        Single Loss Expectancy         $4.88M
ALE        Annual Loss Expectancy         $1.46M/yr

Pro Tip

If your control costs less than the ALE it reduces, it pays for itself.

Annual Loss Expectancy: Frequently Asked Questions

What is Annual Loss Expectancy (ALE)?

Annual Loss Expectancy (ALE) is a quantitative risk metric that expresses your expected cybersecurity loss in dollars per year. It is calculated by multiplying the Single Loss Expectancy (SLE) — the dollar value of one incident — by the Annualized Rate of Occurrence (ARO), which is how many times that incident is expected to happen per year. ALE gives security leaders a concrete number to justify security spending to boards and CFOs.

How do you calculate ALE?

ALE = ARO × SLE. To calculate it: (1) determine your Single Loss Expectancy by multiplying asset value by exposure factor; (2) estimate your Annualized Rate of Occurrence based on threat intelligence and historical data; (3) multiply the two. Example: if a ransomware attack has an SLE of $4.88M and an ARO of 0.3 (expected every 3.3 years), your ALE is $1.46M per year.

What is the difference between SLE and ALE?

SLE (Single Loss Expectancy) is the dollar cost of a single occurrence of a risk event — one breach, one ransomware attack. ALE (Annual Loss Expectancy) is the annualized version: SLE multiplied by how often that event is expected per year (ARO). SLE measures impact per event; ALE measures expected cost per year. ALE is the number that matters for budget planning.

What is ARO in cybersecurity?

ARO (Annualized Rate of Occurrence) is the estimated frequency of a threat event occurring within a year. An ARO of 1.0 means the event is expected once per year. An ARO of 0.1 means once every 10 years. An ARO of 3.0 means three times per year. ARO comes from threat intelligence feeds, industry breach reports, and historical incident data. The IBM Cost of a Data Breach Report is a common source for ARO benchmarks.

How does ALE relate to cybersecurity budget justification?

ALE turns vague risk into boardroom language: dollars. If a security control costs $200K per year and reduces ALE by $600K per year, the ROI is self-evident. The rule of thumb is that any control costing less than the ALE reduction it produces pays for itself. ALE-based justification is the approach recommended by NIST SP 800-30 and the FAIR risk quantification framework for presenting security investments to leadership.
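The three calculation steps and the "pays for itself" rule from the answers above, as an added worked example (not code from the original page). Only the $4.88M SLE and 0.3 ARO come from the page; the asset value, exposure factor, and the three controls with their costs and effects are constructed for illustration.

```python
from dataclasses import dataclass, replace
from decimal import Decimal as D
from typing import Optional

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: D       # dollars at risk
    exposure_factor: D   # fraction of asset value lost per event (0..1)
    aro: D               # expected events per year

    def __post_init__(self):
        if not D(0) <= self.exposure_factor <= D(1):
            raise ValueError("exposure factor must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value cannot be negative")

    @property
    def sle(self) -> D:  # step 1: SLE = asset value x exposure factor
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> D:  # step 3: ALE = ARO x SLE
        return self.aro * self.sle

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: D
    aro_after: Optional[D] = None       # residual frequency, if the control lowers it
    exposure_after: Optional[D] = None  # residual exposure, if the control lowers it

def evaluate(risk: Risk, control: Control) -> dict:
    # Recompute ALE with the control in place, then compare the drop to its cost.
    aro = risk.aro if control.aro_after is None else control.aro_after
    ef = risk.exposure_factor if control.exposure_after is None else control.exposure_after
    residual = replace(risk, aro=aro, exposure_factor=ef)
    reduction = risk.ale - residual.ale
    return {"control": control.name, "ale_after": residual.ale,
            "reduction": reduction, "net_benefit": reduction - control.annual_cost,
            "pays_for_itself": control.annual_cost < reduction}

def rank(risk: Risk, controls: list) -> list:
    # Best net yearly benefit first.
    return sorted((evaluate(risk, c) for c in controls),
                  key=lambda r: r["net_benefit"], reverse=True)

# Constructed inputs: asset value and exposure factor chosen so that SLE = $4.88M.
RISK = Risk("ransomware", D("12200000"), D("0.4"), D("0.3"))
CONTROLS = [Control("A: cuts frequency", D("200000"), aro_after=D("0.15")),
            Control("B: cuts impact", D("200000"), exposure_after=D("0.25")),
            Control("C: marginal", D("300000"), aro_after=D("0.27"))]
```

With these constructed inputs, control C costs more than the ALE it removes, so it ranks last with a negative net benefit even though it does lower the risk.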
