For a time when I worked at Microsoft, in my department, the booze cart would come by every Friday afternoon for happy hour, and we’d get free alcoholic beverages. The legal department shut that down because they used ALE. Ironic that ALE ended happy hour, isn’t it? Read on, and you’ll see why ALE killed happy hour.
What’s the ROI for the door to a bank vault? How much should a bank spend on the door to a vault? The answer isn’t simple. In fact, the ROI cannot be measured but can be approximated through data analysis. What if the vault door prevented 20 compromises of the vault? Again, the answer isn’t simple. How much money is in the vault? How much loot can the robber(s) take with them? A purchase decision, in this case, cannot be made based upon ROI. The decision is actuarial and depends on loss exposure— mainly single loss exposure (SLE) and annualized loss exposure (ALE). I’ll get into that shortly.
Isn’t your web application and API protection (WAAP) system a type of vault door? Your intrusion prevention system? Almost all of your security products are analogous to a bank vault door, which is fundamentally an insurance policy. When you ask for a budget, it’s going to be difficult to get what is needed if the Cerberus guarding the budget thinks in terms of ROI. They need to think like actuaries. That’s how insurance rates are calculated, and it is how you determine how much insurance to purchase.
Test labs (or ratings agencies, as they are sometimes dubbed) have long reported security efficacy, false positives, and performance. That’s essential information, but on its own it is insufficient for a purchase that is best described as an insurance policy. For that reason, SecureIQLab provides a metric called return on security investment (ROSI). ROSI integrates security efficacy, operational efficiency, and ALE to provide a critical metric not found in other test lab/ratings reports.
At SecureIQLab, we recognize that quantifying ROSI is important for obtaining a budget and assessing the comparative value of security products you may consider purchasing. The ROSI formula involves three variables.
- Security Efficacy (SE). The better the SE score, the lower the risk of compromise and, potentially, the better the mitigation, which reduces the cost of failure. Ask any insurance company why they give discounts for certain safety features in cars.
- Total Cost of Ownership (TCO). TCO is calculated as an annual expense and includes the purchase price as well as operational maintenance costs.
- Annualized Loss Exposure (ALE). Annualized loss exposure, AKA annual loss expectancy, is the projected cost of failure. This information is extracted from historical losses. ALE is specific to each organization, but the SecureIQLab ALE calculator defaults to $4.24 million. This number is based on IBM’s Cost of a Data Breach Report 2023.
ALE is a critical component. Without the ALE metric, you can’t know what the correct amount of money to spend on a security product is.
As an arbitrary example, I am looking at two security products. The TCO of one product is $10,000 per year, and the TCO for the other is only $5,000. The more expensive product has somewhat better security efficacy, but my ALE is $2,500. Note that ALE is exposure, not necessarily what is expected. I might only expect an incident to cost $1,600 even though my exposure is potentially $2,500. Given the low ALE, does paying for the more expensive product make sense? Maybe. However, that depends upon variables such as brand reputation damage, regulatory fines, and lawsuits, to name a few factors.
ROSI provides a valuable metric, but one size does not fit all. For example, the ALE for a hospital is much greater than the ALE for a law firm suing the hospital. Yeah, law offices and hospitals are attractive targets for cybercriminals.
We provide a ROSI calculator so that security practitioners can factor in variables that will affect the ALE for specific companies, helping enterprises fine-tune the ROSI score derived by SecureIQLab.
ROSI is calculated by multiplying the annualized loss exposure by the security efficacy score, subtracting the TCO, and dividing that result by the TCO.
ROSI = (ALE x SE - TCO) / TCO
The better the security efficacy, the better the ROSI. The higher the TCO, the lower the ROSI. ROSI is negative whenever ALE x SE is less than TCO; that is, whenever the product costs more per year than the loss it can be expected to prevent. But ultimately, without an ALE, purchasing decisions get made without empirical support. Without ALE, pubs go out of business.
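The following is an added worked example, not SecureIQLab’s calculator or any code from the original post. It derives ALE from single loss exposure (SLE) and annualized rate of occurrence (ARO), the standard quantitative risk relationship ALE = SLE x ARO, then applies the ROSI formula above to the two products from the $10,000 versus $5,000 example. The SLE, ARO, and efficacy scores (0.95 and 0.90) are assumed values chosen for illustration; SE is treated as a fraction between 0 and 1.

```python
from dataclasses import dataclass


def annualized_loss(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (standard quantitative risk analysis).

    sle: single loss exposure in dollars.
    aro: annualized rate of occurrence (e.g. 0.01 = once per 100 years).
    """
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def rosi(ale: float, se: float, tco: float) -> float:
    """ROSI = (ALE x SE - TCO) / TCO, the formula used on this page.

    se is security efficacy as a fraction in [0, 1]; tco is annual cost.
    A negative result means the product costs more than the loss it is
    expected to prevent in a year.
    """
    if tco <= 0:
        raise ValueError("TCO must be positive")
    if not 0.0 <= se <= 1.0:
        raise ValueError("SE must be a fraction between 0 and 1")
    return (ale * se - tco) / tco


def breakeven_ale(se: float, tco: float) -> float:
    """Smallest ALE at which ROSI reaches zero for a given product."""
    if se <= 0:
        raise ValueError("SE must be positive to reach breakeven")
    return tco / se


@dataclass(frozen=True)
class Product:
    name: str
    tco: float   # annual total cost of ownership, dollars
    se: float    # security efficacy score as a fraction


def compare(products: list[Product], ale: float) -> list[dict]:
    """Rank products by ROSI at a given ALE.

    Also reports the absolute net benefit (ALE x SE - TCO), which can rank
    products differently from the ROSI ratio when TCOs differ a lot.
    """
    rows = []
    for p in products:
        rows.append({
            "name": p.name,
            "rosi": rosi(ale, p.se, p.tco),
            "net_benefit": ale * p.se - p.tco,
            "breakeven_ale": breakeven_ale(p.se, p.tco),
        })
    return sorted(rows, key=lambda r: r["rosi"], reverse=True)


# Assumed inputs for illustration: an SLE of $250,000 with ARO 0.01
# gives the $2,500 ALE from the post's example. Efficacy scores are assumed.
EXAMPLE_ALE = annualized_loss(sle=250_000, aro=0.01)
EXAMPLE_PRODUCTS = [
    Product("Product A (pricier)", tco=10_000, se=0.95),
    Product("Product B (cheaper)", tco=5_000, se=0.90),
]


if __name__ == "__main__":
    for ale in (EXAMPLE_ALE, 4_240_000):   # post's example and the calculator default
        print(f"ALE = ${ale:,.0f}")
        for row in compare(EXAMPLE_PRODUCTS, ale):
            print(f"  {row['name']}: ROSI={row['rosi']:.2f} "
                  f"net=${row['net_benefit']:,.0f} "
                  f"breakeven ALE=${row['breakeven_ale']:,.0f}")
```

At the $2,500 ALE both products have a negative ROSI, which is the quantitative version of the post’s "maybe": neither pays for itself on loss exposure alone, so the decision rests on the unquantified factors the post lists. At the $4.24 million default, both are strongly positive; the ratio favours the cheaper product, while the absolute net benefit favours the more effective one, so it is worth reporting both numbers rather than the ratio alone.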
The ALE from lawsuits, should an employee drive while intoxicated, is what killed happy hour. And so, buy your ale at your local pub, but use ALE on the job.
Support your local pub and your bottom line; don’t forget the ALE.
Randy Abrams
Senior Security Analyst
SecureIQLab